 Hello everybody. My name is Satya Krishnamurthy. I'm a TPM on WhatsApp. I've been with WhatsApp now for two years and two plus years and I've had quite a number of product and feature launches in my career at WhatsApp. I wanted to share some of the learnings on things that could affect your product life cycle with specific focus on privacy, integrity, security, and data. Here is the flow of how I'm going to walk through some of my learnings and in the end I will share some of the key takeaways I want you guys to take away as a part of this learning. This is your typical product life cycle. You start with an idea, you build a POC, you do some user research, you define success metrics for the idea, then once the idea gets flagged or approved, you basically go into a design cycle, you work on PRDs, you work on building your design as well as work with the tech lead on building the technical specs. Once that part of aspect is completed, then you go into a full development mode. In a agile environment, a lot of this becomes a hybrid mode where design and develop happens in parallel and finally you do have a test and validation and you come up with clearly a comprehensive launch plan identifying your target customers, identifying the countries where you want to start off and then you do a slow rollout. While you're doing a slow rollout, of course you're doing measurement and making sure that there are no regressions in anything, any of the key success metrics that you have identified as well as identify ways to improve for the follow-up feature or the version two of your feature. Now, this is your typical product design life cycle. Everybody is familiar with this, but we are missing a few critical elements as a part of this product life cycle. Now, as product managers and TPMs and engineering managers, one of the key things that we are trying to do is with this product life cycle, we are trying to estimate when do you think we can potentially land this particular feature, when do you think I can successfully release this feature, what will be the timeline because you need to inform your product marketing team, you need to inform the corporate marketing team, you need to inform the PR team. There is a whole lot of folks who need to be, you need to align and as a part of the process, you need to understand when the release is going to happen, when the rollout is going to happen so that all of the other cross-functional teams that you are working with, they can also synchronize their watches with your release cycle. But as I said, you are missing a few critical elements. Now, what are these few critical elements? Now, privacy. If your product is a consumer product or even if you are enabling businesses to reach consumers, which is a B2B2C, there are privacy misses that you need to be aware of. Some of the recent, I'm going to share as a part of the next few misses, some news articles that are relevant that basically talks about some of these privacy misses that we have gone through, that several applications have gone through and they've been reported in the news about some of these privacy misses. These privacy misses essentially can have an impact on your life cycle because you need to go back, pull the feature down and then make sure that you implement your privacy misses. Data misses, whether you are basically the type of data logging that you do, the type of data that you collect and making sure that the data has protections and controls and making sure that you are not collecting unwanted data, all of that are relevant here. And as you design your feature and as you design, go through the success metrics, you want to make sure that relevant data is collected so that A, you can validate the feature at the same time, you are also not over collecting or breaking some of the user privacy promises that you have made. Integrity, now the features that you developed, you want to make sure that you are not making this a bad experience or an unfavorable experience for your users. You want to make sure that the users feel comfortable using this feature, your consumers feel comfortable using this feature and this is not going to cause any unwanted impact. You do want to have tighter integrity controls on how this feature, how whatever feature that you're building is being used and integrity is going to play a key role in ensuring that you are able to accomplish that. Security, the data that you've collected, the integrity controls and the security controls that the controls that you have put in place, you cannot breach them. The data cannot, it should not be accessible by anybody. Even within the organization, you want to have tighter controls. Even within the teams, if it is a sensitive data, you want to have stronger controls. But some of these security measures can have a significant penalties and impact on your feature lifecycle, on the feature and how you're going to measure the success of this feature. Finally, policy. Policy is getting more and more complicated because each and every country has its own policy team. They have that own set of requirements that they are working through. Which means if you are building a global application, then you need to be cognizant of what each and every country policy is stating. Which country has what type of regulation that is currently ongoing? What type of event that is happening in this country that could potentially impact your product or feature release? We will discuss some of these things in detail. But missing this or not having a visibility into some of these global events could potentially impact your product release and product launch. And finally, costs of some of these things are not just your feature getting delayed or you have to roll back your feature or you are going to have some challenges in measuring successfully. It also has fines. A lot of the policy teams across multiple countries be it Brazil or Mexico or European Union, India, they all have very strict privacy violation fines. And any of these privacy violation fines could basically result in either users filing a class action or countries and their policy teams basically coming back with fines, which could potentially impact not just your feature, but overall credibility of the product. So overall, as you are thinking about your features, there are some new personas that you need to be user personas that you need to be thinking about, which needs to be added to the product lifecycle. You need to figure out, okay, I'm thinking about this user feature. What is the privacy aspect of this feature is going to be? Does it meet the product and corporate policies that has been established? What is a legal team is going to talk about? What is a legal team's view about the product and the feature and the commitments that we are making? What type of access controls are established when we create and log some of the new data and how am I deleting some of the unused or old data? Or how am I making sure that I'm having a policy around constantly deleting older data? Integrity, making sure that there is customer trust and customer value in the product and that persona is also something that you need to be thinking about as you are building this feature. And security, ensuring that the data and the application and the user security are very well understood and there are controls in place so that you are actually building your system and your feature with security in your mind. And finally, policy. It's not just about you're thinking about how you're launching the feature, but you're also thinking about what are the global events that are happening? What are the global policies about your feature that you need to be cognizant about? And how is it going to impact your product release? And how is it going to impact your overall schedule? It's something that you need to be planning for as a part of your product lifecycle. Digging deeper, there are a few things that you want to be cognizant about when you're dealing with privacy principles as well as data collection. And these are again, I'm going to go quote GDPR, which is one of the standards and how what are the generally accepted privacy principles are. In terms of these privacy principles, the key things that you want to think about as you are building it is, am I having a checkbox which basically identified every line item here is essentially, is fully wetted as I build my product, build my feature set, and build this logging and success metrics that are tied to these feature set. And having that kind of a checklist, having that kind of some kind of awareness around your product and your feature is going to basically make your product lifecycle much simpler. Now, in terms of data collection and flow, it is also not just your feature lifecycle that you need to be thinking about, you need to also understand the data lifecycle. The reason or reason is essentially as you start collecting data and application that you have built that is there in the App Store or be it an API driven platform that you're building, the data that you collect as a part of the process essentially goes through its own lifecycle. It basically gets collected, it gets stored in a particular system, it gets analyzed, and then certain recommendations are built based on that data, but then that data becomes stale, what happens to that data, how are we controlling it, as well as what type of risks and mitigations that that needs to be implemented prior to shipping these features that are tied to this data. As well, you need to basically making sure that how this data flows between these systems, is this data highly sensitive data? Can everybody access this data or should everybody access this data? If not, am I making sure that there are controls in my process, in my systems to ensure that enforce that these there are mitigations that are in place so that the data flows are tightly monitored and controlled. On protection and deletion, again, it's going to be another important critical aspect. You need to understand why this data is getting logged as a product manager or a TPM or an engineering manager, understanding why this data is getting logged and what type of personally identifiable information about the user or about a business that is being collected. You need to have a clear explanation and accountability on, which again goes back to the principles I was talking to you about, accountability on why this data was collected. For certain countries, you need to be clearly explaining why you are logging this and because it is tied to their country policy on basically having a title of controls around user data. Then having the right set of access control, we talked about this. As the data flows through your system at every single touch point, you have to make sure that nobody can access this data, be it a security breach or be it even internal users who are not authorized to access some of the sensitive data, cannot get access to it. Finally, data deletion policies are of course needed. The reason I emphasize on data deletion is that certain data deletion principles need to be in place to make sure that older data cannot be misused or misused and we will talk about this in future slides. Integrity. Now, integrity processes, again, we talked about making sure that app and your feature experience are not, feature experience are not turning out to be a nightmare or throwing a bad experience for your users and having an integrity team which basically ensures that there is a customer trust in product and features and we are not compromising the customer trust for a variety of a particular feature or just making sure that our access of a particular feature is going to be absolutely critical. We saw some of the examples of what are the types of customer trust, misuse of product or feature for personal gains. All of this is going to be very critical when you are dealing and working with the integrity team. As you are building some of the controls within your product and feature, you will be asked or you will be required to build in some of these additional controls so that any compromise in your product or feature can be addressed quickly. Some of the other personas that you might want to think about, commerce policy. Now, for products that are focused on trading of goods and services, it is going to be almost critical to work with your sanctions team, making sure that only allowed products and services to be sold in platforms. Certain countries do not permit certain type of products and services to be sold. Certain countries expect the trade with some other countries that are banned in the list to not have access to access to some of the products and services. Making sure that not only having a generally allowed list of products and services, but also making sure that complying with the commerce policies of the countries where you plan to roll out your feed product and feature is going to be absolutely important as a part of your understanding and working with the commerce and sanctions team. For products, we talked about user-facing products. I briefly mentioned the platform or the API-based products. Now, for products and features that provide API access for customers and partners to either internal data or internal features, again, going through some level of controls is going to be absolutely critical. Unauthorized access of the API, making sure that businesses and users who are accessing the API are complying with organization policies as well as the local government mandates. Also, if businesses are accessing some of the consumer data through API, then there is a tighter control, stricter control on how the access is provided, how the data is shared and how the business, how you are able to control the data flow, not just the data flow from your system, but also how the data gets used in the end systems are also going to be absolutely critical. So, having an end to an understanding of not just the API part, but having the data flow from your system to the party that is accessing the data is going to be critical. Finally, as we talked about various controls, various checklists, various policies and personas, it's going to be very important to think about how this implementation is happening. You might have identified all of this in your specs. You have identified a whole lot of the identified and documented all these personas, but a simple miss or a bug that can creep in into your coding could potentially derail your whole feature and functionality that could break some of the privacy, integrity, security, and data principles that you have established as a part of your feature development. So, having a compliance check and making sure the implementation review is happening whenever you are dealing with sensitive data or a sensitive feature is going to be absolutely important. And in some cases, having evidence and submission of evidence is going that ensures that all the safeguards are in place before you can even have one external user access to this feature would be something that might be absolutely needed. In some cases, it might be enforced saying that without the evidence, you cannot launch or in some cases, you might be asked to provide evidence at the later stage as the product starts rolling out. So, things to remember. Data access is again, it's going to be absolutely critical for you to have permissions and the right set of permissions before you launch a feature. The changes that you make, the feature changes and the product changes that you're going to make. Say you have released a version, one of the product, now you're thinking about version two of the features. You cannot change the data permissions or data policies just because your feature is getting upgraded. If you are building new use cases or new features or enhancements, they will definitely require new permissions or revisiting some of the old permissions and going through that whole process all over again. No overarching guidelines that you have established in your feature can be violated or you have to ensure that will not be violated by any other feature or future releases. So today's guidelines cannot be broken just because we are coming up with a new feature. So, which means as you're building today's feature, you should also be thinking about all the decisions that have been taken in the past to ensure that you're not just adhering to today's decisions, but also all the past decisions and past policies that have been enforced. As I said, as we are building more and more of these consumer apps trying to build some innovative features, the product lifecycle is definitely getting complicated as we need to think about all these critical elements or critical aspects of your product launch lifecycle. Finally, you would have done all of this. You would have gone through a variety of checks and balances. Make sure that you've gone through commitments, you've gone through implementations, you've gone through data checks, data controls, everything has been done. But even all of this, there are certain things that could impact your product or program release. These are what I would like to call as unknown unknowns. Now, local elections could definitely impact some of the feature releases because certain government would say, don't release this feature because this could potentially cause some kind of controversy due to this local election or there are some disinformation situations. There is a natural disaster that could potentially prevent you from launching a new feature because either it could cause disinformation or it could potentially impact the users from getting access to some of the critical services that your products and services are offering. Again, be cognizant of unknown unknowns because that again could potentially come back and even after doing all of these privacy, security, integrity and data checks and policy checks, you could still have impact to your product launch. There's one more thing that could disrupt your product launch and having that cognizance is going to be very critical. Finally, I do want to leave you guys with what is a modified product design lifecycle going to be. Privacy is going to touch every single aspect of your product design lifecycle, so having a constant touch point on privacy and privacy principles is going to be critical. Integrity is again going to be important as you design and develop the features, making sure that the user experience is not compromised in any way and users are not impacted in any way. It's going to be very important to understand data and data controls as you design, as you develop and start logging, thinking about collecting data and putting in control. Data is going to add additional impact. Security, as you build your feature, security is going to play a key role in making sure that all the features and feature sets comply with the security policies. There is no data breach that can happen. There is no access breach. Application user data is all secure and it is fully under lock and key. Finally, policy and having a clear idea on policy and things that could impact your launch, you are constantly in touch with the policy teams or constantly in touch with teams that are working with the local governments to make sure that your product launch in that particular country is not going to have any impact. Finally, the red line is your implementation review, making sure that whatever all said and done, all validated, your code does not have critical bugs that could potentially breach some of the product privacy, integrity, data and security principles that you have established. That is going to be something absolutely critical to make sure that whatever you have established as a spec is something that is what actually gets implemented and before the rollout happens. Finally, key takeaways. Privacy security, as you guys are thinking about product features, consumer facing product features or API based features, privacy, security, integrity and data should encompass all the aspects of product development lifecycle. Definitely do understand the impact of timelines and penalties when ignoring these challenges because any estimation that you make will be meaningless without taking into consideration some of these critical items that could potentially impact the timelines and could also cause some rollback or in some cases penalties. Watch out for current events and policy changes. If you are thinking about a global product or a global feature, definitely watch out for current events, policy changes because they could again come back to impact your timelines. Thank you and are there any questions or questions that I can answer?