Companies purchase digital solutions so workforce members can collaborate or be more productive. By reducing operational costs through efficiency, companies increase their revenue margins. Paradoxically, the same technologies implemented to save money can lead to expensive data breaches or privacy violations. In the data security industry, people often discuss the need to balance security capabilities and end-user experiences, treating the two as inherently contradictory features. Security and privacy professionals argue that too much security creates a burden on end-users who will look for workarounds. Realistically, technology companies need to build their solutions around the end-users, implementing security and privacy controls that help rather than hinder workforce members.
User-Centricity Is Fundamental
Building technologies that empower user-friendly options is fundamental to the development principles of privacy by design. When Ann Cavoukian outlined her seven foundational principles, she originally intended them as a way to manage data protection across networked systems.
Privacy by design means that companies embed privacy into the design and architecture of IT systems and business practices. However, in an increasingly application-driven business world, these principles must be incorporated into the software design process, too. Privacy must be a core component of a company’s data protection program, and organizations need to consider how their business technologies deliver security and privacy as a core functionality.
Modern applications often incorporate security and privacy controls, yet simultaneously fail to consider how those impact the end-user experience. Too often, technology companies view business entities rather than the end-users as their customers. They design their applications around the business use cases without considering how those impact the people who interact daily with their technology.
Software companies must consider both the business entity buyer and the workforce user when designing their solutions.
Unity Not Duality
People regularly think in dualities. They view actions as right or wrong, ethical or unethical. They view statements as true or false, honesty or deception. In software development, the same is true. An application can incorporate security, or it can be easy to use. People can share documents, or they can control access and versioning.
In reality, nothing is ever clearly one thing or the other. The world exists in the areas of overlap. People’s truths and lived experiences overlap and diverge. Shared understandings even from different lived experiences move the world toward unity.
Similarly, software design must exist in the areas of overlap. Business data protection needs must overlap with how people complete their daily tasks. Applications must fit into a business entity’s overarching revenue objectives while enabling users’ work activities. Security must be intertwined with privacy. Data protection must be focused on usability.
When designing an application, companies must create truly unified experiences. Organizations, both vendors and business customers, must remember that technologies exist to help people. When technologies become a roadblock for end-users, they fail to achieve their fundamental objective.
Unifying Privacy, Security, and Usability
Creating unity across user experience and data protection may be challenging, but it’s not impossible.
Understand the End-User’s Needs
A successful application solves end-user challenges and meets people where they are. Buyers might be business entities, but they still purchase technologies because their workforce members need help.
When an application requires people to take too many affirmative actions unrelated to their daily tasks, the technology becomes a burden. By starting with the end-user’s needs and capabilities, developers build usability into their design from the start.
Map User Activities to Sensitive Data
After defining the end-users’ needs, application designers can think about how sensitive data might and should flow, both within their application and across business systems.
For example, a secure workspace that enables collaboration needs to consider how people:
- Work together within a document.
- Email documents or links internally.
- Share with external users, like contractors or clients.
Identify Impact to Data Protection
By understanding how people interact with sensitive data and their productivity needs, the application developers can start to address the business entity’s data protection needs.
Data Integrity
When people collaborate within a document, the business entity must ensure the data’s integrity remains intact. Often, changes and edits can undermine these goals. An application that considers these daily activities and their impact on business needs could incorporate version logs detailing who made changes and when they made them.
Data Confidentiality
Preventing data leakages means ensuring that only the right people have the right access to the data that they need. In a digital world, the “share with a link” capability has increased this risk exponentially. Whether sharing the document using a link or a downloaded version, many companies lack control over what happens after someone shares it.
A secure workspace should make it easy for workforce members to share documents while giving companies the ability to limit what happens to them. For example, companies should have the ability to prevent people from downloading the document, even if they received the link legitimately.
Data Availability
While every application considers uptime as part of availability, few consider the intersection between end-user collaboration and availability. For example, when two people collaborate within a document, real-time changes can undermine availability. One person deletes something while the other person watches, and the original data is no longer easily accessible.
Although related to versioning, this use case is a bit different. To ensure availability and accountability, a secure workspace could offer users an option where they lock the document during editing. While everyone with access knows the document is being updated, no one needs to worry that their changes will suddenly disappear. Any further changes can then be traced to the individual who removed the data. Through transparency and accountability, the application ensures data availability within the file, not just at the service uptime level.
People-Focused Data Protection Experiences
Treating data protection and user experiences as separate entities ultimately undermines both goals. Applications should be designed so that people can simultaneously use and protect data. Too often, data protection discussions focus on how businesses use data or how businesses use technology.
Businesses are entities run by people. People use data to make decisions. People use technologies to collaborate. When developers focus on the people, they create unified data protection experiences that enable objectives.
- Creating People-Focused Data Protection Experiences - February 9, 2023