1. Security at Flo

Reinforcing the Privacy and Security by Design Approach Through Collaboration with PwC

Flo is currently the #1 health app for women worldwide with over 180M downloads, and our audience is growing rapidly. As the company grows, our data privacy and security practices are also constantly evolving. 

Over the past few years, there has been an increasing discussion within society about how companies should protect personal data. The GDPR came into force, requiring organizations to adopt a more transparent approach to the data collection, processing, transfer, and protection. Following the GDPR’s passage, several U.S. states were proposing their own new data protection laws. The California Consumer Privacy Act (CCPA), passed in June 2018, was to become the most comprehensive data privacy law in the U.S. In short, regulators in Europe and the U.S. were making legislative changes at a state and federal level, along with introducing enforcement actions. These actions varied greatly in different geographic regions. Consumers themselves also started calling for more transparency in this field.

In 2019, the leaders at Flo engaged an independent third party to provide a  comprehensive assessment of our data security and privacy program. We have always strived to make our platform secure and private for millions of women around the world, and our company has robust, reliable compliance plans in place. 

Being a market leader, we could only assign this task to a reputable firm with in-depth expertise in the field, one that is committed to quality and trusted by global enterprises.

“We took an extra step to stay ahead of the compliance curve. We decided to partner with a highly reputable external advisor with the strongest expertise and the most stringent requirements. That is why we chose PwC.” — Timofei Savitski, Chief Legal & Compliance Officer

We opted for a partnership with PwC because the firm offered a comprehensive approach to assessing and enhancing the privacy framework. Moreover, PwC offered a one-stop service: from both privacy and security assessment, to strategy and execution. We wanted an advisor to thoroughly assess several different areas at once, and PwC was the perfect fit for our requirements.

We knew that PwC’s approach would be comprehensive, so we were ready for a lengthy and robust partnership. As in other business domains, in terms of data privacy and security, we followed the bar-raising principle.

The project was launched in summer 2019. The working group from PwC included experienced specialists with expertise in various domains, including data protection and privacy, information security, risk management and compliance.

The Flo working group included leaders from the engineering and legal teams, as well as employees who would later be involved in the decision-making process.

As a result of the 360-degree assessment, the PwC team identified areas for further enhancement. 

"Flo's ambition to further enhance their privacy framework was shown during the entire project, from their leadership and project team commitment to their pragmatic and positive approach. We were happy to support them in the process while meeting their high standards, agile way of working and expectations" — Bram van Tiel, PwC Cybersecurity and privacy engagement partner

Through our work with PwC, we did a comprehensive assessment of our practices and devised additional enhancements to our program.

“When we face new legal requirements or a new challenge, we do not need to reinvent the wheel. We operate according to a well-established framework and fall back on rebuilt processes.” — Timofei Savitski, Chief Legal & Compliance Officer

For example, various countries and regions have different approaches towards user rights with regards to the processing of their personal data In European countries, where the principles of GDPR apply, the law states user requests should be addressed within 30 days, while according to the CCPA, it’s within 45 days. There are various legal requirements in different countries, and even in different states, and these may change. Our task is to both monitor the constantly updated legislation in countries where we operate and also to have universal operating procedures that can be applied to any case.

In short, a refined framework allows us to promptly and consistently solve challenges  

As to security, we have started the process of preparing for ISO certification. ISO certification is a complex multi-stage procedure that confirms compliance with the rigorous international standard ISO/IEC 27001. The ISO 27001 standard contains numerous requirements for managing information security and assumes that the company has already adopted a systematic approach to this issue. These standards are developed in turn by the International Organization for Standardization — an independent, non-governmental, international organization.

For companies like Flo, achieving ISO/IEC 27001 certification signals that the company's practices, documentation, and procedures have met the rigorous standards. This is a strong indication to the market that this business partner is highly competitive, including in the area of personal data protection.

At Flo, we are committed to a privacy savvy culture. From our perspective, this is an environment where employees feel that data protection is relevant to them and that they're personally responsible for ensuring it. They understand it well and show a keen interest in learning more about it from privacy and security teams.

The challenge is in maintaining this type of environment as the company scales up. In the last year, the team at Flo has doubled in size and now includes over 300 people. Having the solid framework we’ve developed with the support of our partners from PwC enabled our dozens of new, highly skilled engineers, content creators, and product managers to navigate through the subject from the very start. 

“The privacy and security culture needs to be instilled in each new employee based on proven methodology and tools that work.” — Roman Bugaev, Chief Technology Officer

We have encouraged executives to model behavior and encourage an open dialogue between the staff and privacy and security leaders. On top of that, we have built habits among employees to design with privacy in mind.

Among other things, we provide training for all Flo employees on a regular basis. This applies both to those who have been working at the company for a long time and to new recruits. The latter receive training on the subject starting from day one.

In order to keep a wide audience engaged, we use interactive and short-format training tests. As part of these tests, we incorporate questions and examples that are closer to the environments in which our employees work.

We have also designated  Privacy Champions in teams. These are Flo employees who help promote the privacy and security program within their own departments.

We also hold company-wide events. This includes a program, on World Data Privacy Day, where our DPO talks about relevant topics, and “Launch & Learn” sessions, where leaders and managers in the areas of Security and Privacy explain complex concepts in simple terms.

We are proud of our partnership with PwC and our privacy and security. We believe that our privacy and security culture strengthens the effect of the program as a strategic objective. It also fosters an approach that makes privacy and security integral to our organizational priorities, project objectives, and development processes. And this is what a privacy and security by design product is all about.