In practice, I see that privacy compliance comes across as imposing, because it would hinder Agile working and would not respect the Agile principles. Agile working has been a successful software development method for decades. Absolutely against the Agile working method is the subsequent testing of the privacy aspects of the delivered designs and products, via a separate so-called “data privacy impact assessment” (DPIA) required by the GDPR. An alternative to this, drawing up a privacy design prior to the sprints, not only goes against the Agile frameworks, but also hinders the implementation of the delivered functionalities. Even if privacy measures are designed in advance, it may still happen that these measures still have to be built in after the product has been delivered.
The required privacy measures must be designed and built in together with the features of the products they apply to. So hand-in-hand, to strengthen each other.
How can Agile working and privacy reinforce each other?
Precisely by embracing Agile working and also applying privacy based on the Agile principles. This proactively ensures that every product delivered in the sprints follows the PbD principles. This is a concrete approach within the framework of Agile working.
In Agile working there are three logical moments at which design choices are made for the functionality and products to be delivered. These are the so-called sprint 0, the sprint planning and the sprint review. Privacy should also be reflected in these three moments.
Sprint 0
Sprint 0 is the start of the Agile process in which frameworks are identified that apply to the entire range of functionalities to be delivered. These must be guaranteed for every product to be delivered. User stories can be drawn up aimed at ensuring compliance with the GDPR and the organization’s Privacy policy. An implemented Data Privacy policy is also one of the GDPR requirements.
Examples of privacy “compliance” user story
- For each user story to be realized, the possible impact on privacy has been assessed in advance by the data protection officer.
- Every processing of personal data is included in the processing register.
- The privacy/security test (carried out automatically) has been completed successfully and has not yielded any issues with the categories “critical and high”.
Sprint planning
The sprint planning meeting decides before a sprint which user stories will be worked on, which therefore directly influences the scope of the design work. It is possible to draw up user stories from the perspective of the data protection officer that need to be realized.
Examples of privacy user stories
- User story: right to be forgotten
If the personal data are no longer used for the purpose for which they were obtained, as a data protection officer I want them to be deleted from our systems and the systems of our suppliers in accordance with the stated retention periods.
- User story: anonymize personal data
As data protection officer, I want all personal data recorded and collected within our systems for analysis purposes to be anonymized so that we can use valuable and non-personal information.
- User story: security
As a data protection privacy officer, I want the personal data in the log files to be encrypted, so that no personal data can become available.
Sprint review
The sprint review marks the end of a sprint and is where deliverables are shown and accepted or rejected. The sprint review also includes the privacy-related user stories and assesses whether they have been sufficiently realized or can actually be considered “done”.
By seizing these three logical moments, PbD and Agile reinforce each other excellently.
