One of the reasons online privacy has been on my mind lately is because on Friday, I had dinner with a friend who is the Chief Privacy Officer at an online retailer with which we’re all familiar. What I learned was enlightening and thought-provoking about the responsibility that engineers have for privacy.
For her brand, it would be disastrous to get in the media about privacy issues or data leaks. The company is moving rapidly with many engineering teams collecting data from users at many touch points online, on mobile and in-store. In fact, they have been applauded for just how rapidly they innovate.
As a result, the essential stress of her position is that she is responsible for ensuring the security of the information, but she has to rely on many engineers across many engineering teams to deliver on those promises. She cannot do it on her own—the only way she will be successful is to enlist the engineering teams, and deputize them in the fight to secure user data and privacy.
The challenge is a conflict in organizational values. The product and engineering organizations value moving fast over privacy issues. The “corporate brand functions” (i.e. marketing, PR, legal) value privacy issues over speed. My poor friend is stuck in the middle.
In the last 18 months, she said, they’re “about 40% of the way there” in terms of educating their engineering teams about the importance of privacy issues, and getting them to take responsibility for owing privacy in their applications. It hasn’t been easy…it’s been exhausting work…a little Sisyphusian, I sensed. I suspect her work is nearing a tipping point…that once she’s over the 50% percent mark the culture will value privacy more than speed, and the engineering organization will self-train and self-police. But, until then, it feels like an uphill battle.
As I said, part of the reason it hasn’t been easy is cultural, but the other part is that, simply put, online privacy is hard. Managing privacy is a messy web laws from different jurisdictions, most of which are varying shades of gray and many of which overlap. And, as I wrote previously, most of those laws aren’t up to the task because they look at the problem as a matter of physical space, as opposed to tradable commodity.
Engineers rely on clarity, yet for any given project it may be totally unclear where to draw the line…even to the experts. So much of how to handle online privacy is evolving, and so rapidly. Not to mention, besides the law there is ethics and business management to consider. As a result, it often ends up in a negotiation or tug-of-war between product development and legal over what to do…which is the type of subjectivity which drives logically-minded engineers bat-sh**-crazy.
In the end, the product engineering teams and individuals have to realize that, from the perspective of the business, managing online privacy is primarily risk management and in America risk management is very real part of business management. These are low probability, high impact events, and even just one event causing a media outcry could damage the brand for years, if not permanently. Nevertheless, I appreciate that it’s hard for engineering teams to value these types of potential future events when they’re being pushed so hard by their investors, managers and competition to innovate rapidly.