Translating Compliance Requirements to User Stories for Agile Development

Agile software development has played a crucial role in making the development process more efficient. However, software development teams struggle when it comes to building software that aligns with standard privacy regulations, an ever-growing concern in the world of technology. Recently, three of our Security Compass employees, Farbod, Mina, and Nat, authored an article titled, “A tagging approach to PIAs in agile software development,” published on the International Association of Privacy Professionals (IAPP) website. Broadly speaking, this article focuses on solving privacy compliance problems in development projects through a ‘tagging approach’. The authors assess how tagging methodologies can guide the development of software that’s compliant with the General Data Protection Regulation (GDPR), specifically with regard to privacy impact assessments (PIAs) and data protection impact assessments (DPIAs).

Put simply, the crux of the issue is this: developers don’t understand large-scale privacy regulations, like the GDPR. Conversely, privacy professionals don’t understand how to implement their privacy policies in applications. So, there’s a fundamental communication issue.

How can these two groups achieve compliance?

The solution presented and evaluated in the article is the ‘tagging system.’ At Security Compass, we recently implemented the GDPR rules in our platform, SD Elements, but the tagging concepts we used are compatible with virtually any privacy regulation or internal policy.

You can think of this tagging system as a ‘layer of abstraction’ between developers and privacy professionals, built to simplify the collaboration process. Essentially, these tags form a map that organizes incoming information from both ends. That is, the tags act as concept categories used to guide policy input on the privacy professionals’ end and procedure input on the developers’ end. The privacy professionals’ policy input involves using privacy regulations to identify the controls needed in the application. The developers’ procedure input involves taking User Stories, which are customers’ or administrators’ software requirements, and creating tasks to fulfill them. Ultimately, the ‘tags’ act as the common language between the privacy professionals and the developers.

How does this system work?

First, a standard set of tags is defined. Though this process requires intensive definition work, the tags are adjusted until the set is as coherent as possible. These tags cover concepts in security, privacy, and data protection, and they’re grouped into common sense categories. Examples of a ‘category: tag’ pair are ‘Consent: Acquisition/Withdrawal’ or ‘Data Protection: Authentication.’ Assuming that the organization has a Policy to Procedure platform (such as our own SD Elements) that outlines privacy requirements, the developers and security professionals can go through the task database and tag each task according to the definitions. This has already been done in SD Elements.

A privacy professional would then go through the regulation and tag all of the identified controls according to the definitions, using the same set of tags. When the tagged regulation is uploaded to the SD Elements platform, it becomes self-mapping. That is, the platform automatically identifies the tasks in the database that share tags with a control, and links those tasks to the control so that it is activated. Additionally, once the appropriate controls are identified, the privacy professional can write nuanced User Stories from them that developers can easily understand. This is called the “agile angle.”

What’s an example of the “agile angle”?

Take this User Story, currently in SD Elements, as an example:

Name: Access: Removal/Erasure: A

Description: As a user, I want to be able to remove my PII from a system under certain conditions, so that I can limit how my data is used. [GDPR: Article !b/Recital b3, Article !6/Recital bb]

This User Story makes a request for a software change as well as a privacy privilege. Assuming that this User Story is tagged with the correct controls, it will automatically be linked with the tasks in the SD Elements database, where it can be fulfilled by developers.
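To make the self-mapping step and the User Story above concrete, here is an added example in Python. It is not SD Elements code and not taken from the IAPP article; it only illustrates the mechanism the post describes. The tag names are the ones used above, while the control references (REG-A and so on), the task list and the control summaries are constructed placeholders, not real GDPR citations. Beyond the mapping itself, it adds the two checks a practitioner would want: tags that fall outside the standard set are flagged, and controls that no task covers are reported as gaps rather than silently dropped.

```python
"""Tag-based mapping of regulation controls to development tasks.

Added illustration of the 'self-mapping' idea; not SD Elements code.
All controls, tasks and regulation references below are constructed
sample data (REG-A, REG-B, REG-C and T-1..T-3 are placeholders).
"""
from dataclasses import dataclass

# The standard tag set, written as 'Category: Tag'. Both privacy
# professionals (tagging controls) and developers (tagging tasks)
# must draw from this set, otherwise the join below cannot work.
TAG_SET = frozenset({
    "Consent: Acquisition/Withdrawal",
    "Data Protection: Authentication",
    "Access: Removal/Erasure",
    "Access: Portability",
})


@dataclass(frozen=True)
class Control:
    ref: str        # citation into the regulation (placeholder here)
    summary: str
    want: str       # the 'I want ...' clause of the User Story
    so_that: str    # the 'so that ...' clause of the User Story
    tags: frozenset


@dataclass(frozen=True)
class Task:
    task_id: str
    title: str
    tags: frozenset


# Constructed sample data: a privacy professional's tagged controls ...
CONTROLS = [
    Control("REG-A", "Right to erasure",
            "be able to remove my PII from a system under certain conditions",
            "I can limit how my data is used",
            frozenset({"Access: Removal/Erasure"})),
    Control("REG-B", "Withdrawal of consent",
            "be able to withdraw consent I gave earlier",
            "processing based on that consent stops",
            frozenset({"Consent: Acquisition/Withdrawal"})),
    Control("REG-C", "Data portability",
            "be able to export my data in a machine-readable format",
            "I can move it to another service",
            frozenset({"Access: Portability"})),
]

# ... and the developers' tagged task database.
TASKS = [
    Task("T-1", "Implement authenticated account/data deletion endpoint",
         frozenset({"Access: Removal/Erasure",
                    "Data Protection: Authentication"})),
    Task("T-2", "Re-verify identity before destructive actions",
         frozenset({"Data Protection: Authentication"})),
    Task("T-3", "Consent withdrawal toggle in account settings",
         frozenset({"Consent: Acquisition/Withdrawal"})),
]


def invalid_tags(items):
    """Tags used by `items` that are not in the standard set.

    A typo in a tag would silently break the mapping, so this is the
    first check to run over both the controls and the tasks.
    """
    used = set().union(*(item.tags for item in items))
    return used - TAG_SET


def map_controls(controls, tasks):
    """Join controls to tasks on shared tags.

    Returns {control.ref: sorted list of task ids}. A control that
    shares no tag with any task maps to an empty list.
    """
    index = {}
    for task in tasks:
        for tag in task.tags:
            index.setdefault(tag, set()).add(task.task_id)
    return {
        c.ref: sorted(set().union(*(index.get(tag, set()) for tag in c.tags)))
        for c in controls
    }


def uncovered_controls(mapping):
    """Controls the task database does not address: the compliance gaps."""
    return sorted(ref for ref, ids in mapping.items() if not ids)


def user_story(control, role="user"):
    """Render a control as an agile User Story in the page's format."""
    return (f"As a {role}, I want to {control.want}, "
            f"so that {control.so_that}. [{control.ref}]")


if __name__ == "__main__":
    bad = invalid_tags(CONTROLS + TASKS)
    if bad:
        raise SystemExit(f"unknown tags: {sorted(bad)}")
    mapping = map_controls(CONTROLS, TASKS)
    for control in CONTROLS:
        print(user_story(control))
        print("   tasks:", mapping[control.ref] or "NONE")
    print("uncovered:", uncovered_controls(mapping))
```

Running the script prints one User Story per control with the tasks that fulfil it; REG-C comes back with no tasks and is listed under `uncovered`, which is exactly the case a review of the task database needs to catch before the regulation is declared covered.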

The tagging system shows promise for improving privacy compliance in agile development projects. Though precise tag definitions are still a work in progress, tagging systems are a step in the right direction.
