April 11, 2022

Privacy’s shifting left: Are you ready to move?


We’re in the middle of a revolution in privacy, but it’s happening quietly. Most of us aren’t even aware of it yet.

It’s shaped by the proliferation of privacy laws in recent years. That’s a given. But more fundamentally, it’s shaped by a shift in the way people interact with the products they use to live their lives. Looking for evidence of a transformation? Watch cable TV any given night. Apple’s running national campaigns with one simple promise: It’ll protect your privacy.

But Tim Cook’s strategy reflects a larger fundamental shift in how companies make products today.

If you’re not a product person, let us explain. In general, you can plot product development on a continuum. On the far left, it begins with the germs of a great idea. On the right, it ends with deployment of the fully built product.

Here’s the problem, though. Saving the “ok-go” team until just before you ship is a reactive model. And it’s no longer viable. Because let’s be real: Breaches pervade headlines, fines for noncompliance with Europe’s privacy law continue to trickle down, and state and global privacy laws are emerging rapidly. But still, how often do you hear a chief privacy officer bemoan that no one even knows where to find their office? That they’re seen as the House of No to product teams, or that they don’t even speak the same language as the engineers?

It’s time to consciously Shift Left. Privacy teams must be involved with product development from the earliest stages. It’s the difference-maker between reacting to a privacy misstep after the fact and preventing the misstep in the first place.

To be clear, this philosophy isn’t specific to privacy. Infosec went through this revolution more than a decade ago. Following some high-profile data breaches, security was ushered to the front of the house. Fast-forward to today, and security teams largely know the product plan early enough to flag issues before they become deployment-date disasters.

If it sounds like an enormous task for us privacy folk, it kind of is. Yeah. But the marketplace itself is pushing companies to Shift Left their privacy programs largely because the GDPR changed the pre-deployment checklist. Now, you’ve got to answer the following questions before you ship your product: What data are you collecting? How will you use it? Who will you share it with? Where will you store it?

Those questions become nearly impossible to answer if privacy works in a silo and only gains visibility and input late in the game. By shifting left, privacy flips from reactive to proactive, ensuring that teams ship products with all the right privacy considerations baked in — and all without bottlenecking the business.

Of course, privacy’s leftward shift must clear some hurdles. After all, one of the reasons that privacy and product occupy polar ends of the development continuum is that their tools entrench their division. Developers and PMs work mainly in modern, agile tools like JIRA, and privacy pros don’t. Their principal tech stack — if you want to call it that — remains the spreadsheet, fixed and rigid as ever. And, until now, there hasn’t been an easy way to bridge that divide. For privacy to shift left, as it must, teams need a hub that unites those that build products with those that review them — a single source of truth that gracefully integrates with JIRA and the tools the business uses, maps what they’re doing to the world’s laws instantly, and just generally provides the scale, intelligence, and automation that today’s privacy programs lack.

But armed with the right tooling, we, as an industry of privacy professionals, can replicate the security industry’s shift left en masse. If they did it, we can too. We can prove that privacy isn’t “dead,” that human rights and speed of innovation aren’t at odds. At least, they don’t have to be. But to do that, we have to position privacy teams earlier in that product lifecycle. We have to elevate privacy’s role in the business, and empower each other to shape critical decision-making. Is it easy to do? Of course not. But it’s possible.

You might call it a philosophy, you might call it a movement. But it’s clear it’s privacy’s turn to Shift Left.

Are you ready to move?