How to Manage Data Privacy in Software Development


Summary

Managing data privacy in software development ensures that sensitive information is protected while adhering to legal and ethical standards. It involves creating strategies to secure personal and organizational data throughout the software development lifecycle.

  • Integrate privacy from the start: Design data privacy measures early in the development process to avoid costly fixes and compliance issues later.
  • Classify and control access: Categorize data based on sensitivity and implement clear policies about how each type can be accessed, shared, and used within your systems.
  • Regularly audit practices: Conduct routine reviews of data usage, access logs, and compliance with regulations to ensure your software remains secure over time.
  • Geoff Hancock CISO CISSP, CISA, CEH, CRISC

    As a CISO (multiple times) and CEO I help business and technology executives enhance their leadership, master cyber operations, and bridge cybersecurity with business strategy.

    A Quick Plan/Approach For CISOs to Address AI Fast.

    As a CISO/CEO you have to stay on top of new ideas, risks and opportunities to grow and protect the business. As we all keep hearing and seeing, LLM/AI usage is increasing every day. This past week my inbox is full of one question: "How do I actually protect my company's data when using AI tools?"

    Over the last 9 years I have been working on, involved with and creating LLM/AI cyber and business programs, and as a CISO I have been slowly integrating ideas about AI/cyber operations, data protection and business. Here are five AI privacy practices that I have found really work and that I recommend to clients, partners and peers. I group them into three clear areas: Mindset, Mechanics, and Maintenance.

    1. Mindset: Build AI Privacy Into the Culture

    Privacy isn't just a checklist, it's a behavior.

    Practice #1: Treat AI like a junior employee with no NDA. Before you drop anything into ChatGPT, Copilot, or any other AI tool, stop and ask: Would I tell this to a freelancer I just hired five minutes ago? That's about the level of control you have once your data is in a cloud-based AI system. This simple mental filter keeps teams from oversharing sensitive client or company info.

    Practice #2: Train people before they use the tool, not after. Too many companies slap a "responsible AI use" policy into the employee handbook and call it a day. That's no good. Instead, run short, focused training on how to use AI responsibly, especially around data privacy.

    2. Mechanics: Make Privacy Part of the System

    Practice #3: Use privacy-friendly AI tools or self-host when possible. Do your research. For highly sensitive work, explore open-source LLMs or self-hosted solutions like private GPTs or on-prem language models. It's a heavier lift, but you control the environment.

    Practice #4: Classify your data before using AI. Have a clear, documented data classification policy. Label what's confidential, internal, public, or restricted, and give guidance on what can and can't be included in AI tools. Some organizations embed DLP tools into browser extensions or email clients to prevent slip-ups.

    3. Maintenance: Keep It Tight Over Time

    Practice #5: Audit AI usage regularly. People get busy. Policies get ignored. That's why you need a regular cadence (quarterly is a good place to start) where you review logs, audit prompts and check who's using what.

    AI is evolving fast, and privacy expectations are only getting tighter. What other ways are you using LLM/AI in your organization?

  • Adam Kamor

    Co-Founder & Head of Engineering @ Tonic.ai | Transforming AI & software development with secure, synthetic data.

    The biggest mistake developers make with AI and healthcare data? They don’t think about privacy until it’s too late.

    I understand it’s exciting to build with new technology. But here’s what usually happens 👉 A developer gets access to a massive dataset: patient histories, clinical notes, lab reports. They build a model that works. It generates summaries, improves workflows, and seems ready to launch. Then reality hits: the model memorizes and regurgitates real patient data. Suddenly, you have a HIPAA compliance nightmare.

    So how do you avoid this?

    1️⃣ Read the HIPAA guidelines. I know, it’s not fun. But it’s not that long. The healthcare industry is lucky to have clear rules on data safety. Following them upfront will save you headaches later.

    2️⃣ Understand how the data will be used. Training a model on all patient data and then using it to serve individuals? That’s a huge privacy red flag. You need to think about privacy and compliance both in training and outputs.

    3️⃣ Handle privacy from the start. The earlier you think about compliance and privacy, the faster you’ll move in the long run. Scrambling to fix privacy issues right before launch will slow everything down.

    Good AI doesn’t just work; it works safely.

    #AI #HealthcareAI #MachineLearning #DataPrivacy #HIPAA #AIGovernance #AICompliance #MedTech #HealthTech

  • Walter Haydock

    I help AI-powered companies manage cyber, compliance, and privacy risk so they can innovate responsibly | ISO 42001, NIST AI RMF, and EU AI Act expert | Host, Deploy Securely Podcast | Harvard MBA | Marine veteran

    How I enhance security and privacy for healthcare, financial services, and enterprise software customers using data classification levels, but without extra complexity:

    I separate types NOT by the value of the data they describe but rather by the handling procedures for the information, e.g.:

    1/ Public
    2/ Confidential-Internal
    3/ Confidential-External
    4/ Confidential-Personal Data
    5/ Restricted

    1️⃣ PUBLIC

    Can be posted on the open internet without restriction. At StackAware, we take the additional step of trying affirmatively to publish anything classified as “Public.” That’s because, if there is no risk in getting it out there, then it might as well serve as marketing collateral. Building in public is part of our competitive advantage.

    2️⃣ CONFIDENTIAL-INTERNAL

    Information belonging to us that is not currently meant to be public, but which can be disclosed unilaterally with the approval of the data owner, without further coordination outside of our company. Below are some examples. If you were especially concerned about compartmenting data, you could create nested sub-categories using some or all of the below to restrict dissemination even further:

    - Material financial information
    - Internal source code
    - Machine telemetry
    - Business plans
    - Credentials

    3️⃣ CONFIDENTIAL-EXTERNAL

    Information belonging to another organization not meant to be public, which our company is bound by confidentiality requirements to protect and cannot release without external coordination. While there should be an internally designated data owner, that person cannot release the information in question without permission from the relevant external party.

    4️⃣ CONFIDENTIAL-PERSONAL DATA

    There are a variety of regulations governing the use of data which can identify natural persons (i.e. human beings), such as:

    - Personal information (PI), defined by the California Consumer Privacy Act (CCPA).
    - Personally identifiable information (PII), defined by various U.S. state laws and federal regulations.
    - Personal data, defined by the European Union (EU) General Data Protection Regulation (GDPR).

    The GDPR is the most restrictive and expansive of all of these categories. Thus, we use the blanket term Confidential-Personal Data for everything that falls under this rubric. Different jurisdictions, however, have specialized requirements for handling different types of data, so it might make sense to create nested categories under the general category of Confidential-Personal Data.

    5️⃣ RESTRICTED

    This is simply a way of collectively describing the aforementioned three types of Confidential information. For policy and procedure purposes, it can be helpful to have a single unifying term to describe all categories of data that cannot be processed in a certain way (e.g. using uncertified systems per StackAware’s AI security policy).

    TL;DR - At StackAware, we use the data classifications:

    1/ Public
    2/ Confidential-Internal
    3/ Confidential-External
    4/ Confidential-Personal Data
    5/ Restricted
