Patrick Walsh
Originally published at blog.ironcorelabs.com.

Warning: SaaS Privacy Debt Will Crush Your Roadmap

Dear Software Developers,

That list of tech debt you’ve been trying to tackle bit by bit is not your biggest problem. Everything that would make your code easier to maintain, more scalable, less repetitive, and so on is important. I get it. I hope you get to tackle them. But you have a new list to worry about. Every minute you ignore it, the list grows a little bit longer and becomes a little bit harder to manage: It’s your privacy debt.

Privacy Laws Have Changed the Game; We Need to Change With it

The patchwork of global privacy laws keeps growing. There are general ones like the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR), which you’ve probably heard of, but almost 100 other general privacy laws have also passed in countries around the world since 2017. Beyond those, there are numerous niche laws covering financial information, non-public information that could enable insider trading, and the data of students (in Colorado, for example).

CCPA: What You Need to Know: The California Consumer Privacy Act takes effect on January 1, 2020.

The net result of all of these new laws is that practically any non-public information related to an individual is now regulated and protected.

The Privacy Debt Burden of Proof Is on You

Your data now requires extra protection, tracking, minimization, retention limits, transparency around sharing and selling, and much more. Privacy laws tend to use broad but largely undefined phrases like “data protection by design and by default” without specifying what does or doesn’t qualify as sufficient protection or sufficient design.

The authors of these laws do this on purpose. If they specify a technology today, the law becomes obsolete when the technology does. So they leave it to words like “reasonable” and “best practices” and then put the burden on the courts to rule on whether specific measures have met those invisible thresholds.

The lack of definition here is a problem because it has created a paralysis where everyone is waiting to see what everyone else is going to do before acting. Everyone is waiting for court cases and rulings to bring clarity. But it’s worth realizing that those rulings will nearly always come in the context of some major miss where private data was leaked or stolen. In that context, the odds are high that a company that wasn’t conspicuously forward-thinking will be found to have insufficiently protected private data.

Today’s “best practices” for security do not sufficiently meet privacy standards. And even though everyone knows this, in the haze of the current paralysis, the privacy debt meter continues to run.

I’m sure you’ve seen tech debt run wild. When fixing the old thing takes a back seat to bolting the new thing onto the broken old thing, eventually it all collapses under its own weight.

Industry-wide Tech Debt

For those who remember Y2K, we witnessed intense panic around the idea that airplanes would crash, electric grids would go dark, and essentially all software would be struck dumb when we reached the year 2000, because so many dates were stored with a two-digit year, like “1/1/86,” with the “19” hardcoded. On January 1, 2000, a new date would be read by those systems as January 1, 1900, older than everything already stored.

The dire predictions launched a concerted effort to fix systems. It was probably the single most coordinated and industry-wide tackling of tech debt in history. And it cost over $100 billion to address.

We Need to Learn From Tech Debt Failures to Address Privacy Debt

So what does all that have to do with privacy? Simple. Every piece of non-public user-generated content, every bit of location data, every address field, all demographic information, all information about a person’s friends, family, enemies, or whatever, needs special attention. The longer you wait to bring that attention to bear, the worse it will be.

New projects need to take measures early and often to reduce identifiability, protect, minimize (don’t collect what you don’t need), summarize, group, and separate data, and otherwise make Privacy Enhancing Technologies (PETs) a first-class part of every design. No one is going to bring a magic wand to the table that wholesale solves these problems for you.

Existing projects need to start chipping away at the data they hold before the problem becomes insurmountable.
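To make the PETs listed above concrete, here is an added example, not code from the original post or from IronCore, that applies minimization, pseudonymization, generalization, and separation to a constructed user record, and that produces the kind of “privacy debt list” the previous paragraph asks existing projects to start with. The record, the field classifications, the analytics consumer, and all function names are assumptions made for illustration; only the techniques themselves are from the text.

```python
"""Added example: applying data minimization, pseudonymization, generalization
and separation to a constructed user record, plus a privacy-debt inventory.
The sample record, field classifications and function names are assumptions
for illustration, not code from the original post or from IronCore."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Tuple

# Constructed sample record (not real data).
SAMPLE_RECORD: Dict[str, Any] = {
    "user_id": "u-4821",
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "age": 34,
    "lat": 39.7392,
    "lon": -104.9903,
    "friends": ["u-77", "u-91"],
    "plan": "pro",
    "last_login": "2020-01-03T12:04:00Z",
}

# Assumed classification: which fields are personal data, and which fields the
# (assumed) analytics feature actually needs. Everything personal that is held
# but not needed is privacy debt.
PERSONAL_FIELDS = {"user_id", "email", "full_name", "age", "lat", "lon", "friends"}
NEEDED_FOR_ANALYTICS = {"user_id", "age", "lat", "lon", "plan", "last_login"}


def privacy_debt_inventory(record: Dict[str, Any],
                           personal=PERSONAL_FIELDS,
                           needed=NEEDED_FOR_ANALYTICS) -> List[str]:
    """Personal fields held but not needed by this consumer: the list to pay down first."""
    return sorted(f for f in record if f in personal and f not in needed)


def minimize(record: Dict[str, Any], needed=NEEDED_FOR_ANALYTICS) -> Dict[str, Any]:
    """Minimization: keep only the fields the consumer needs."""
    return {k: v for k, v in record.items() if k in needed}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC pseudonym: stable across records (so joins still work) but not
    reversible or brute-forceable without the key. A plain unkeyed hash of a small
    identifier space (user IDs, emails) can be brute-forced, so a key is required."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_age(age: int) -> str:
    """Generalization: a ten-year band instead of an exact age."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def coarsen_location(lat: float, lon: float, decimals: int = 1) -> Tuple[float, float]:
    """Generalization: one decimal degree is roughly 11 km, enough for regional
    statistics but not enough to identify a home address."""
    return (round(lat, decimals), round(lon, decimals))


def separate(record: Dict[str, Any], key: bytes) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Separation: split the record into an identity table (kept under tighter
    controls, with the HMAC key) and an analytics record that carries only a
    pseudonym and generalized attributes."""
    pseudo = pseudonymize(record["user_id"], key)
    identity = {
        "pseudonym": pseudo,
        "user_id": record["user_id"],
        "email": record.get("email"),
        "full_name": record.get("full_name"),
    }
    analytics = minimize(record)
    analytics.pop("user_id")
    analytics["pseudonym"] = pseudo
    analytics["age_band"] = generalize_age(analytics.pop("age"))
    analytics["region"] = coarsen_location(analytics.pop("lat"), analytics.pop("lon"))
    return identity, analytics


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: held by the identity store only
    print("privacy debt:", privacy_debt_inventory(SAMPLE_RECORD))
    identity, analytics = separate(SAMPLE_RECORD, key)
    print("identity store:", identity)
    print("analytics store:", analytics)
```

The inventory is the starting list: fields such as the friends graph and full name are held but not used by the assumed consumer, so they are the first candidates for deletion or for moving behind tighter controls. Re-identification is only possible by whoever holds both the identity table and the HMAC key, which is the point of separating them.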

Conclusion: PETs and Privacy Debt Zero

If you have only one takeaway here, it should be this: The goal must be Privacy Debt Zero. All private data needs to be appropriately handled for today’s requirements and in anticipation of tomorrow’s requirements. Make your Privacy Debt list today and, at the very least, don’t let that list grow as new data is collected, new features are added, and new business needs emerge.

Better yet, adopt some PETs and tackle that Privacy Debt starting today.

At IronCore, we care about data privacy. Check out our end-to-end encryption and customer managed keys solutions to see how we can help you make the world a little safer each day for enterprise software.