Did Anyone Educate The Development Teams On Those Privacy Policies?

Michael Ruminer
Sep 20, 2020

You know that new privacy policy your company worked so hard on? That fine piece of legal art that meets the rigors of GDPR and CCPA; that can undoubtedly be applied universally to all customers in one fell swoop; that was rolled out through emails, pop-ups, and checkboxes; and that was developed and reviewed by high-powered outside counsel, inside counsel, a consultant or two, and numerous C-level managers? That privacy policy has one fatal flaw: it isn’t implemented.

Sure, the teams implemented the workflows and the widgets. But the policy isn’t usable or enforceable, because no one educated the development teams on it. The existing systems didn’t suddenly become compliant just because the policy was written, and the development teams don’t know enough of the policy to know what they must do in the future to stay compliant. It’s all a bunch of words the business is demanding your customers see. No doubt well-intentioned, sincere words, but in reality nothing changed at a fundamental level.

The development teams need to be skilled and knowledgeable in how to meet the demands of the privacy policy. The development teams need to consider significant changes in data architecture and user flow for new systems and even more for the legacy systems as part of the implementation of this new privacy policy.

Photo of a doorway sign that reads “Privacy Please”

I hear it now. The protestations of, “Our product teams were deeply involved. We spent months in various meetings with product teams, and they ultimately implemented the text, the workflows, and the new flags in the systems.” To which I say, “Yeah, so what?”

If the development teams are only taught, or asked, to add a workflow, then all that work on your privacy policy means nothing. Your development teams can no doubt tell you which flags exist and what states they must be in under various conditions. They can tell you about the exchange of emails and the acceptance of privacy terms. But they likely know very little about the implications of their design and development choices for the implementation of the policy. Without that knowledge, your development teams will not be able to help build systems that are privacy first and that let you consistently meet privacy requirements. Then comes the first customer demand to report all of their data, followed by the first demand to delete that same data, and it turns out neither can be done without breaking systems.

I have seen it first-hand. The organization spent weeks, if not months, preparing the text and having the workflow implemented. Outside of that workflow, the developers weren’t educated on the policy, so they could neither apply it to future designs nor revisit past designs of data structures and logic. Testers were not educated to test for anything beyond the basic checkboxes and emails existing. Operations and Release Management were not educated to act as additional quality gates to ensure the policy was being met. In essence, this organization rolled out a policy that promised a lot but that it had no way to actually deliver. Don’t be that organization.

Photo by Jason Dent on Unsplash

Michael Ruminer

Delving into verifiable credentials. did:web:manicprogrammer.github.io