March 21, 2025

“You want me to do WHAT??” exclaimed the product manager. I was sitting in a meeting with the product team, discussing a feature they’d been working on for 3 months. I was the unlucky one to have to tell them that the feature they’d been developing for the last 3 months cannot be released as it was currently developed, since it violated privacy regulatory requirements and, more importantly, the company’s own privacy policy. “I need you to change this element of the feature. It isn’t compliant and we can’t release it like this. I’m sorry.” Everyone in the room looked like they had daggers in their eyes, and I looked for a place to bury myself.

The truth is it’s not the first time – nor will it be the last – I’ve been in a situation like this. As a data protection officer I’m in charge of making sure that the companies I work with adhere to data privacy rules and regulations. And I often don’t work alone. The in-house data privacy and compliance teams do their best to steer the company in the right direction in order to avoid risk and potential legal and regulatory pitfalls. 

Unfortunately, classic compliance functions in tech companies have two major limitations that keep them from doing their job. The first is their limited visibility into ongoing feature development. The second is their lack of authority to enforce both the regulations and the company’s own policies effectively. 

Challenge 1: The Unseen Pitfall

Imagine a scenario – like the one described above – where a tech company, eager to maintain its competitive edge, introduces a groundbreaking feature without comprehensive scrutiny from the data privacy or compliance teams. This feature, developed in complete isolation from the company’s regulatory experts, inadvertently (or, even worse, purposefully) collects and processes user data in ways that contravene established policies. 

Limited visibility often results from disjointed communication channels between the engineering and privacy and compliance teams. Rapid development cycles and the pressure to innovate can lead to features being developed without comprehensive privacy assessments. This siloed approach can leave privacy and compliance teams in the dark, unable to proactively address potential issues before they escalate and become “problems”.

In a “best-case scenario” the feature is introduced to the privacy and compliance teams before its release – similar to the situation described above – when they can still advise and the engineering team can do something about it. In the “worst-case scenario” the feature is released in the next product update and the privacy and compliance teams are left to hear about it and handle it after the fact.

Challenge 2: Limited Enforcement Power

In another scenario, a diligent data privacy team identifies a potential violation of company policy during the development phase. However, due to the hierarchical structure of the organization and the fast pace and grueling demands by investors and management, implementing necessary changes becomes an uphill battle. The engineering team, focused on meeting tight deadlines, hesitates to prioritize regulatory adjustments, resulting in an internal standoff.

Limited power to enforce policies often stems from organizational structures that do not prioritize the collaboration between teams, and this culture is particularly pervasive in the interactions between privacy and engineering teams. The inherent tension between meeting development timelines and ensuring compliance can hinder the implementation of necessary changes. 

This lack of collaboration and timely resolution leads to the release of a product that falls short of compliance standards. The aftermath can be severe: regulatory penalties, a public relations crisis,  legal battles, damage control efforts, strained internal relationships and a loss of user trust. 

I once participated in a panel of experts that included data privacy regulatory specialists and technology engineers. A lawyer colleague of mine who advises on data privacy regulations bemoaned the fact that engineering teams scarcely involved him and his colleagues in product meetings to discuss new features. Why are you so surprised, retorted the engineer on the panel, 99% of the things we discuss have nothing to do with you. And they’re both right! There’s no reason to have compliance sitting in on every single product meeting. On the other hand, the product team needs to understand that there are decisions that they make which do have an impact on the regulatory compliance and risk profile of the company, in relation to which the compliance team must be consulted.

The question then becomes – how does one strike that balance? How do we ensure the privacy and compliance teams have the visibility they need, into what they need, when they need it, to have the ability to steer and guide the engineering team towards lesser risk, without filling up the engineering team’s calendar with meeting after meeting with the company’s privacy and compliance team? Perhaps there is a tech product that can help companies strike this balance.

Tillion

Enter Tillion. Tillion’s platform empowers data privacy and compliance teams by providing a comprehensive view of ongoing feature development, automatically checking it against the company’s own policies. The software meticulously analyzes the company’s code against the company’s established privacy policies, alerting privacy teams to potential inconsistencies before they become embedded in the final product.

This proactive and continuous approach ensures that privacy concerns are addressed during the development phase, preventing compliance issues and fortifying the company’s commitment to data protection. This ongoing monitoring approach also prevents “mission creep” (a phenomenon that occurs when data usage is increased incrementally, thus not immediately triggering any “red flags”, but eventually leads to negative outcomes). 

In addition, Tillion’s software offers a holistic solution by seamlessly integrating into the development pipeline. Issues are identified, flagged and automatically “pushed” to development early on, allowing them to be promptly addressed and corrected by the engineering team before they become “problems”, thus minimizing friction between data privacy teams and engineering. 

Tillion’s platform facilitates a collaborative environment where privacy policies are not merely observed but actively enforced, and the teams are able to seamlessly collaborate, creating a synergy that benefits both compliance and innovation.

The EU’s General Data Protection Regulation requires companies to “integrate necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”. By bridging the gap between development and privacy, Tillion is reshaping how tech companies approach data protection within their products, ensuring a secure, compliant future for both businesses and their users.