In this article, you will find out what the Privacy Services team at Schibsted does, who its members are and what challenges they will face in the near future. Perhaps you would like to be part of it?
The Privacy Services team – what do they do on a daily basis?
Since 2016, all countries associated within the European Union have faced the prospect of implementing the provisions of the GDPR (General Data Protection Regulation). It was then when the Privacy Services team was established in Schibsted. The main objective of the team, originally based in Oslo, was to guide the company through the announced legislative changes. In 2019, the team’s office was moved to Cracow, and the team is constantly growing in size. Following the constantly changing legislation, the scope of the team’s responsibilities was modified accordingly. Today, the Privacy Services team is one of the core teams in Schibsted. They are responsible for three basic solutions that allow users to control their data and help other teams comply with the GDPR.
The assumption behind the GDPR was to protect individuals with regard to the popularization of personal data processing. The GDPR specifies how such data are to be properly collected and managed. GDPR guarantees the users the right to information and data transfer, the right to be forgotten and the right to information and control over the processing of personal data. Therefore, the activities undertaken by the Privacy Services Team in Schibsted are divided into three areas, directly related to the platforms maintained and developed by the team: Privacy Broker, Privacy Settings and CMP.
Each of the working groups focused on one of the products, functions independently of the others – organizes their own stand-ups, two-week planning meetings, demo sessions, retrospectives and grooming. Such an approach allows to focus work and limit distractors. Once a month, individual groups meet in order to synchronize their activities – conduct a retrospective, share experiences and their largest achievements.
Below, you can find certain information on individual platforms maintained by each of the three working groups listed above.
Privacy Broker
The Privacy Broker allows the end-users to request that the data be removed or downloaded, supporting their right to information and data transfer, as well as the right to be forgotten. Schibsted data indicate that in 2020 alone, the Privacy Broker platform processed more than 12 million requests for data removal and more than 700 K requests for data download. We are currently monitoring over 40 identity providers (IdP) and over a thousand databases.
How it works each request created by users is sent to every registered Data Store (a place where the data are stored) and Privacy Broker supervises the process (including repeat attempts, monitoring and replacing people in error-prone work). It consists of two main parts: a group of backend micro-services (programmed in Java) and a back-office administration panel, used by multiple internal teams (programmed in JavaScript).
Privacy Settings
The Privacy Settings help users manage their consents, supporting their right to be informed and to exercise control over personal data processing. It uses saved preferences, in order to honour the user’s choices during the data processing. The platform consists of three main parts: a user interface provided to end-users (programmed in JavaScript), a group of backend micro-services (programmed in Java) and a back-office administration panel (programmed in JavaScript).
According to Schibsted data, in 2020, the platform users submitted over 3 million objections, gave more than 50 thousand consents, and their data were supervised by more than 60 Data Controllers.
CMP
The Consent Management Platform (CMP) supplied by an external provider (Sourcepoint) is the most recent solution maintained by the team. It supports the last of the users’ rights, i.e. the right to be informed and to exercise control over the processing of personal data. The platform implements three solutions: Privacy Settings Introducer, Cookie Consent and TCFv2.0.
Team
The Privacy Services Team in Schibsted consists of 5 back-end developers (Katarzyna, Jakub, Łukasz, Michał and Nazar) and an engineering manager (Wojtek) working together in Cracow. They are in close cooperation with two product managers (Maren and Zainab) from Oslo, UX Designer (Rita) and UX Writer (Benni). Despite the distance between Poland and Norway, the team is able to meet almost every day and this is made possible by a specific working mode, based almost entirely on online meetings.
The Privacy Services Team in Schibsted is also looking for new members. If you are interested in joining our team, you may send your application at www.schibsted.pl/career
Technological stack
Most of the Privacy Service apps in Schibsted are programmed in Java and JavaScript, but we also use Kotlin and TypeScript. All applications are launched in an AWS cloud via EC2 instance of Docker containers.
The team’s guiding motto is: “you build it, you run it”. This means that it supports Continuous Integration and Deployment (CI/CD) running on Travis CI and Spinnaker, infrastructure (maintained as a code with the use of CloudFormation) and monitoring (DataDog). In order to work effectively, the team uses the largest possible number of existing solutions supplied by other central teams, e.g. Developer Foundation supplying e.g. CI/CD tools, Kubernetes clusters. It is, however, quite free in choosing the best technologies needed for project implementation, which is seen in the team’s everyday work – the members of the Privacy Services team may use any language, framework or tool, accepted by the team, in order to solve problems.
For storing data, the team uses Aurora Databases compatible with MySQL and AWS DynamoDB in projects where NoSQL databases work better. It is very important for the team to build loosely coupled services – to this end, the team uses queues supplied by AWS (SNS, SQS) and Kafka. In everyday work, the team uses Github Enterprise as a tool both for code management and for working with Pull Requests.
Future
The future of the Privacy Services team is full of challenges. The company plans to develop new functionalities in each of the platforms and pay the technological debt. In the Privacy Settings platform, the team focuses on supporting the company in collecting consents at a global level, as so far, the consents were collected for each of the brands individually. Thus, it will be possible to analyse data for all brands, at the same time leaving the users to decide what data could be used and how. To this end, the team is working on a new user interface (supported by a new BFF and Gateway), migrates data and connects new clients to their platform (extending integration points available for internal customers).
An equally huge challenge for the future is also work related to Cookie Consent and Transparency Framework v. 2.0. arising from new EU regulations. The Privacy Services team in Schibsted is, therefore, trying to find a perfect balance between allowing users to exercise control over their data and not overwhelming them in messages and information in that regard. This requires many experiments with the UI and countless UX tests.
The biggest platform, Privacy Broker, currently requires improvement as part of paying off the technological debt, as well as supplying new functions. These include, for example, better management of outdated requests, new messages about currently handled requests for Data Store owners, support for Data Retention and many others. From the technical point of view, one of the biggest challenges faced by the Schibsted team would be the migration of data to Kubernetes. Its main objective is to facilitate and speed up the process of deployment, speeding up the scaling process and a significant simplification of development and provisioning. Also, the Privacy Services team is constantly trying to find a balance between the development of new functionalities and tasks related to technology.
Therefore, if you like such challenges and feel that these are the areas where you can demonstrate your skills, send your application at www.schibsted.pl/career.