Prioritize Privacy by Design: Be Worthy of the Trust of your Customer

First, just a disclaimer. I'm not a lawyer and my talk is not meant to be legal advice. Hello, I'm Guppy Ahluwalia and I'm here to get you thinking about the importance of Prioritizing Privacy by Design and how we did so at Dropbox as a way to build trust with our customers. First a little bit about me and a clarification. I'm the one in the sunglasses. I'm in the photo and that's my sidekick Zoe, who was also present, just not on camera today. I've been in operations professional for the past 15 years at various government non-profit and tech companies, including two engagements at Google. Currently, I'm a Research and Design Operations Manager at Dropbox where my team has built up the foundation of a robust research ops practice including for personal panels, screener bank libraries, user-friendly lab spaces. I've been fortunate enough to publish some of my work in the journal of Qualitative Inquiry. A common theme in all of my roles is that I lead teams who at their very core build trust with audiences, create safe conditions, offer choice to customers and integrate ethics protocols including my work at Dropbox. I believe it's my perspective as a woman of color who encourages diverse thinking on how we think about problems that shapes my thinking innovative way. So, a little bit about Dropbox, we're on a mission to design a more enlightened way of working. We announced our virtual first strategy in October, 2020 that we are a distributed team building for distributed teams making remote work our primary experience for all Dropboxers. So, we care about the products we are building and also how we are building them. So, I'm excited to share with you a full agenda that for the next 10 minutes or so covers my passion for privacy by design. What privacy by design is, how integrated and operationalized these are consent through automation and how we balance governance and product requirements and finally the why and how we built transparency and trust with our users through our customer research privacy training. Before I dive into the meat of my presentation, I wanted to define the problem space a little bit more. More and more companies are wanting to focus on the customer. They're wanting to build empathy with their users. When I arrived at Dropbox just to offer you a bit of a local perspective, I was tasked with building out a robust research operations practice. I conducted an assessment of what we needed to prioritize and work on in line with our company goals. And at the same time, we started to drill down on a deep focus on the customer. I had a new team of high performers, but we were still forming. I was still getting to know our cross functional partners, including product council and our new privacy office. On my long list of things for our group to work on was creating a new privacy training that was aligned with the requirements of our privacy office. This was initially only supposed to be for researchers. What happens when there is a ramp up towards focusing on the customer teams quickly start racing and wanting to obtain access to customers. However, with that goal of being customer focused comes a responsibility, a responsibility to build trust with your users at every juncture of their user journey, including the one where they sign up to be a part of your research study or lightweight feedback session. And how much choice is given to them during their feedback session. So, before we go any further, I'd like to provide you a definition of Privacy by Design. It's the only definition I'll provide you in this presentation. It's a framework created by Anne Kabuki and that proactively embedding privacy practices into technologies, network infrastructures as well as business operations or practices. And it's the practices piece that I want to focus a little bit more on today. By building privacy into design specifications from the onset businesses are able to anticipate risks that prevent privacy related issues rather than retrofitting a system to address privacy issues as they arise. The concept calls for privacy to be taken into account throughout the entire product development process. So, here is a visual, you can see the seven foundational principles of privacy by design, including respect for user privacy and visibility and transparency with users which is something that the two principles that I'll be focusing more on. Privacy by design principles can further and organization success strategically as it can be a business differentiator and positions the company as a trustworthy brand. So, the first project that I want to talk about is integrating user consent before you begin conducting a research study, informed consent needs to be obtained. You want to be able to let your participants know what purpose the data is being collected for that they have the right to withdraw consent and that this consent is written an accessible language for your customer to be able to understand. So, while the research ops teams partnered with our legal team who took point in creating our informed consent. Research ops went on a task to creating an automated informed consent library that would seamlessly integrate this consent into the research flow and then when you get back your deliverable from legal as an informed consent form it may or may not have our company logo or the company logo on it. So, we also added and branded our informed consent form to help create user tests. So, users knew who was conducting the study that they were participating in. Then we added translations versions of these informed consents into our library in three additional languages outside of English. And then balancing governance and product requirements. As I mentioned earlier, when I first started our privacy office was new. And so, was I, and about eight months later we had spent a little bit more time on working on things like user consent and we reconnected to imagine all the subsequent problems we wanted to solve and how we could best partner. And what happened was a design thinking brainstorm workshop session that originated with a guidance doc that we started, a very messy paper doc with all of basically, the digital research flows that our research flow was going on. And so, that it outlined all the programs that ha that we were conducting research with that touch personal data, the tools that were implicated, the personal data that was being collected in each of those programs. And what deliverables they were putting out as well as how the data was currently being managed it was a super fun exercise that required bringing on the expertise or researcher to help flesh it out. And this was the foundation document that spark how we built the customer research privacy training. And then finally building transparency and trust our content is that we wanted to create this privacy training and we wanted to be able to, one, talk about how we handle the personal data of research participants, two what is personal data and three where to go with questions. So, the initial audiences I've mentioned has been researchers, but demand for product areas grew that we needed to include designers and product managers, a great problem to have. So, the actual audience was any Dropbox employee who has access to or exposed to the personal data for research projects that Dropbox needed to complete this role-based training. That means whether you're inside a research session or lightweight feedback session whether you're a design sharer or a note taker or an observer or a moderator, you're obligated to take this training. We all share in the responsibility of protecting our customer's data. Dropbox requires global privacy training on day one of during your onboarding and then annually thereafter, this role-based training is a complement to our global privacy training. Previously privacy training was offered as a deck to researchers only and this new training was in our learning management system and could track who had taken it. And it's also available for anyone who may not be in a role that would require role-based training or research role-based training to be able to take it. So, right now it could be also available to engineers or marketing as well, who was not the intended audience in the beginning. Just to show you a little bit more around the flow of this training is that the original document that I talked about, the digital research flow chart helped us determine how to structure this privacy training. We decided to break up the training into the phases of research, designing research, conducting research, analyzing it, and then retaining it. Meeting expectations of customers is an integral part of building trust and engendering. A culture of privacy shows customers they're important to your business and breeds loyalty based on trust. More importantly, it provides individuals with an appropriate level of control over data that they want to share with you. And the more data that you're likely to share with you, the more unique your value proposition from your competition. So, when you set out to become more user centric in our product development process, many times we don't include the practices of how we work and so we focused on solving a need. And one of the ways that I've been able to find success in this category is to be able to partner with teams like legal and privacy move out of our silos and collaborate on things like customer privacy, research training, as well as user consent. Thank you.