“It’s not about the destination, but about the journey.” I’m sure data and privacy are the furthest from your mind when you hear this popular saying. However, after a year of virtually sharing Mozilla’s Lean Data Practices (LDP), I’ve realized this quote perfectly describes privacy, LDP, and the process that stakeholders work through as they apply the principles to their projects, products, and policies.
LDP is Mozilla’s framework for applying privacy, security, and transparency to its products and practices. It consists of three pillars:
1. Audience engagement: keeping your audience (i.e. consumers, customers, etc.) informed and empowered over their data;
2. Stay lean: striving to minimize data collection to that which delivers value (rather than collecting without a purpose); and
3. Build in security: protecting the data that is entrusted to you.
Over the past year, I’ve been able to teach Mozilla’s LDP framework and practical ways to apply it to individuals all over the world (virtually) and in a variety of industries. From artists and technologists in the United States and various European countries, to product managers and engineers in India, to startups and entrepreneurs across the African continent, we aimed to reach as many individuals as we could around the world with the message of LDP and how to apply it in various contexts. We also reached a younger audience by teaching university engineering students for two semesters, introducing privacy and LDP concepts at an earlier stage with the hope that they can take the knowledge into their own future engineering designs.
One year later, here are my seven key observations regarding how participants in our LDP presentations approach privacy and data handling, regardless of their background:
1. Privacy makes people nervous.
Privacy can be seen as complex and confusing to many, especially now with laws like the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA). In my experience, people know they should care, but are intimidated and often don’t know where to begin. When the privacy jargon is removed though, the concepts become easier to understand. Simply using terms like “individuals” rather than “data subjects” or “permission” instead of “consent” helps non-privacy professionals who are learning about LDP grasp the concepts and the reasons behind why it’s important. When your biggest stakeholders are non-privacy professionals, this change in framing helps get their buy-in because they are better able to understand the value and therefore implement what is needed to address consumer privacy expectations. Without knowing anything about privacy, many have been able to walk away after just a one hour LDP discussion with actionable steps they can take in their own area, whether it’s the arts, human resources, engineering, product, marketing, or something else.
2. People don’t think privacy rules apply to “them”.
Often, it is assumed that it’s the government’s responsibility or only for large corporations or specific departments (e.g. Compliance, Legal). However, through LDP conversations our audience was able to understand that they too have a critical role to play. If they have access to personal data or leverage it for their roles, LDP can apply to help their company to build trust with their consumers.
3. LDP is not one size fits all.
Every company has its own challenges. For example, an organization may struggle with being transparent with its users, but may have really strong security practices over the data that they do have. The level of risk of a data type can also vary depending on the company. For example, business contact information for a consumer-facing organization may be lower risk than business contact information for a business-to-business organization who sees it as competitive sales information. This is also why we remind our audience to be mindful of copying and pasting a privacy policy that they see online. What one company does with data is surely going to be different from their own needs, so it’s important to understand their data and how it’s being used in their environment to ensure they can be transparent with what is actually happening.
4. Deletion of data is often overlooked.
The last step of the data lifecycle is disposal of the data. This can be the most forgotten step for many across a variety of industries. The Stay Lean pillar of LDP is a good reminder to establish data retention policies that can actually be followed to ensure data does not remain for longer than necessary.
5. LDP is adaptable across many industries, each with their own unique challenges.
University engineering students can learn and grasp the concepts as they are building out innovative tools; creatives can apply it as they design solutions to tackle big problems such as racism and bias; and organizations can use it as they design and promote their products. I have always known privacy was applicable across industries, but it was eye opening to see it in practice, especially in the arts and creative space.
6. LDP applies globally.
LDP is adaptable globally, and it’s important to understand the local challenges to maximize its benefits. The sensitivity of data — for example, a mobile phone number — may vary depending on where you are in the world. I strive to incorporate local contexts into LDP presentations, but also learn from our participants the unique challenges they experience in their various geographies and how they can use LDP concepts to tackle them.
7. LDP empowers its practitioners to have more control of their own data.
There is an appetite to understand how we as consumers can hold companies accountable. One of the biggest surprises for me came when I would field questions at the end of a presentation, and people would ask about their rights as consumers and how they can hold companies accountable. For example, people wanted to understand their rights and recourse options if companies contacted them without permission, didn’t honor their unsubscribe requests, or did something else frustrating. I teach LDP for individuals to apply it in a business context, but we are all also consumers and customers. LDP can help us better understand how our own data should be handled and improve our understanding of what organizations are doing. We can then remember how we feel about certain situations and then ensure we are doing things in a more consumer-friendly way within our organizations.
Lean Data Practices is a journey. For many there won’t be an ultimate destination because it is an iterative process. If you try to apply all the principles across your entire organization at once, you will find yourself overwhelmed and likely unsuccessful. To maximize your chance of success, my advice — which is the same advice we give when we present — is to just start somewhere. Choose one aspect of your business and focus on that, one pillar at a time. Once you’ve successfully applied the principles, go to a different business unit and do the same. Remember to review and adapt as products and business needs (or data!) change as well. You may likely never reach your destination, but you will see your company improve in its practices along the way.
In 2022 I plan on continuing to spread our message of LDP, especially on the African continent. We will also have a course launching soon for anyone to take whenever they would like, which will help us reach more people compared to live discussions. Sign up here to receive a one-time email notification when the course is ready. Join us on the journey that is LDP.