The Advent of Privacy Engineering
Move over privacy attorneys, analysts, consultants, CPOs and DPOs. Let’s make room for the Privacy Engineers who can facilitate the technical implementation of privacy and data protection by design and default into products and services. Welcome, the emergence of Privacy Engineering.
The field of privacy has typically been the realm of lawyers and consultants responsible for developing and implementing policies, handling contractual risk to data, managing privacy risk in business processes, and ensuring effective notice and choice publishing practices. However, in order to effectively manage and govern how data is used in practical terms, we can now look to the growing discipline of privacy engineering and associated technologies and products.
After some high-profile privacy snafus and a slew of data breaches and leakages, companies are realizing how important it is to gain and maintain trust with their customers by hiring privacy-savvy technologists that can translate policy into practical terms, often lumped under the moniker of “Privacy Engineer.”
What data do we have? Who is using it? How is it moving around our corporate environment? Does our software leak personal information? What privacy-preserving methods should data scientists use for research? These are only a few of the questions that privacy engineers can help businesses answer, and privacy engineering roles are popping up across the country at leading data-first technology companies like Google, Uber, LinkedIn, and Oracle.
What is Privacy Engineering?
In their 2014 seminal work on the subject – The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value – authors Michelle Dennedy, Jonathan Fox, and Tom Finneran describe “a systematic engineering approach to develop privacy policies based on enterprise goals and appropriate government regulations.” Only then can “[p]rivacy procedures, standards, guidelines, best practices, privacy rules, and privacy mechanisms…be designed and implemented according to a system’s engineering set of methodologies, models, and patterns that are well known and well regarded….”
Where privacy-by-design (PbD) provides a set of principles that businesses should follow to embed privacy and data protection into products and services, privacy engineers are the ones who actually implement PbD requirements into the development process.
Privacy Engineering Roles
Since the field is relatively new, there are many whose daily activities involve privacy engineering, and yet they don’t have a title that reflects such activities and tasks. To add to the confusion, “Privacy Engineer” has been applied to several defined roles within organizations. Here’s a breakdown of some of the bucketed roles within the privacy engineering ecosystem – note that others are likely to emerge.
Privacy Product Managers: These are the privacy experts who understand privacy regulations, the company’s privacy policies, and how that applies to the organization’s business objectives, and then document the specific business and product requirements for service delivery and product development.
To understand the core capabilities of privacy engineering for product development, we can look at the capabilities that Carnegie Mellon University prepares its students to apply upon completion of its Master of Science in Information Technology – Privacy Engineering program:
1) Design cutting-edge products and services that leverage big data while preserving privacy;
2) Propose and evaluate solutions to mitigate privacy risks;
3) Understand how privacy-enhancing technologies can be used to reduce privacy risks;
4) Use techniques to aggregate and de-identify data, and understand the limits of de-identification;
5) Understand current privacy regulatory and self-regulatory frameworks;
6) Understand current technology-related privacy issues;
7) Conduct privacy-related risk assessments and compliance reviews, respond to incidents, and integrate privacy into the software engineering lifecycle phases;
8) Conduct basic usability evaluations to assess the usability and user acceptance of privacy-related features and processes; and
9) Serve as an effective privacy subject-matter expert, working with interdisciplinary teams.
Developers: These are the software and hardware engineers with the technical skills to write code and build software products and internal privacy tools.
In the application security community, “Security Engineers” keep up-to-date with the OWASP Top 10 Security Vulnerabilities and then learn and apply secure coding techniques that help them avoid such weaknesses in order to prevent exploits. Similarly, developers who support privacy engineering efforts should study the OWASP Top 10 Privacy Risks, which provides a list of the most common privacy risks in web applications and related countermeasures. It covers technological and organizational aspects that focus on real-life risks, not just legal issues.
This OWASP effort provides tips on how to implement PbD in web applications with the aim of helping developers and web application providers to better understand and improve privacy.
Data Steward & Data Custodian: These are the people who are directly responsible for protecting personal data and information. Data Stewards manage all aspects of a subset of data with responsibility for integrity, accuracy, and privacy policies. Data Custodians manage access to data in accordance with access, security, and usage policies.
Project Test & Integration Engineers: These are the technical staff whose job it is to ensure privacy verification and validation for system integration, system test, and evaluation, and the transition to system operation and maintenance.
Data Scientists and Analysts: These are the mathematicians and statisticians who help derive value from data sets while protecting privacy. As big data projects continue to take off, we need these employees to ensure responsible and ethical uses of personal data. With assistance from Privacy Researchers, Data Scientists and Data Analysts are responsible for applying data minimization, aggregation, and de-identification techniques. They should also be able to select the appropriate privacy-enhancing technologies (“PET”) – like homomorphic encryption, differential privacy, and others – that protect the data during analysis while still providing value.
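As an added illustration of the de-identification work described above (example code written for this page, not code from the original post or from BigID), here is a small Python check of k-anonymity on a constructed table: the quasi-identifiers are generalized, rows in classes smaller than k are suppressed, and a final check shows one limit of de-identification: a k-anonymous class whose sensitive value is the same for every member still reveals it. All records and field names are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data): three quasi-identifiers plus one sensitive field.
RECORDS = [
    {"zip": "94103", "age": 34, "sex": "F", "diagnosis": "flu"},
    {"zip": "94107", "age": 37, "sex": "F", "diagnosis": "asthma"},
    {"zip": "94110", "age": 31, "sex": "F", "diagnosis": "flu"},
    {"zip": "10001", "age": 52, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "10002", "age": 58, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "10003", "age": 55, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "60601", "age": 29, "sex": "M", "diagnosis": "flu"},
]
QI = ("zip", "age", "sex")  # quasi-identifiers that could be linked to outside data

def generalize(rec, zip_prefix=3, age_bucket=10):
    """Coarsen the quasi-identifiers: keep a zip prefix and replace age with a range."""
    lo = (rec["age"] // age_bucket) * age_bucket
    return {
        "zip": rec["zip"][:zip_prefix] + "*" * (len(rec["zip"]) - zip_prefix),
        "age": f"{lo}-{lo + age_bucket - 1}",
        "sex": rec["sex"],
        "diagnosis": rec["diagnosis"],
    }

def equivalence_classes(records):
    """Group the sensitive values by the quasi-identifier tuple they share."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QI)].append(r["diagnosis"])
    return classes

def k_anonymity(records):
    """Size of the smallest class; every record is hidden among at least this many."""
    return min(len(v) for v in equivalence_classes(records).values())

def suppress_small_classes(records, k):
    """Drop rows whose class has fewer than k members (outliers generalization cannot hide)."""
    sizes = Counter(tuple(r[q] for q in QI) for r in records)
    return [r for r in records if sizes[tuple(r[q] for q in QI)] >= k]

def homogeneous_classes(records):
    """Classes where every member shares the sensitive value: k-anonymity holds, yet anyone
    who knows a person falls in the class learns the diagnosis (no diversity of values)."""
    return [key for key, vals in equivalence_classes(records).items() if len(set(vals)) == 1]
```

On the raw table `k_anonymity(RECORDS)` returns 1; after `generalize` and `suppress_small_classes(..., 3)` it returns 3, while `homogeneous_classes` still flags the all-diabetes class, which is the limit the CMU capability list refers to.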
User Experience and Design: These are the employees who design for trusted experiences in the digital ecosystem, work to understand how the user will interact with the product or service, and ensure that privacy is embedded into that experience.
Privacy Researchers: Privacy Researchers understand the current technology that enables privacy and facilitates data protection. They create new machine learning algorithms, help develop prototypes, assist with privacy architecture, and select and deploy appropriate PETs to protect privacy. Many companies are hiring privacy researchers directly from academia.
Privacy Engineering = Privacy + Engineering
Privacy engineering as a discipline is still in its infancy, yet regulations like the EU’s General Data Protection Regulation (GDPR) mandate that organizations implement PbD. How can PbD be implemented without the appropriate technical staff, processes, and supporting technology? The answer is that it can’t. Therefore, it is imperative that organizations hire the right combination of privacy engineering experience and skills to design and embed the requirements. Besides making the right hires, it is imperative that companies also heavily invest in: infrastructure (i.e., enterprise architecture and design), privacy and data protection products that automate time-consuming tasks, PETs, consent management tools, recruitment efforts, and ongoing training for current and future privacy engineers as new techniques emerge.
Towards Standardizing Privacy by Design and Privacy Engineering
Privacy engineering is an evolving discipline that incorporates the 7 Foundational Principles of PbD, which were developed by Dr. Ann Cavoukian, the former Information & Privacy Commissioner of Ontario. Last year, the National Institute of Standards and Technology (NIST) put forth a privacy engineering primer that delves further into privacy engineering for U.S. federal systems and reducing risk to information. Furthermore, efforts are currently underway to develop a global ISO/PC 317 standard for Privacy by Design for Consumer Goods and Services.
NIST recently announced its Privacy Engineering Framework draft – “a voluntary, enterprise-level tool that could provide a catalog of privacy outcomes and approaches to help organizations prioritize strategies that create flexible and effective privacy protection solutions, and enable individuals to enjoy the benefits of innovative technologies with greater confidence and trust.” In addition, efforts are also underway to develop ISO/IEC PDTR 27550, a global standard for Privacy Engineering and accompanying security techniques.
At BigID, we are watching the landscape very closely, and we are excited to be active participants in the ISO/PC 317 PbD standard-setting process. We’ve recently launched regular Engineering Privacy meetups in the following cities to help expand the community of practitioners and share knowledge: San Francisco, NYC, Seattle, Portland, Austin, Denver/Boulder, Minneapolis, Atlanta, Washington, DC, Boston, London, & Tel Aviv. If you engineer privacy into your job role, we hope that you can join us at one of our future meetup events.
Stay tuned for privacy engineering community-building events in both New York City and San Francisco.