Deletion: From Startup to Scaleup | Privacy Applied Vol II
Explore how data deletion evolves from startup to scaleup in Lightbeam’s Privacy Applied eBook Vol II with Jonathan Wilde & Niramayee Sarpotdar.
Deletion: From Startup to Scaleup | Privacy Applied Vol II
Explore how data deletion evolves from startup to scaleup in Lightbeam’s Privacy Applied eBook Vol II with Jonathan Wilde & Niramayee Sarpotdar.
Transcript
So hello and welcome to yet another episode
of the Privacy Pros video series.
This is initiated by the size circle.
Size stands for Privacy and Security Circle.
As a part of this initiative, we published an ebook
with articles written by leading privacy experts.
We are also doing a series of short interviews
with them about their articles,
and I have once such expert with me today,
his name is Jonathan Wild.
Jonathan has worked at companies like, uh,
clubhouse and Meta in the past.
So welcome, Jonathan. It's a pleasure
to have you here today.
And for the benefit of our audience, could you please start
by giving a quick introduction of yourself and your work?
First of all, thank you so much for having me here today.
Hi, I am Jonathan. I'm a software engineer
and engineering manager
that's led privacy engineering initiatives at social media
companies, small and large,
all the way from executive buy-in
and strategy all the way down to, to implementation.
Mm-hmm. I write a newsletter entitled Real World Privacy
with Best Practices and Approaches Around This
[email protected]. Awesome.
So thanks, Jonathan. So you've written an article in our
ebook that's titled, uh, deletion from Startup to Scale Out,
and it talks specifically about, you know, the right
to be forgotten or, you know, any data subjects right.
To demand that their data be arranged.
Now, we know that GDPR has always had some guidelines
around this, but, um, we are seeing that, you know,
this particular law is being adopted in a lot
of other places as well in the us It's being considered in a
lot of states other than just California.
So in your own words, can you tell us a little bit about,
you know, why you think it's important
and what in particular, you know, compelled you
to write about this specific topic?
Absolutely. So deep down inside,
I've always loved startups, always love entrepreneurship.
Mm-hmm. My parents were entrepreneurs
and there's not a ton of privacy literature out there
that's really focused on startups.
Mm-hmm. This chapter in, in privacy applied interactive,
innovative aims to fill that gap.
Mm-hmm. And digitally, as we talked about is,
is really the focus of the chapter.
Mm-hmm. I focus the chapter on this
because data deletion is one of the first,
if not the first privacy considerations
that engineers building a new startup app
are, are going to face.
Hmm. First of all, consumers expect
to be able to delete their data.
It's a little disconcerting if you create a, a, a new, uh,
image or new document in a product,
and then you're like, wait, why can't I delete this?
Uh, I I didn't want this here anymore.
They expect to be able to delete their account
and there's more enforcement on this than ever.
So, so you mentioned GDPR,
but even beyond that Apple App Store review now requires
this, if you can sign up through the app,
apple requires you, uh, in many ways going above
and beyond what, what the laws are requiring
to provide a way in the app that's really nice
and easy to delete your account through the app,
and they won't let you launch without that nowadays.
And there's even this one TikTok clip
of a, of an entrepreneur.
He's excited to launch his Apple app store app
and then gets blocked saying, Hey,
you need this delete button.
And, and what actually walks is viewers through
that TikTok clip on how to set up deletion in their product
with, with something like Firebase,
which I think is really
indicative of what we're talking about.
And as your business scales deletion is something
that gets continuously tuned and scaled
and evolved as as your organization grows.
And so this chapter deletion from startup
to scale up explores this evolution
and gives engineers useful thought frameworks as they work
with their legal counsel and policy teams.
Mm-hmm. If they're a little larger to design, implement,
and scale deletion in their product
as their startup grows. Perfect.
I mean, you, you touched a lot about, you know,
just why this is important
and how it's becoming relevant, uh, you know, for everyone.
But you've also mentioned in your article,
you've written extensively about, you know, kind
of having a framework around
how organizations can start implementing this.
But I'm just curious, you know,
what has your experience been like
so far, you know, in the field?
What are the kind of challenges
that organizations face when they try
to implement this kind of framework?
So, so I think the key to thinking about data deletion is
that it's rarely one size fits all
and it will go on to effect almost every corner
of your organization.
And, and in the article we talk a lot about ha ha having a
strategy around this and being really thoughtful around,
around how you're approaching this holistically
around your organization
and the way that you go
to implement your deletion strategy will honestly vary a lot
by your stage of growth when you're first starting out.
The challenges are often more ideological,
like what's the right strategy at all around this?
What are the things that we wanna apply, uh,
pseudonymization to versus hard delete and,
and how do we wanna think about that?
And as you grow a lot larger, the strategy
challenges become significantly more operational.
How do you keep that strategy going as you have more
and more and more people at the organization?
It's also hugely dependent on your sector as well.
If you're in finance
and you're starting a banking product in the United States,
there's likely anti-money laundering records
that your general counsel is gonna tell you, look, we need
to keep this even if they close their account.
And, and if you're in consumer products, your,
your users might expect some pretty granular controls
to, to be able to delete their data.
If you, if you're thinking of a document product,
I certainly am gonna expect to be able to delete a document
that I create in the product as a consumer.
And so you'll need to make sure that your deletion strategy
encompasses what are the different legal
expectations, um, mm-hmm.
That you're hearing from your general counsel as well
as from a product perspective, just
what are your customers gonna expect in order
to be really happy customers with, with the product, right.
So one, keeping your customer expectations in mind,
or two, keeping in mind, you know, the stage that you're at,
uh, whether it's a, you know, a pretty small startup
or you know, like a pretty sophisticated
large scale organization.
Keeping that in mind.
And, you know, just like you mentioned now,
just keeping in mind the challenges
or the nuances that come with your own specific domain.
Uh, these are like three things that really drive what, uh,
what deletion strategies are adopted
by most organizations. Am I right?
Exactly. And, and, and,
and even like internal teams are going to have expectations
around the, that's the way that you, you manage your,
your data deletion even beyond the sort
of external expectations.
For example, uh, data analytics teams are going to,
to have some questions about, wait, so so
how do I perform a historical analysis if
consumers are deleting their data?
And so it's important to make sure
to pick a deletion approach that makes sure that you're able
to support the business stakeholders while still honoring
the rights of, of your consumers
and the expectations of your consumers.
That does make sense. Okay.
That brings me to my last question, which is basically we,
you've spoken about the challenges
and do you have, you know, overall any kind of advice
for your colleagues or organizations out there
that are just starting out?
Any last piece of advice that you'd like to give them?
Absolutely. Da data deletion or,
or any privacy strategy really that,
that touches the whole company shouldn't
be designed in a silo.
You really wanna approach this collaboratively
with the other leaders in your organization.
Don't just say, Hey, here's what,
here's the deletion strategy we're doing
because that likely won't be received very well.
Go around and actually don't sell the solution right away.
Sell the problem
to different leaders in your organization first,
who will have their teams impacted in different ways by
that strategy or, or who will wanna give input
and ask them, you know, Hey,
here's the problem that we're having.
How would you solve this? Right?
And, and don't pitch a solution too early at the core.
You're gonna get some really fast feedback on are you
explaining the privacy problem
or the privacy concept the right way to them?
You'll build some shared awareness right away
around the importance of the work.
And when it gets comes to the strategy
and implementation on it, you'll likely get a bunch of ideas
that you, you may not have previously thought of
that might be more robust
or easier to implement than, than your first approach.
And this leads to, to getting a better privacy strategy
that incorporates the nuance of all the different corners
of your organization has more buy-in
and is potentially easier to execute
because it's a shared project
that you're all working on together,
rather than this mandate that's coming out of, you know,
one corner of the organization.
Right. Thank you so much for, for having me here today.
And, and yeah, and definitely take a moment to check out,
uh, privacy applied, uh, interactive, innovative,
it's an incredible resource for engineers, legal,
and policy teams in the privacy space.
Thank you so much, Jonathan.
Thank you so much, one for giving us the time
to do this interview and of course
for writing the article itself.
This was just for our audience members.
This was a very small snippet
around the chapter that Jonathan has written.
In general, I would highly recommend you guys to read his,
uh, article at the latest ebook.
It's extremely detailed,
it provides a very nice framework for data deletion.
It has lots of examples
and guidelines that can be adopted by any organization,
you know, based on different sizes
that they're status that they're currently in.
So it's extremely insightful.
So thank you so much, uh, Jonathan.
And along with this article, we also have lots
of other great articles in the ebook,
so please do check out our data.
I would also encourage all of our viewers to follow,
you know, the privacy, security
and circle page on, um, LinkedIn.
And of course if you're, uh, curious about
what lightbeam does, which is, you know, data privacy,
innovation, and security, please go check out our website,
which is lightbeam AI and state tuned content.
Thank you so much.
of the Privacy Pros video series.
This is initiated by the size circle.
Size stands for Privacy and Security Circle.
As a part of this initiative, we published an ebook
with articles written by leading privacy experts.
We are also doing a series of short interviews
with them about their articles,
and I have once such expert with me today,
his name is Jonathan Wild.
Jonathan has worked at companies like, uh,
clubhouse and Meta in the past.
So welcome, Jonathan. It's a pleasure
to have you here today.
And for the benefit of our audience, could you please start
by giving a quick introduction of yourself and your work?
First of all, thank you so much for having me here today.
Hi, I am Jonathan. I'm a software engineer
and engineering manager
that's led privacy engineering initiatives at social media
companies, small and large,
all the way from executive buy-in
and strategy all the way down to, to implementation.
Mm-hmm. I write a newsletter entitled Real World Privacy
with Best Practices and Approaches Around This
[email protected]. Awesome.
So thanks, Jonathan. So you've written an article in our
ebook that's titled, uh, deletion from Startup to Scale Out,
and it talks specifically about, you know, the right
to be forgotten or, you know, any data subjects right.
To demand that their data be arranged.
Now, we know that GDPR has always had some guidelines
around this, but, um, we are seeing that, you know,
this particular law is being adopted in a lot
of other places as well in the us It's being considered in a
lot of states other than just California.
So in your own words, can you tell us a little bit about,
you know, why you think it's important
and what in particular, you know, compelled you
to write about this specific topic?
Absolutely. So deep down inside,
I've always loved startups, always love entrepreneurship.
Mm-hmm. My parents were entrepreneurs
and there's not a ton of privacy literature out there
that's really focused on startups.
Mm-hmm. This chapter in, in privacy applied interactive,
innovative aims to fill that gap.
Mm-hmm. And digitally, as we talked about is,
is really the focus of the chapter.
Mm-hmm. I focus the chapter on this
because data deletion is one of the first,
if not the first privacy considerations
that engineers building a new startup app
are, are going to face.
Hmm. First of all, consumers expect
to be able to delete their data.
It's a little disconcerting if you create a, a, a new, uh,
image or new document in a product,
and then you're like, wait, why can't I delete this?
Uh, I I didn't want this here anymore.
They expect to be able to delete their account
and there's more enforcement on this than ever.
So, so you mentioned GDPR,
but even beyond that Apple App Store review now requires
this, if you can sign up through the app,
apple requires you, uh, in many ways going above
and beyond what, what the laws are requiring
to provide a way in the app that's really nice
and easy to delete your account through the app,
and they won't let you launch without that nowadays.
And there's even this one TikTok clip
of a, of an entrepreneur.
He's excited to launch his Apple app store app
and then gets blocked saying, Hey,
you need this delete button.
And, and what actually walks is viewers through
that TikTok clip on how to set up deletion in their product
with, with something like Firebase,
which I think is really
indicative of what we're talking about.
And as your business scales deletion is something
that gets continuously tuned and scaled
and evolved as as your organization grows.
And so this chapter deletion from startup
to scale up explores this evolution
and gives engineers useful thought frameworks as they work
with their legal counsel and policy teams.
Mm-hmm. If they're a little larger to design, implement,
and scale deletion in their product
as their startup grows. Perfect.
I mean, you, you touched a lot about, you know,
just why this is important
and how it's becoming relevant, uh, you know, for everyone.
But you've also mentioned in your article,
you've written extensively about, you know, kind
of having a framework around
how organizations can start implementing this.
But I'm just curious, you know,
what has your experience been like
so far, you know, in the field?
What are the kind of challenges
that organizations face when they try
to implement this kind of framework?
So, so I think the key to thinking about data deletion is
that it's rarely one size fits all
and it will go on to effect almost every corner
of your organization.
And, and in the article we talk a lot about ha ha having a
strategy around this and being really thoughtful around,
around how you're approaching this holistically
around your organization
and the way that you go
to implement your deletion strategy will honestly vary a lot
by your stage of growth when you're first starting out.
The challenges are often more ideological,
like what's the right strategy at all around this?
What are the things that we wanna apply, uh,
pseudonymization to versus hard delete and,
and how do we wanna think about that?
And as you grow a lot larger, the strategy
challenges become significantly more operational.
How do you keep that strategy going as you have more
and more and more people at the organization?
It's also hugely dependent on your sector as well.
If you're in finance
and you're starting a banking product in the United States,
there's likely anti-money laundering records
that your general counsel is gonna tell you, look, we need
to keep this even if they close their account.
And, and if you're in consumer products, your,
your users might expect some pretty granular controls
to, to be able to delete their data.
If you, if you're thinking of a document product,
I certainly am gonna expect to be able to delete a document
that I create in the product as a consumer.
And so you'll need to make sure that your deletion strategy
encompasses what are the different legal
expectations, um, mm-hmm.
That you're hearing from your general counsel as well
as from a product perspective, just
what are your customers gonna expect in order
to be really happy customers with, with the product, right.
So one, keeping your customer expectations in mind,
or two, keeping in mind, you know, the stage that you're at,
uh, whether it's a, you know, a pretty small startup
or you know, like a pretty sophisticated
large scale organization.
Keeping that in mind.
And, you know, just like you mentioned now,
just keeping in mind the challenges
or the nuances that come with your own specific domain.
Uh, these are like three things that really drive what, uh,
what deletion strategies are adopted
by most organizations. Am I right?
Exactly. And, and, and,
and even like internal teams are going to have expectations
around the, that's the way that you, you manage your,
your data deletion even beyond the sort
of external expectations.
For example, uh, data analytics teams are going to,
to have some questions about, wait, so so
how do I perform a historical analysis if
consumers are deleting their data?
And so it's important to make sure
to pick a deletion approach that makes sure that you're able
to support the business stakeholders while still honoring
the rights of, of your consumers
and the expectations of your consumers.
That does make sense. Okay.
That brings me to my last question, which is basically we,
you've spoken about the challenges
and do you have, you know, overall any kind of advice
for your colleagues or organizations out there
that are just starting out?
Any last piece of advice that you'd like to give them?
Absolutely. Da data deletion or,
or any privacy strategy really that,
that touches the whole company shouldn't
be designed in a silo.
You really wanna approach this collaboratively
with the other leaders in your organization.
Don't just say, Hey, here's what,
here's the deletion strategy we're doing
because that likely won't be received very well.
Go around and actually don't sell the solution right away.
Sell the problem
to different leaders in your organization first,
who will have their teams impacted in different ways by
that strategy or, or who will wanna give input
and ask them, you know, Hey,
here's the problem that we're having.
How would you solve this? Right?
And, and don't pitch a solution too early at the core.
You're gonna get some really fast feedback on are you
explaining the privacy problem
or the privacy concept the right way to them?
You'll build some shared awareness right away
around the importance of the work.
And when it gets comes to the strategy
and implementation on it, you'll likely get a bunch of ideas
that you, you may not have previously thought of
that might be more robust
or easier to implement than, than your first approach.
And this leads to, to getting a better privacy strategy
that incorporates the nuance of all the different corners
of your organization has more buy-in
and is potentially easier to execute
because it's a shared project
that you're all working on together,
rather than this mandate that's coming out of, you know,
one corner of the organization.
Right. Thank you so much for, for having me here today.
And, and yeah, and definitely take a moment to check out,
uh, privacy applied, uh, interactive, innovative,
it's an incredible resource for engineers, legal,
and policy teams in the privacy space.
Thank you so much, Jonathan.
Thank you so much, one for giving us the time
to do this interview and of course
for writing the article itself.
This was just for our audience members.
This was a very small snippet
around the chapter that Jonathan has written.
In general, I would highly recommend you guys to read his,
uh, article at the latest ebook.
It's extremely detailed,
it provides a very nice framework for data deletion.
It has lots of examples
and guidelines that can be adopted by any organization,
you know, based on different sizes
that they're status that they're currently in.
So it's extremely insightful.
So thank you so much, uh, Jonathan.
And along with this article, we also have lots
of other great articles in the ebook,
so please do check out our data.
I would also encourage all of our viewers to follow,
you know, the privacy, security
and circle page on, um, LinkedIn.
And of course if you're, uh, curious about
what lightbeam does, which is, you know, data privacy,
innovation, and security, please go check out our website,
which is lightbeam AI and state tuned content.
Thank you so much.