Aleksandra Kovačević on Building Proactive Privacy Programs
Privado celebrates the work of Aleksandra this Data Privacy Day.
Director, Head of Product Trust
About
Aleksandra is the Director, Head of Product Trust at HERE Technologies. She previously served as the Product Manager at AGT International, Head of Peer-to-Peer Systems Group at TU Darmstadt, and Scientific Researcher at Universität Darmstadt and IPSI Belgrade.
What is your role, and how does it relate to ensuring data privacy?
As the Director of Product Trust, I oversee the privacy and security compliance concerns proactively and continuously throughout the product development process. We develop various scanning tools and privacy-enhancing technologies to help keep a balance between privacy protection and the value of the data that we preserve.
Tell us about your approach to building privacy programs
First of all, we are trying to be very pragmatic there and not to position the privacy program and ourselves in some policing role. And we always try to start from the business needs because if privacy teams sit on opposite sides of the table to the product development team, then any privacy programs are destined for failure.
How do you measure and prioritize data privacy risks?
We continuously improve various scanning tools from both a data scanning perspective and a code scanning perspective, with solutions such as Privado. And we make sure that we proactively catch any privacy risks in an objective manner. We use the regulatory framework to help prioritize the risks that we find. But there is a lot of common sense that comes into play. For example, if the data processing is done for an internal pilot project, obviously, it has all the very strict rules, and different priorities in handling than if it's released publicly.
What’s one thing that has surprised you in your data privacy work?
Mostly how difficult it is to sometimes interpret some privacy law. And figure out where the gray zone is, for example, what is acceptable re-identification risk when you anonymize data, but also how difficult it is to develop privacy instincts. So figuring out when there are privacy risks just by hearing from product teams when they develop, and how something obvious after a while for privacy teams, it's not that obvious for development teams even after explaining to them. So one needs to be equipped with understanding, with patience, because understanding privacy risks is a long process.
What are some challenges you have faced, and how have you overcome them?
The biggest challenge is actually when I started in privacy space, and that is when we looked at the privacy sensitivity of location data that we both receive and we release in various forms. And we try to find ways to protect and anonymize location data so that we still have the value preserved for our products. And that was very difficult. But more than five years ago, we started innovation in that space. And now, it is a product that's utilized with most of our data providers. And it's seen as state-of-the-art privacy protection for location data. So yeah, that one is the biggest challenge. It's more innovation in the research space, but one with a clear outcome.
What has been your experience engaging technical or developer teams?
What really helps is that both I and my team all worked in product development in the past. So we really understand how privacy compliance teams are always seen as a roadblock in development. They always bring sometimes even last moment in compliances, because we also brought the fact that there are some products, you know, last moment, which is something we are working on with these proactive tools to catch it early on.
But it is the fact that you know that you're not seen as a super welcoming part of the discussion on the product. So you need to bring in some empathy, some social intelligence, and most of all to understand the business needs or an urgency. And then really to try to come there as I want to come and help you and figure out how we can do both privacy protection and value preservation. And then, after a while, then you really see that we come together as one kind of extended team, and we figure this out together in a much kind of calmer and more productive, constructive manner.
What are some best practices to share or pitfalls to avoid when trying to ensure data privacy?
Mainly to make sure that we do not come only from a regulatory perspective active and that the whole privacy discussion is not going only into a regulatory compliance perspective and not seen as something that we just need to go blind. And that's it, we need to understand the reality of the risks because sometimes risks are there also when products are regulatory compliant, right, but there are still privacy risks there. Because, essentially, regulations do not capture all of those risks. So what we really tried to do is to make it relevant for them. Sometimes we even need to bring real-world examples that would really make it easy for them to understand, for example, I would know where your kids are, if blah, blah, blah. So making this real-world example if you see that really the understanding that doesn't come across, but most of all, making the tools really like Privado, very easy to use and very objective. So we do not come and say the thing that how you process data is not compliant. And there is a risk. No, we did scanning of the data you use or the code, and this is what we have found, and make it super easy. Click, click, click, done, and make it open for discussion. Because sometimes the solutions are very easy. And sometimes, it may need engineering development. But in both sides, we need to act as a team. And not only as somebody who figured out the risk and left the team alone to handle the risk however they need.
What predictions do you have for Data Privacy in 2023?
I think that they will be more focused on consent management but in a much more fair manner. And not like to have right now on cookies, websites where like, yes, accept all is really visible. But if you do not want to accept it, you really need to click 5000 times. But also to have more control over the data. Where it's shared, to have more fine-grained, more control over what you want to erase and revoke the consent form if you don't want to revoke everything, but you want to have insight and say please, for example, follow all location data to provide some geo-fences or things like this object provides the time or the place where please do not collect this data. But for the rest, I would be happy to because it provides me with more service. So to not have consent management is very binary, but to give it more freedom in a variety.
What will definitely be big and even more important in 2023, are proactive scanning capabilities to find privacy risks proactively, but also data lineage capabilities, where you can also automatically find out where your data is stored, where it goes to in a company, how you're using that with probably also some data cataloging capability. So anything to help kind of privacy data governance in the company and optimize it and make it more objective and more. Proactive and continuous scanning. Because if you always wait for the end of the product development process, then you're very disruptive and bringing privacy, you don't bring any privacy considerations, then you only check it to the end and then it's very disruptive, you cannot change much, and then you can't do the good balancing solution because you don't have time, things already developed they can be changed much. So anything which can bring those considerations very early on will have to be focused on.
What does Data Privacy Day mean to you?
Data Privacy Day is a day where you do not feel like a paranoid one, right? Sometimes also in private life. And you say you work on a privacy name and say yeah, come on, but I mean, what could happen, right, but do you really care but I have nothing to hide. This is my favorite. I have nothing to hide. And then it comes Data Privacy Day, and if people are aware and sometimes they would see some nice small examples, then they are more tangible. It's less about regulations, which are very hard to consume. It's more examples, and they made them very easy and very simple, effective examples where one can understand okay, I do need to care about data privacy.
More about the event
Who are Data Privacy Stars?
Data Privacy Stars are innovative privacy champions who have a grasp of today’s challenges and can project a vision about what should come next. ‘Privacy All Stars’ are professionals with considerable data privacy-related achievements accumulated over the years, while ‘Privacy Rising Stars’ are passionately driving data privacy initiatives.
How is Privado celebrating Data Privacy Day?
Privado is celebrating Data Privacy Day by recognizing individuals doing outstanding work in implementing innovative privacy programs. As part of its Data Privacy Stars campaign, Privado has planned a series of activities to celebrate and recognize these individuals.
What does it mean to be a Data Privacy Star?
The ‘Data Privacy Star’ recognition validates individuals who receive it as innovative privacy champions who have a grasp of today’s challenges and can project a vision about what should come next.
What activities does the program entail?
As part of the Data Privacy Stars campaign, Privado has planned a series of activities to celebrate and recognize the privacy stars. These include a series of 10-minute video interviews called 'Star Insights', a microsite featuring Data Privacy Stars, celebrating the Privacy Stars on the NASDAQ Billboard, exclusive Data Privacy Week Dinners in the US and Europe, and ongoing engagement on the Privado Community.
I still have questions, who can I connect with?
If you have any questions or want to know more about the Data Privacy Stars campaign, you can reach out to Privado on hello@privado.ai.