Having to reinvest in an existing product is not only a problem from a cost perspective, but it also affects the scalability of the business. Technical debt is an overhead that looms above, waiting to rear its head at an inopportune time, often when you need to deliver a feature that has a dependency on a previously deployed “quick fix.” This ends up requiring a lot more effort than expected due to having to re-develop the previous fix as well as the new feature, potentially jeopardizing a deal or release and adding frustration to all teams involved.
A similar type of debt exists in the privacy space, and I’d argue it is less visible than debt in code. Issues in code are generally tracked in an issue tracking system, or at the very least, there are (hopefully) comments added to the source code somewhere. Privacy debt is far more sinister, in that you often do not have visibility of it until it’s too late.
How Is Privacy Debt Racked Up?
Unlike code, where the debt racks up due to conscious decision and awareness that it has to be sorted out “at some point,” privacy debt can be racked up due to ignorance. In many cases, the debt first becomes visible when a potential client sends a mandatory security assessment document as a prerequisite to closing a deal.
Security assessments have, in the past, been about just that: security. Nowadays, we’re seeing privacy tacked on to these assessments or provided as separate assessments altogether, particularly with the focus on GDPR (the General Data Protection Regulation) in Europe and the UK, the California Consumer Privacy Act and Bill 64 in Quebec. Suddenly, privacy policies and procedures have come to the forefront instead of only products and features, as clients are obliged to verify that your practices match your policy.
Since privacy debt is regularly underestimated, it can subtly rack up. Businesses incorrectly assume privacy is only policies, when in fact it relates to every facet of the business and denotes a new way of operating for many organizations. Even in organizations that are more aware of their obligations, the debt can increase wilfully, as privacy is seen as a grudge purchase, implementing loads of paperwork, policies and procedures for very little financial or business reward. It’s an insurance policy “in case” things go wrong, which couldn’t be further from the truth. Privacy programs are about building a business ethically and scalably, from top to bottom.
When Debt Affects the Bottom Line
The longer you leave your current procedures in place, the more they become embedded. If your policies are not taking into account your regulatory obligations for privacy, your teams will not be incorporating privacy principles into their day-to-day operations. This results in teams embedding insufficient (or even bad) procedures that are increasingly challenging to shake. When you expand into a new market, work with a larger client or enter a regulated industry, the turnaround becomes that much more difficult and sluggish.
In reality, the larger your organization gets, the more awareness is required for privacy. The more complex your product gets, the greater your responsibility in terms of privacy impact assessments. The more information you collect, the harder it is to track and respond to individuals’ legal (and often constitutional) rights. Simply put, dealing with privacy reactively today puts you on the back foot for expanding tomorrow.
These situations can be like receiving a final letter of demand for a credit card you didn’t know you had. In security, there are many fixes that can be put in place quickly for requested assessments and often build on existing policies and procedures within the company. Privacy, however, comes as a surprise, and privacy programs are not implemented in days; they take months or even years.
Shedding the Debt
Privacy debt most often takes the form of missing policies, insufficient procedures, a lack of awareness in the organization and, ultimately, a lack of visibility into the personal information processed by a company. Tackling any one of these items (even individually) requires tremendous effort, but, if handled at a steady pace and addressed early, it is far from insurmountable or unaffordable.
A key approach to effectively addressing privacy debt is to stop it from racking up in the first place and to start paying back the debt you already have. Privacy is not a destination; it’s an ongoing process of investing and withdrawing, but once you’re on top of your payments it becomes easy to manage and can even serve as a competitive advantage.
To get to this point, you need to bring privacy to the discussion table and put together your payment plan. Addressing privacy starts with awareness, and addressing the debt starts with tackling your privacy requirements in a defined roadmap that makes sense for your business. Privacy is not a singular responsibility; the entire executive team needs to be aware of their role in the investment in privacy.
Being able to respond to assessments transparently and quickly reduces turnaround time on sales cycles. Incorporating privacy-first principles into the software development process reduces the cost of redeveloping noncompliant features. Inventorying your data allows you to respond to data requests and avoid fines. Having an overarching, mature program in place allows you to expand at scale without compromising the integrity of your clients’ privacy. Invest in your privacy and eliminate your debt, and scalability (from a privacy and security perspective) starts to manage itself.