You don’t document privacy, you live it.
This was the key takeaway from the fireside chat Privacy by Design, where DataGuard Co-founder and Co-CEO Kivanc Semen interviewed John Harbison, Director of European Product Privacy and Privacy Governance at Meta.
The conversation explored how organizations can embed privacy into the DNA of their products, ensuring compliance without slowing innovation. Here are the main points.
Shifting expectations: Privacy as a baseline
The fireside chat opened with a telling statistic: nine out of ten Europeans are not openly embracing AI technology because of privacy concerns. While companies invest in winning the AI race, they must also face the fact that, for more and more users, privacy is no longer a “nice to have.” It is as essential as data security.
This shift marks a cultural change. Data security has become the baseline, while privacy is now the differentiator. Companies that embrace this reality will not only gain trust but also build stronger, more sustainable customer relationships.
Making privacy practical
Harbison emphasized that while strategies and policies are important, they must be translated into measures that engineers can actually follow. Otherwise, companies will struggle to make any progress towards meaningful change.
At Meta, pre-built compliant code segments are available when building new products or features. These not only save time but also show engineers what “good” looks like, especially to new joiners who are just getting accustomed to risk assessments and review processes. In addition to that, Harbison mentioned that their Compliance functions include engineers dedicated to checking the final code before a launch even gets greenlit.
Where possible, Meta also embeds consultation sessions early in the development cycle and makes privacy experts available during key events such as hackathons. This way, teams can ask questions before their projects go too far down a non-compliant path. In short, privacy must be integrated at the start, not bolted on at the end.
Balancing speed and compliance
One of the enduring tensions in product development is the drive to “ship fast” while meeting complex regulatory requirements. According to Harbison, the key to managing this is early consultation and integrating reviews into different development stages.
For example, Meta classifies products into different tiers. A “Platinum” tier product undergoes the most rigorous assessments, involving cross-functional collaboration across legal, compliance, and engineering.
As product development progresses, each milestone is accompanied by a risk assessment that looks for potential issues before they become more complicated to fix. Addressing the issues flagged in these smaller assessments makes passing the big overall review a faster and more manageable process.
And yet, Harbison tries to remain realistic: “If everything worked perfectly, I wouldn’t have a job. You do need certain conversations along the way.”
Compliance as part of culture
When asked about metrics for success, Harbison noted that compliance should not be treated as an incentive or bonus—it should be part of business as usual. Engineers know that their products cannot launch without meeting compliance standards, and this reality creates a built-in motivator.
“The engineers that focus more on compliance and have a greater awareness of privacy launch features and products more consistently. Other engineers want to emulate that.”
Leadership buy-in is another critical factor. By educating senior leaders on regulatory developments—sometimes even bringing US executives to Europe to talk to regulators—internal privacy leaders create a culture of awareness and accountability.
Harbison also suggested bringing engineers to regulator meetings, so they can hear first-hand what the regulators’ concerns are. In his experience, fixes materialize within days, rather than months.
Integrating privacy and security
Privacy and security often overlap, and Harbison stressed that both must be pursued simultaneously. Meta, for example, has invested billions into a comprehensive system with specialized teams for engineering, cybersecurity, data access, and privacy.
One of the ways Meta streamlines this is through automation. For example, access rights to sensitive data are tied directly to job roles, with automatic adjustments when responsibilities change. This ensures that employees only have access to the data they need, minimizing risks and reducing human error.
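As an added illustration of the role-tied access the talk describes (example code written for this write-up, not Meta's system or anything from the original chat; the role-to-dataset map and the names are constructed), the reconciliation below recomputes each person's entitlements from an HR roster, so a role change, a departure, or an unrecognised role automatically revokes access that is no longer justified, and the resulting changes are returned for audit logging.

```python
"""Role-based entitlements reconciled from an HR role feed (constructed example).

Each job role maps to the sensitive datasets it legitimately needs. When the
roster changes, reconcile() recomputes what every person should hold and
revokes everything else, so access follows responsibility without a manual
ticket. Unknown roles and departed people fail closed (no access).
"""

# Hypothetical role -> datasets entitlement map (constructed sample data).
ROLE_ENTITLEMENTS = {
    "support_agent": {"ticket_history", "customer_contact"},
    "fraud_analyst": {"ticket_history", "payment_events", "device_signals"},
    "data_scientist": {"payment_events"},
}


def reconcile(held: dict, roster: dict) -> tuple[dict, dict]:
    """Return (new_held, changes).

    held:   person -> set of datasets currently granted.
    roster: person -> current job role from the HR feed; a person missing from
            the roster is treated as departed.
    changes: person -> {"granted": set, "revoked": set}, empty when nothing
             moved, so the caller can write one audit line per affected person.
    """
    new_held: dict = {}
    changes: dict = {}
    # Walk the union so departed people (in held, not in roster) are revoked.
    for person in set(held) | set(roster):
        role = roster.get(person)
        # Unknown or missing role -> no entitlements (fail closed).
        desired = set(ROLE_ENTITLEMENTS.get(role, set()))
        current = set(held.get(person, set()))
        granted, revoked = desired - current, current - desired
        if desired:
            new_held[person] = desired
        if granted or revoked:
            changes[person] = {"granted": granted, "revoked": revoked}
    return new_held, changes


if __name__ == "__main__":
    # Constructed scenario: alice moves from support to fraud analysis,
    # bob leaves, carol's role is not recognised, dave joins support.
    before = {"alice": {"ticket_history", "customer_contact"},
              "bob": {"payment_events"}, "carol": {"device_signals"}}
    roster = {"alice": "fraud_analyst", "carol": "contractor", "dave": "support_agent"}
    after, diff = reconcile(before, roster)
    for person, change in sorted(diff.items()):
        print(f"{person}: +{sorted(change['granted'])} -{sorted(change['revoked'])}")
```

Running the reconciliation a second time on its own output yields no changes, which is the property a scheduled job needs to be safe to re-run.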
Looking ahead: Striking the right balance
As the session drew to a close, Harbison reflected on the future. He emphasized the need to carefully balance innovation, economic progress, and regulatory oversight. While overregulation could stifle creativity and growth, under-regulation could erode trust and harm users.
His hope is that as both industry and legislators explore ways to tackle privacy concerns around new technology, they can define a middle path—one where privacy and innovation coexist, fueling both progress and user confidence.
Key takeaways for your teams
The discussion between Kivanc Semen and John Harbison offered a candid look at how one of the world’s largest technology companies approaches Privacy by Design. The lessons are relevant for organizations of any size:
- Start early: Integrate privacy at the product idea stage, not at the end of development.
- Make it practical: Provide tools, code, and consultation that engineers can use immediately.
- Balance speed with rigor: Tier products by risk and use technology to accelerate reviews.
- Build culture: Treat compliance as standard practice, not a bonus.
- Think holistically: Align privacy and security strategies, supported by automation.
As user expectations rise and regulatory landscapes evolve, Privacy by Design is no longer optional. It is the foundation for trust, innovation, and long-term success.