Privacy Technology: Build vs Buy

It's important to map the necessary type of tooling to the potential privacy issues you need to address. Privacy tooling generally falls into three buckets: Know, Reduce, and Protect. Use this worksheet to help you consider this three-part framework as you plan for privacy tooling.

To determine the privacy technology you may need, look at your own organization, contemplate the problems or challenges you are solving for, and consider how a tool or approach might align with your goals around protecting data privacy. Consider which of the following questions have already been answered, and which you still need to. Do you already have tooling implemented to solve any of these problems?

Know: Inventory and Categorization

Discover and locate your sensitive data to determine if you have a method to fully account for where it comes from

Think about the data you collect... especially the most sensitive data. Can you answer the following questions?

• How is the data collected (by what and/or who)?
• Why is the data being collected?
• How would you classify each type of data you collect? Is it a mix of less sensitive, quasi-sensitive, and highly sensitive data?
• Where is your data stored?
• How is the data being processed or used?
• How much risk is associated with each type of data you collect?

Reduce: Data Minimization

Lessen the surface area via obfuscation and deletion

Think about tools and processes you have for data minimization. What methods, tools, or processes do you have in place to...

• ensure you collect the least amount of data necessary to achieve your business needs?
• obfuscate or delete unnecessary data?

Protect: Access Control

Enforce privacy protection as you align business needs

Think about how you control access to data, specifically:

• Which authentication and/or authorization processes do you have in place for data to be accessed?
• Which authentication and/or authorization processes do you have in place for accessing sensitive data?

Next Steps

If you answered these questions easily and thoroughly, you and your organization may already have many tools and processes in place that protect data privacy. Reflect on anything that was difficult to answer, or that didn't reflect strong security practices. How can you drive change?

If answering the questions was challenging, your organization might benefit from implementing new privacy tooling. Before you decide whether to build or buy a solution, check off the following statements that apply to your organization:

1. Our teams are siloed. Engineers focus on the part of the tech stack that most directly impacts their products.
3. There is a high degree of turnover among engineers.
5. We tend to solve for the most pressing issue at any given moment, rather than working from a roadmap to prevent future privacy issues.

If you checked off most or all of these boxes, you may need to look outside of your organization for adequate tooling. Building solutions in an organization with engineering teams with high turnover or that are very siloed is risky because these tools become difficult to scale and maintain.

Remember:

To make this decision, create a cross-functional team including engineering and technical program managers. Many teams will lean towards build, as it appears to be the path of least resistance. There can be limitations to homegrown solutions, so be sure to do a thorough and realistic analysis before starting down a solution path. When determining whether to build or buy, the right answer is specific to the needs of your organization's unique privacy risks.