Hey devs! Confused by EU privacy law? Pull out the FLASH CARDS
Microsoft and University of Nottingham boffins design a deck of memory-joggers
Microsoft and University of Nottingham researchers say developers should be taught to design privacy and security using flash cards if they find wordy regulation documents onerous.
The team including Redmond's Ewa Luger and the University's Lachlan Urquhart, Tom Rodden, and Michael Golembewski say regulation is out-of-touch and can be better explained with printable image cards.
The deck of cards, available for printing, are geared to push a human-centric approach to systems development in-line with the emergent European General Data Protection Regulation.
"Where once designers and systems architects were only subject to the influence of regulation at the point of product market entry, they are now being called to account from the minute pen hits paper," the research team say in the paper Playing the Legal Card: Using Ideation Cards to Raise Data Protection Issues within the Design Process [PDF].
"Privacy and security will soon be expected ‘by design and by default’ – and with this regulatory turn, comes a raft of responsibilities.
"Rather than bolting on onerous terms and conditions or parachuting in lawyers after the fact … what if we were to take our human-centered skills and approaches and methodologically ply them to advance the regulatory field?"
The quartet note that ideation cards have been successful at everything from family counselling to security awareness training, and say it helps define problems within a broader context.
The cards are designed following consultation with the legal community covering areas of privacy, consent, and data breach notification.
It is designed to convey the importance of accuracy over speed in terms of data breach notification; the need to gain meaningful consent from disinterested users, and the difficulty of balancing the commercial gain in personal data against the right to be forgotten.
They tested the deck with 21 programmers, engineers, and system architects of varying experience and found mixed results in terms of individual priorities and how each identified their roles.
Those IT professionals with skill gaps could benefit from some supplemental information in conjunction with the cards, the researchers say.
The team will look to expand the cards beyond the EU context so that it applies to US regulations with further international studies planned. ®
Sponsored: Becoming a Pragmatic Security Leader