6 The technical privacy review

This chapter covers

What is meant by “privacy reviews”
How companies can split privacy reviews between legal and technical teams
How technical privacy reviews can be integrated into a company’s workstream
How the technical privacy review can become more automated and efficient
Examples of both kinds of reviews (by lawyers and by engineers)

In earlier chapters of this book, you have seen how the modern development process empowers engineers to build products without the constraints of process. Adding to this innovative spirit is the flow of data and the inherent possibilities and risks. Add in impatient business leaders, complicated regulators, and a skeptical customer base, and you have a realistic possibility of products shipping with privacy issues.

The privacy review process is aimed at ensuring that privacy risks are addressed before a company releases products or features. Since the engineers who build the products do not always appreciate or have the time to understand the privacy implications of their work, it is vital that there be a process to ensure scrutiny of these products through a privacy lens.

6.1 What are privacy reviews?

6.1.1 The privacy impact assessment (PIA)

6.1.2 The data protection impact assessment (DPIA)

6.2 Implementing the legal privacy review process

6.3 Making the case for a technical privacy review

6.3.1 Timing and scope

6.3.2 What the technical review covers that the legal review does not

6.4 Integrating technical privacy reviews into the innovation pipeline

6.4.1 Where does the technical privacy review belong?

6.4.2 How to implement a technical privacy intake?

6.5 Scaling the technical privacy review process

6.5.1 Data sharing