Design principles for Privacy and Compliant software
Duration
Mar 2022 - May 2022
Product and team
Jira Service Management
Scale for enterprise
Role
thought leadership, foundational research, trust-centered UX
Data is human
Jira Service Management began as a small add-on to its big brother, Jira Software. Over the years, it grew into a mature standalone product. This growth brought in new responsibilities, especially as it expanded into enterprise. Designing for scale meant building infrastructure to manage large data sets. And when we talk about data, we have to talk about privacy.
This case study shares how I led early design strategy for privacy and compliance at JSM. I focused on unpacking the regulatory landscape, translating legal requirements into practical design principles, and guiding teams from feature checklists toward trust-building experiences.
OVERVIEW
Designing for privacy isn’t a legal checkbox
Atlassian as a company needs to comply with laws and regulations, and so do the businesses that use our products. We had seen incoming requests to support regulatory requirements such as HIPAA, FedRAMP and GDPR. But there was no clear strategy or experience lens to guide these conversations.
I wanted to understand the problem more deeply, not just what we needed to comply with, but why it mattered to our customers. I began with foundational research, looking beyond legal documentation into industry reports, customer feedback, and real-world case studies. I found compliance wasn’t just a legal box to tick but an opportunity to build confidence and transparency with users.
DRIVING DECISIONS
Translating insights into actionable design principles
Through my research, I uncovered three key insights:
Good design builds trust.
Users who perceive the product as high quality and easy to use are more willing to trust the company.
Personal data types vary and so do user expectations.
People want more transparency and control over what data is being collected.
Privacy is personal.
Data protection isn’t just a technical detail, it’s increasingly viewed as a human right.
Rather than patching UI patterns to meet compliance, I proposed we build privacy into the foundation, by establishing guiding principles that would steer future work across the platform.
Scaling trust before features

Building on one of Atlassian’s core design values, build trust with every interaction, I introduced three principles:
Build trust with transparency
Privacy language and choices should be clear, timely, and easy to understand. Always notify users about things that will impact them.
Build trust for the future
Sensitive information must be stored with integrity, and scale with the needs of growing teams and complex compliance standards.
Build trust in ownership
Give users agency. Individuals should feel in control of their personal data. Organisations should feel empowered to manage it in a way that aligns with their obligations.
These principles informed early feature work, like Safe Notifications, and helped shift internal conversations from reactive compliance to proactive trust-building.
POST LAUNCH
Impact
This foundational work shaped how early privacy and compliance efforts were approached across Jira Service Management:
Privacy principles were referenced by multiple teams as a lens for designing compliance-related features.
Safe Notifications served as a practical example of how privacy could be embedded into existing features without compromising usability.
Stakeholders began to align around a shared language when discussing privacy, security, and user trust.
Together, these shifts built momentum toward intentional, trust-centered design.
What I learned
This work reinforced the importance of stepping back before diving into solutions. By starting with research and clear experience principles, I helped shift privacy from being seen as just a legal checkbox to a core product responsibility. Trust is an experience, not a feature.