Privacy Engineering Section Forum

We’ve reached capacity for the Privacy Engineering Section Forum.

Tuesday, 19 November
14:00 – 18:00

New to the Congress for 2019! With the rising tide of products and services collecting and processing personal data, the time for real solutions is here.

Brought to you by the IAPP’s Privacy Engineering Section and held in conjunction with workshop sessions, this nitty-gritty half-day event will examine the nuts and bolts of integrating privacy management and product development. Come for in-depth discussions and real-world examples of privacy management at work.

Two registration options:

  1. Available as a standalone event
  2. Add it to your main conference registration


Schedule and Program

  • 14:00 – 14:15
    Keynote Address

    Thomas Zerdick, Head of Unit, IT Policy, European Data Protection Supervisor

  • 14:15 – 15:30
    ISO/IEC 27701 for Privacy Information Management: A Standardised Approach for PII Controllers and Processors

    Willy Fabritius, Global Product Champion for Information Resilience, BSI

    Paul Houzé, Standards Officer, Corporate Standards Group, Microsoft

    Swati Manocha, Manager, EY

    Alan Shipman, Managing Director, Lead Editor on ISO/IEC 27701, Group5 Training

    The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) recently published ISO/IEC 27701 as an extension to ISO/IEC 27001 and ISO/IEC 27002 to establish the privacy information management system standard. This new standard aims to provide a universal set of controls to help controllers and processors demonstrate accountability for the processing of personal information. It builds upon the well-known ISO/IEC 27001 standard to strengthen the connection between privacy and security. This session will explain the content of the new standard, how it maps to various privacy regulatory requirements, and its operational applications to controllers and processors. The presenters will also discuss the auditing process and audit preparation for ISO/IEC 27701.

    What you will take away:

    • Understand the content of the new privacy information management system standard
    • Learn how it maps to various privacy regulatory requirements
    • Understand this new standard’s operational applications to controllers and processors
    • Discuss the auditing process and preparations for ISO/IEC 27701
  • 15:30 – 16:00
    Privacy Threat Modelling Methodology: Integrating Privacy Into the Software Development Lifecycle

    Yuliya Miadzvetskaya, Legal Researcher, KU Leuven CiTiP – imec

    Mykyta Petik, Legal Researcher, KU Leuven CiTiP – imec

    Kim Wuyts, Postdoctoral Researcher, imec-DistriNet, KU Leuven

    We will discuss a risk-based approach to privacy and data protection using LINDDUN as a specific example. This topic will allow us to explain the practical application of privacy by design principles with the LINDDUN methodology while keeping a bit of a legal element.

  • 16:00 – 16:30
    Networking Break
  • 16:30 – 17:00
    Personal Information Leakage by Abusing the Right of Access

    Mariano Di Martino, PhD Researcher, tUL, Expertise Centre for Digital Media, Hasselt University

    Pieter Robyns, FWO PhD Fellow, tUL, Expertise Centre for Digital Media, Hasselt University

    The enactment of the GDPR has provided additional privacy-related benefits to natural persons (data subjects) when their data is processed by third parties (data controllers). One such example is the right of access, which allows data subjects to request their personal information from a data controller in a cost-free and timely manner through subject access requests. Here, it is crucial that the data controller correctly and securely verifies the identity of the data subject, such that their personal information is not wrongfully transmitted to a (malicious) third party. In this session, we will explore the results of our study, which investigated the data subject identity verification policies of 55 organisations from the domains of finances, entertainment, retail and others. For 15 out of these 55 organisations, we show it is possible to impersonate a data subject and obtain their personal data, which includes financial transactions, website visits and physical location history.

    What you will take away:

    • Learn various techniques that criminals could employ to achieve this goal
    • Understand best practices that organisations should implement in order to minimise the risk of leaking personal data via subject access requests
  • 17:00 – 18:00
    Privacy and Security by Design: Methodology for IOT Devices

    Erik Boucher de Crèvecoeur, IT Expert, Commission nationale de l'informatique et des libertés

    Damien Cauquil, Senior Security Researcher, Digital Security

    IOT security and privacy have become major challenges for data controllers, manufacturers, developers and service providers. Using commercially available IOT devices, as well as material developed by CNIL such as the PIA guides and the open-source PIA software, we will showcase how stakeholders can integrate privacy by design in IOT devices. This step-by-step practical and technical journey will teach you to tackle critical, yet common, legal and security issues of IOT product development.

    What you will take away:

    • Learn practical steps to integrate privacy by design in IOT devices
    • Understand critical, yet common, legal and security issues of IOT product development
    • Learn about PIA guidelines and open-source PIA software that will allow stakeholders to showcase integration of privacy by design