“This is a best-in-class example of cross functional problem solving for privacy.” – Trish Lamanna

Snapshot

Good Research worked with a digital consultancy Client who builds products for healthcare, financial, and e-commerce verticals. They asked us for guidance on how to handle sensitive personal data for a medical device app they were building.

Landscape

The Client was hired by a large pharmaceutical company to design, build, and launch a Class III medical device app in Europe prior to the General Data Protection Regulation (GDPR) rollout. Devices in this class are, in general, implanted, and usually sustain or support life. The Android app would allow individuals with Type 1 diabetes to calculate and dispense their insulin over Bluetooth.

The Client wanted help not only to be legally compliant, but also to do the right thing with the sensitive medical data. They had always designed for a respectful user experience, customizing their strategy to match the context; however, this was before the concept of privacy by design became ubiquitous and before it was even legally required. Good Research would help build privacy into the product as well as into their organization. 

Motivation

The CTO reached out to Good Research’s Founder, Nathan Good, to get guidance on how to handle sensitive personal data. He wanted Good Research’s advice on working with the data safely and legally – essentially to build privacy into the product from the start. Specifically, they wanted:

  1. training on how to build a product using what was then the new concept of “privacy by design”;
  2. guidance on navigating GDPR; and,
  3. advice on how to create a privacy practice that not only meets human needs but prioritizes them.

Approach

Because the app was completely new, its design was a great example of embedding privacy upfront: “privacy by design” as opposed to “privacy in retrospect.” Nathan asked Maritza Johnson, Good Research’s Research Affiliate, to help on this engagement. With a strong background in data privacy and usable security, Maritza had a lot of experience on product teams. Their goal was to leave the Client with a solid privacy practice and a good privacy story.

Privacy as a Value

Thanks to Good Research’s initial sessions, the Client learned that privacy is a value – a belief that guides actions. There are principles that serve that value and a set of shared guidelines that help make values real. Good Research and the Client agreed privacy is an ability to control how much someone wants to be seen, and together, they agreed to some guiding principles. For example,

  • Clarity – include simple, straightforward explanations of how exactly personal data is used and for what purpose
  • Control – include options to control what happens to personal data 
  • Forgetability – include the option to delete personal data

Privacy Practice

To make sure the product team was designing and building according to the privacy principles, Maritza and Nathan conducted training sessions. These included an overview of privacy as a value, the concept of privacy by design, and the upcoming GDPR regulations. Then, they came back at each stage of the product cycle to review, advise, and approve.

As a result, the Client designed the app to offer control for how much the user wanted to be seen. They incorporated settings to easily download and/or delete data. They explained why Bluetooth and location services were necessary and provided a series of explainers that were easy to understand for the user. 

Privacy Story 

As part of the training, Maritza and Nathan went into depth about what GDPR covers and, importantly, how to demonstrate that the Client satisfies the regulations. It’s one thing to follow the rules and another to prove it! In other words, as an organization, how do you hold yourself accountable, not just to regulatory bodies, but also to your clients and the individuals using your product? You create a privacy story, which describes your privacy posture, principles, and accountability process. These stories show that you thought about privacy, you implemented privacy, and you can prove it.

Value

Through this journey, the Client became privacy practitioners. They developed a framework, with supporting principles, that to this day informs and shapes their data strategy. Because they included privacy at the very beginning of the product cycle, they were able to navigate the complex relationships between regulation, user experience, and software. They recognized that privacy is not the responsibility of one team or one person. They embraced privacy as a value, critical to their success.

Conclusion

The app beta release was delivered fully functional with the ability to administer insulin through a Bluetooth-ready insulin pump. It was completely accessible, easy to use, and vetted through multiple risk assessments and user tests. As a result, Good Research and the Client were asked to share this work at an International Association of Privacy Professionals conference. In September 2019, they gave a presentation where they discussed that privacy is not just about compliance. It’s about moving from hollow marketing terms like “We Care Deeply,” to actively applying privacy knowledge to build respectful solutions.

Case Study: Applying privacy knowledge to build respectful solutions (December 12, 2023)