Building Privacy Programs for Software Engineers

Vaibhav Antil is the Co-founder of Privado.ai, a developer-friendly privacy platform. Privado was purpose-built as a code-scanning solution for privacy to discover personal data, usage, flows, and leakages, as well as flag privacy issues in the code for GDPR regulations. Vaibhav became a privacy consultant to help companies remain compliant after the introduction of GDPR. Before Privado, he was the Co-founder of Jukebox Studio, which was acquired by Gaana, where he served as the Senior Product Manager of Subscriptions.


Here’s a glimpse of what you’ll learn:

  • How Vaibhav Antil founded Privado.ai and became a finalist for an International Association for Privacy Professionals award
  • The largest privacy and security challenges companies face
  • Vaibhav explains privacy debt
  • What does it mean to be a developer-friendly privacy platform?
  • How Privado scans code for privacy risks
  • Who is responsible for a business’ privacy technology, and how does Privado build and maintain privacy?
  • The proactive role of APIs (application programming interfaces) in preventing data breaches
  • The future of privacy, and Vaibhav’s privacy protection tip

In this episode…

When developing apps and other software, engineers often collect excessive consumer data and lack consideration for potential breaches. As a privacy professional, how can you implement developer-friendly privacy programs?

According to privacy consultant Vaibhav Antil, there is a knowledge barrier between engineering and privacy teams. To address and mitigate this, it’s essential to provide developers with readily available privacy tools that display the data leaks and breaches in their code. By collaborating with engineers and using familiar language when giving instructions, you can mitigate risks to your software.

In today’s episode of She Said Privacy/He Said Security, Jodi and Justin Daniels host Vaibhav Antil, Co-founder of Privado.ai, to discuss building privacy programs for developers. Vaibhav explains privacy debt, the qualities of a developer-friendly privacy program, and how Privado scans code for privacy risks.

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media.

To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit www.redcloveradvisors.com.

Episode Transcript

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I'm the founder and CEO of Red Clover Advisors, a certified women's privacy consultancy. I'm a privacy consultant and Certified Information Privacy Professional and provide practical privacy advice to overwhelmed companies.

Justin Daniels 0:37

Hello, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 0:54

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we're creating a future where there's greater trust between companies and consumers. To learn more, and to check out our Wall Street Journal best seller and new book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. You're very smart key today.

Justin Daniels 1:40

It's exciting. The whole Wall Street Journal thing was pretty cool.

Jodi Daniels 1:43

It's very cool. In fact, I put my Wall Street Journal copy on the floor here right before our podcast recording right next to the dog. Wow, no, no, no, no. Now the dog gets a wonderful, special, spacious place to sleep. Newspapers just by my feet.

Justin Daniels 1:59

All right, well, why don't we introduce our guests today? Take it away.

Jodi Daniels 2:02

Absolutely. So today we have Vaibhav Antil, who is the CEO of Privado.ai, a privacy tech company. He started his career by co-founding Jukebox, a music tech startup acquired by Gaana, where he served as a senior product manager. He leapt into the world of privacy consulting after the introduction of GDPR and has been helping companies stay compliant since. Well, welcome to the show.

Vaibhav Antil 2:31

Thanks, Jodi. Thanks, Justin. And I'm super excited. And yeah, thanks a lot for having me here.

Jodi Daniels 2:36

Absolutely. Now, one of the things that I want you to share is, you recently received a pretty cool award from the IAPP, which is the International Association of Privacy Professionals. So I'm going to ask if you can give a little hint about how your career started. But can you share a little bit about how it came to founding Privado today and winning a really cool award?

Vaibhav Antil 3:03

Yeah, so first of all on the award, so it's still I mean, we are the finalists. So the award announcement will happen on a chalkboard with of November. Yeah, but even like being finalists is super cool. Right? Like IAPP is where you get all the privacy information in any case, probably like the single largest body of privacy professionals, so it was super cool to participate and be one of the finalists. That'd be nice. Yeah.

Jodi Daniels 3:29

How many finalists? There are, there's not a lot of finalists?

Vaibhav Antil 3:33

Yeah, I think there are three finalists on the in the North America region where we participated in. It's

Jodi Daniels 3:40

a very exciting accomplishment. Kudos to you.

Vaibhav Antil 3:44

Yeah, thank you. And, and also, like, the exciting piece for us was we participated because of our open source project. So and we'll talk about this as we go through the podcast, but like the entire Privado platform is powered by an open source project. So like our core code scanning product is completely open source for any privacy or security engineer to start using and start plugging in. So that's completely open source, that's completely free. And that was our submission. And so we're super excited to see where it goes.

Jodi Daniels 4:16

Congratulations again. So tell us a little bit about how you got started to founding the company.

Vaibhav Antil 4:22

Awesome. So yeah, I talk about my background a little bit. So yeah, growing up, actually, I grew up in a lawyer family. I still remember I was a kid studying and seeing my dad practice for his cases. So looking back, I do think like some bit of that lawyer persona sort of came into me by osmosis. I would say how it turned out later in my life was I was sort of very comfortable operating in regulatory markets. So if I remember my first startup, as you were also mentioning, was Jukebox. It was a B2B music streaming application. And then I had to figure out licensing from labels, music labels and licensing bodies, right? So super regulatory, you can't even start the startup unless you get the licensing in place. And then what happened was that got acquired by another large, the largest music streaming company in India. And when I was there, I think it was about 2018. So GDPR was a big project, and it was going around, was a tough problem, there was no real clear solution, even at that point of time. And then once I left the company, Indian government introduced a privacy law, personal data protection bill in our parliament, that was about 2020. So for me, I think I was lucky enough to have these experiences going through my professional career, I sort of connected the dots. And then, as I said, you know, I was able to read the law, as I was reading contracts back for my first startup, and then figure it out, and then realize that whatever the Indian government is passing is going to be super difficult. It's basically GDPR plus plus, in some sense, especially if you look at data sovereignty requirements. And that's how the journey really started. And yeah, I think interestingly, my first project, again, like, from my background perspective, I come from a product background. So I was always thinking about, hey, how does this impact product and engineering teams?
And how can they cope up with these privacy laws, because the way we used to ship product was very different, you know, ship it fast, you know, you know, that entire idea of ship code fast, you know, big things. That's inherently how product folks think. And then that's sort of something which does not sit well with how you do privacy, right. And we'll talk about that as well, on how Privado enables that piece. But yeah, but I think these kinds of experiences of, of connecting the dots backward and leaving in the right places, that's how Privado got started in the first place. And then my first project, interestingly, was an e-commerce company. So I was doing data mapping for an e-commerce company, all manual, doing interviews and assessment. And essentially what we did was we spent nine months building this huge Excel sheet of data map. And at the end of the day, my co-founder and CTO, Prashant, told me, hey, whatever you've done, we can probably reach the 80% by scanning the code of whatever engineers have built, products and applications. And that was kind of our lightbulb moment, it came by working with customers and sort of my own experiences across companies. That's the story of Privado.

Jodi Daniels 7:29

That was a fun story. The osmosis piece. Interesting. So as you being the attorney Justin does that mean there are children are learning via osmosis? There's some legal principles here.

Justin Daniels 7:44

I'm waiting for me to talk about his next startup or that he disrupts the entire music industry with Blockchain. So people sell their music peer to peer. I think that could be your next venture, given all that you've learned about that very interesting industry.

Vaibhav Antil 7:59

I guess that's already happening there. Are there are some companies doing that

Justin Daniels 8:03

today. Anyway, today, our topic is privacy. And so from your perspective, what are the big privacy challenges you see companies facing today?

Vaibhav Antil 8:15

Yeah, so I was sort of thinking about this a lot. Even when we, when I'm speaking to more privacy professionals or even security professionals, I think it's the same problem that's been there from day one is sort of getting even visibility on the use of personal data and data flows. I think that's been a constant challenge across the last, I don't know, five, six years since GDPR came in, right. And probably let's take the example of Meta. So I think this year, there was a leaked document by Meta, and then I'm going to quote something from that document itself, which was talking about this challenge, right. So I think in the document, it was about, hey, we do not have an adequate level of control and explainability, or our system use data and tasks, we can confidently make control policy changes for external commitments, such as we will not use x data for y purpose. And this is exactly what regulators expect us to do increasing our risk of mistakes and misrepresentation. I think this is something which is super interesting, because Meta has the highest number of privacy and security engineers, probably they will have the largest budget. But even there, you see the same basic problem that you don't know what data you collect and how it is used. And like the purpose limitation, you want to make those representations in a privacy policy that this is how your data will be used. But at the end of the day, you don't really know what happens with it. So I think that's the biggest problem or the biggest challenge I see companies facing today. Specifically, if you are a tech company with engineers, this is a problem that everyone says is even today's problem, right? And if you think about it, like what's the underlying problem, why this challenge still exists?
I think the reason is that you had this agile development revolution, which started when everyone was said, as a developer, build code fast, ship features fast, to innovation to iteration with your end customers. And what it leads to is that you are in a situation where you're building nice products that are user centric, you're building them fast, but unintentionally, you are leading to either current or future privacy harms. And I truly believe until you give engineers privacy tools, like they have tools for testing, you will not be in a situation where you can solve this challenge, you will always be firefighting, you'll always have privacy debt, you'll always be in a situation where you get fined or breached. And then you like, how do we solve it? And at that point of time, it's a really, really big problem to solve.

Jodi Daniels 10:47

So you just share something called privacy debt. Can you explain a little bit more what that means?

Vaibhav Antil 10:54

Yeah, it's as simple as like, let's imagine a company which is just starting up, it has a nice mobile app. And then, you know, you just launched your first app, you have, you have a single formula connect, you're collecting first name, last name, email address, right? So pretty simple architecture. And as you get more and more traction, you are making decisions on data collection, data sharing, data storage, right? What privacy debt is, as you start collecting this data you make certain decisions about user permission. So you can either take a coarse location, or take a precise location, let's, let's say you don't, you don't make the right decision, you take precise location, even if you don't need it, that data enters your databases, then it goes to another third party, goes to an SDK, goes to an advertiser. And slowly slowly, what happens is this centralized database, which, at the start of your development of a company is one or two databases, suddenly becomes 1000s of databases, 1000s of services, thousands of third party sharing, 1000s of logs. And that's when you get a privacy person to say, Hey, can you help us with data mapping? And that's the privacy debt you inherit. That's the privacy debt.

Jodi Daniels 12:02

Thank you. So the other piece that I want to ask you is, you mentioned that Privado is kind of a developer friendly privacy platform. What does that mean to be a developer friendly privacy platform? Can you share a little bit more?

Vaibhav Antil 12:19

Yeah, for sure. So as I said, right, like, we operate specifically for technology companies who have developers, right. And as I was saying, the entire problem starts because as you're writing code, you're making decisions about data collection, sharing, processing, storage, etc. And what you really want to do is essentially give tools to developers, as you have given them tools for testing, for like, just no for security, for data quality, you want them to have privacy tools available when they are writing the code so that they don't ship products which have privacy risk or harm. So that's the basic concept. Now, we are kind of obsessed with the developers, which are the end users, and sort of rethink the entire privacy problem, hey, if we have to make sure that they like our privacy product, how would it look? How do we make sure that they really adopt the product? Because that's kind of, you know, the real solution in our minds. So to do that, we do a couple of things. So the first thing we do is we see this language gap between engineering teams and privacy teams. For engineers, they're thinking in code; privacy teams are thinking in policies. And that leads to a situation where probably you are saying, Hey, do you delete the data after retention period, and that means something in privacy, but in engineering, it could mean anonymization to randomization, partially due to deleting it, and it could mean many things. So the first thing we do is we sort of tried now in our product, we bridge this gap between engineers and privacy. The way we do that is like the core of the Privado product is a code scanning product. Essentially, for a developer, we are showing the privacy impact of the code they have written at the code level, literally, they see lines of code, and where we detected personal data and the corresponding time series. But for privacy teams, they see an aggregated view, which is RoPA report, data flow diagram, privacy impact assessment.
So this is sort of the same view is made in such a way that privacy teams can see the overall impact on our lecture product level. But for the end engineers, they actually see the line of code where they have a misconfigured permission or data leak into a log, things like that. So I think the first thing for being a developer friendly privacy platform is speaking their language, which is code, which is what the entire Privado platform is about. The second thing we do is being present in a developer workflow. So essentially, like whenever we find an issue, which happens because of a new code push, we essentially integrate within GitHub. So we literally, whenever a new code push happens, we add a comment to GitHub itself. That's where engineers are spending most of their time. And that enables, that makes sure that they're fixing whatever issue Privado is finding. And finally I also feel by making sure we're not just flagging issues, we're also giving them remediation with code examples. So what would be a nice example of, so let's say if you detect that you have this personal data flowing to logs, giving them an example of how they can fix that, how they can use encryption libraries to ensure that you know that personal data is obfuscated or encrypted before it hits, before it goes to your logs, right. So I think these are the three things that primarily we do to make sure the end user, which is a developer, really likes the platform, adopts it, and then ultimately, everyone else benefits, the privacy team, security team, the data governance team.

Justin Daniels 15:34

So can you share a little bit more about how your product works to scan for privacy risks at that code level? It's literally privacy by design in the code.

Vaibhav Antil 15:47

Yeah, 100%. So essentially, like, the way our product works is, imagine it like an X-ray for your products and applications, it will go scan the code. And the journey will literally start by first detecting personal data and its sources. What I mean is we have a list of 150 data elements. And that's coming from CPRA, GDPR, other standards like HIPAA, PCI, and we will go in and tag variables as this variable is first name, this variable is credit card numbers, so on and so forth. And by sources, I mean, where does the data journey start? So it could start from a user form, it could start from a user permission, could start from a database or an API. So first, it's tagging sources of data and what data does your product or application have. That's sort of the starting of Privado. The second thing is we also tag all the destinations of data, which could be anything from an API to a third party API, a package like an SDK, like an advertisement SDK, logs, databases. So you have a situation where you have sources of data and what data and destinations of data. And then what we do is we create a nice data flow diagram. And this is all from the code, it's all automatic. So at the end of the day, you have visibility in the sense of, hey, we have this location data, which is coming from an end user and is flowing to an advertiser investigate. And that's basically what we're doing. And we do this across the company across all products, applications create user facing or internal being developed by engineers. So that becomes like the foundation of our privacy code scan. Once you have this personal data information, then on top of it, we have a rules engine to detect privacy risk, data security risks, so on and so forth. So just to give you an example, it could be a you are collecting excessive data. So you have, you know, instead of coarse location, you're collecting precise location, or you have excessive data sharing.
So you have sensitive data, like health data, flow into a literal ad SDK. And that's going to be like a privacy breach of tomorrow. Or it could be as simple as you have a privacy policy, where you have said that you will only collect x data elements. And that becomes a guardrail for your product development, if data collection goes beyond that, that's a privacy risk. That's something that Privado can flag. So privacy

Jodi Daniels 18:12

programs encompass people, process and technology like we've just described. So if you think about, you know, this tool is obviously geared for engineers, but engineers might not always be raising the flag that says, Hi, I really need to know everything about the privacy risks in my code. So who do you find tends to own the privacy tech in a company? And then the second part is how does Privado intersect with building and maintaining this on an ongoing basis?

Vaibhav Antil 18:44

Yeah, sure. So I mean, if you take a step back, right, like, it's essentially like the data problem inside a company is owned by like, multiple people, and that's what makes the answer a bit complex. And like, if you talk to any privacy tech vendor, you will find the answer to be a little different, right? From our perspective, essentially, like the privacy team is interested in two things like getting the visibility on personal data, and how personal data flows and the use of personal data, right, governance of personal data inside the company. Also, like security teams are super interested because they want to make sure customer data is protected. So they want to, they want to know if you have credit card number, or is that credit card number going to logs, and if yes, they want to make sure that doesn't happen, or if it's being shared with a third party. So that's what they are interested in. So I would say like a chief privacy officer or a data protection officer, or a CISO, are the ones who benefit the most from the reporting of Privado. So they are the ones who find Privado. They're the ones who are consuming the reports, or the Privado end users is typically like it could be anyone on the privacy side like a privacy manager or an analyst who is trying to drive things like data mapping, RoPA reports and privacy by design, or a privacy engineer who's interested in getting like 100% visibility into data I suppose in the engineering systems and applications. We also have security engineers as the end users who are trying to see the data security vulnerabilities that could arise from the bottom. I mean, that could arise from personal data either leaking to logs, or, or which database is this data being stored, so that they can protect it better. So that's how we see it typically, like, you know, Privado is being bought and used today. And I would say the end users are always developers, right?
So they are at the receiving end of these alerts, these assessments, so they have to really like the product, they have to really adopt the product. But ultimately, the reports are consumed by someone in the privacy, security and the data governance. I think you're right. Yeah. I think you also had a question on how does Privado help in building and maintaining privacy? So yeah, I think like, let's take like one simple example of data mapping, right? That's probably like the foundation of any privacy program, right? When it comes to engineering that.

Jodi Daniels 21:02

Just celebrating that data mapping is the foundation of a privacy program.

Vaibhav Antil 21:08

Oh, yeah, that's 100%. Correct. If your data map is outdated, like your privacy policy is incorrect, your RoPA reports are out of date. You can't honor this request, because you don't know where your data is. So how would you honor deletion request for that subject access. So if we take that as an example of building a privacy program, Privado really automates that entire process for your engineering teams, by scanning the code automatically, so you plug Privado in, and within minutes, you start to see this data map building for each of your product and application. And that's, that's what we're really going for as well, like that speed and how fast you can get that visibility. And from our maintain perspective, I think the biggest problem is once you create these data maps, whatever way you create it, when it comes to engineering, they're shipping code every two, three. So what Privado really enables is, the moment a code change is pushed, we do two things. One is we read that and update your data maps. So your privacy policy is updated, your RoPA reports are updated, you have an accurate inventory of where all you need to delete the data in case a deletion request comes in. And so that's the maintaining part of your data map. But also from a privacy medicine perspective, we can ensure all your top down privacy commitments you have made in a privacy policy, or your GDPR requirements are heard. Because if the software development goes beyond that, we create an alert, we can stop that code from going live, we can educate the developer on why that happened. And then we can enforce that during the software development lifecycle.

Justin Daniels 22:38

Super fun. So recently, you had a blog post about how proactive AI could have prevented a massive data breach? Could you share more with our audience about AI? And this idea?

Vaibhav Antil 22:53

Yeah, so it was I think less to do with AI. But it was more about like, I think that was about API, like proactive API discovery, but like the concept just is the same, right? It's basically, as more and more software is developed, it's being developed faster than ever, you have more engineers in a distributed team working on it, right. And the more it happens, you will end up in situations where you have a product where there is an API connected to a production database. And that's not protected, right. Or it has some weak security or weak authentication. So I think the core concept is the same wherein on two levels. One is that in all your security threat modeling, you need to add personal data there, because that can really help you prioritize that you have an application where there is an API, which is insecure. And also you can access personal data or a database with personal data, that is super high risk, you need to fix it. So that's like, number one, was the argument that you were making that you need to add personal data to your security threat modeling examples. And the second thing was the need to be available to developers as they are building it so that the changes are caught early on, and remediated early on before they're pushed to production. So that's like the core argument behind that login insight, like anything we do at Privado is how can you shift the entire privacy testing, the entire privacy risk management earlier in the development lifecycle, and so you can prevent costly data breaches.

Jodi Daniels 24:24

So with that in mind, we like to ask sometimes people with their big crystal ball, where do you think privacy is going in the next couple of years? Yeah, great

Vaibhav Antil 24:35

question. I mean, of course, I think about that problem a lot since I'm building in this space. But yeah, I think, as I was saying, and I will try to tie it back to the core challenge, which is our privacy teams or security teams, or companies in general, are all in this firefighting mode because of this privacy debt they have built over time. And the thing is, like with all the tooling in the market, all the investments in, but it's still not solved. That's the reason you have fines. That's the reason companies are saying they don't know what's happening with data. And I really think there will be a shift left for privacy moment like it was for application security, probably like, you know, 8-10 years back, and privacy will become embedded in the software development lifecycle. I do believe every code change, which will be pushed to production by a company will go through a privacy code scanner. And that will make sure it does not violate any privacy law, like GDPR, or CPRA, or your own privacy commitments that you've made to your end users. And if you do this right, if the shift left approach works, you know, privacy truly, truly becomes like an engineering enabler. And again, like tying it back to your introduction initially, basically, you can meaningfully build products, which are not only user centric, but has trust at the heart of it, because you've taken care of it right at the level where it was being developed. And it's not bolted on later, you don't have that tech to fight. So I really think that this year, there will be this strong shift left moment for privacy.

Jodi Daniels 26:08

Everything we've been talking about is actually going to come to fruition. My wife who's a chick today,

Justin Daniels 26:15

I want to know what lottery Well, lottery ticket I want to play for this crystal ball.

Jodi Daniels 26:20

We said lottery tickets, like a billion dollars that was handed out last week. And I missed it.

Justin Daniels 26:28

Okay. Well, what is your best personal privacy tip you'd offer to your friends? If you're at a cocktail party on the top of the building like we were on Sunday on Saturday?

Vaibhav Antil 26:43

Don't use internet. No, no, I'm joking. You can't escape, escape? No. You use the internet. On a serious note, I do think like simple things, right, like using VPN, using browsers like Brave. So I truly think privacy will become a differentiator for consumer products. There will be companies whose actions are differentiation will be privacy. And those are the companies we have to look for, and sort of adopt them more. And I think that's happening already. It'll happen more and more. So yeah, my advice would be to use tools like VPN, Brave, clear your cookies. I think those things work would be my personal privacy.

Jodi Daniels 27:27

So now, when you're not building a Privacy software company, what do you like to do for fun?

Vaibhav Antil 27:35

Yeah, I would say listening to music. I think that's my de stressor. I do that all the time. And I probably have been doing that since. I don't remember when. But yeah, listening to music from across the world. Amazing. Indian music music from you know, like classic rock. That's been one of my favorite genres and instrumental rock. Yeah, that's what I do.

Justin Daniels 27:55

But Classic Rock Band, do you like the best? Guns and Roses?

Vaibhav Antil 28:00

I've seen them twice.

Jodi Daniels 28:05

So how can people find you and learn more?

Vaibhav Antil 28:11

Yeah, sure. So you can visit our website privado.ai. And, you know, all the information is there in case you want to speak with us. I'm also I mean, I'm on LinkedIn, feel free to connect on LinkedIn, and we can chat there as well.

Jodi Daniels 28:28

That sounds excellent. We're so grateful that you joined us today. Thank you for sharing all of this very helpful and interesting. Third level information.

Outro 28:42

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven't already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.