Agile development and Privacy by design

A year ago, I talked to some people in a web project that was run in an agile fashion. One of my questions was how they managed the requirements related to the upcoming GDPR regulations. The answer was: "We put them in the backlog." That is formally correct from an agile perspective, but I don't think it's the right approach for regulatory requirements.

I would rather see the requirements for Privacy by design (Inform, Control, Enforce, Demonstrate, Minimize and limit, Hide and protect, Separate, Aggregate, Data protection by default) treated as product requirements and taken care of in each sprint, or at least before you deliver a minimum viable product.

[Figure: Design business for privacy]

But in order to comply with the regulations for Privacy by Design, you have to document more than the developers assumed.

You also have to add more features and think about the life-cycle management of personal information in your application. In essence, this means more architecture work in sprint 0 to prepare for things that are not delivered in the first internal releases.

Then there is everything related to security, and that is a topic in itself.

If you would like to hear about other aspects of Privacy by design, watch episode #73 of Architecture Corner.