Privacy Engineering Section Forum

Wednesday, Sept. 30
8 a.m. – 4:30 p.m.

With the rising tide of products and services collecting and processing personal data, the time for real data privacy solutions is here. The ever-closer connection between people, privacy and technology will be the focus of the next Privacy Engineering Section Forum, brought to you by the IAPP’s Privacy Engineering Section. This full-day event will take a nuts-and-bolts view of integrating privacy management and product development. Come for in-depth discussions and real-world examples of privacy management at work.

Schedule and Program

  • 7 – 8 a.m.
    Check-In and Breakfast
  • 8 – 8:30 a.m.
    Welcome and Keynote Address
  • 8:30 – 9:30 a.m.
    Practical Responsible Use: Ethics Framework for Cloud

    Euan Grant, Artificial Intelligence and Research Privacy, Microsoft

    David J. Marcos, CIPM, CIPT, Ethics and Society, Responsible Innovation Compliance, Microsoft

    Artificial intelligence and continued cloud computing advancements are forcing privacy programs to broaden their scope into larger ethical considerations when developing software solutions. As responsible innovation comes to the forefront, practical ethical risk frameworks are a necessity. This discussion will describe Microsoft’s initial efforts to develop its responsible innovation framework for the cloud and artificial intelligence, detailing the basics of ethical evaluations as well as the practical implementation and monitoring of activities, leveraging data governance capabilities Microsoft has developed and continues to evolve pursuant to GDPR engineering efforts.

    What you will learn:

    • A framework to rationalize ethical considerations.
    • Scaling ethical computation to the cloud.
    • Evaluating and measuring ethics risks within information technology.
  • 9:30 – 10 a.m.
    Refreshment Break
  • 10 – 10:45 a.m.
    Addressing Privacy in Medical Device Engineering

    Abhishek Agarwal, CISO, Fresenius Medical Care

    Ahmad Sharif, CMIO, Fresenius Medical Care

    Technology-enabled medical devices collect, process and transmit sensitive information that may be governed by privacy regulations such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) or EU General Data Protection Rules (GDPR). The complexity, number, and diversity of medical devices — especially network-connected devices — expose healthcare networks to a broad range of security and privacy risks. The problem of medical devices on sensitive networks has been latent for years. But today three trends are converging to make it an immediate risk: 1. Sharp rises in security attacks due to malware that increase the likelihood of data breaches; 2. Increasing vulnerabilities of medical devices to malware, hacking, and data theft; 3. New government incentives and mandates to share patient information electronically, simultaneous with severe penalties for any loss, diversion, or exposure. In this session, we will outline the privacy and security risks introduced by networked medical devices, then present results from case studies by the College of Health Information Management Executives (CHIME) to gain the perspective of industry insiders. Finally, panelists will review privacy-related technical options available to help hospitals, diagnostic centers, and clinics assess and address issues introduced by networked medical devices.

    What you will learn:

    • Understand the unique challenges of balancing security and privacy with safety and effectiveness.
    • Prevailing networked medical devices security and privacy threats.
    • Building safer, stronger, more secure medical device environments.
  • 10:45 a.m. – 11:30 a.m.
    Genetics and Privacy

    Moderator: Nathan Good, Good Research

    Ramon Felciano, Chief Technology Officer and VP, Strategy, QIAGEN

    Gunnar Kleeman, Geneticist and Data Scientist, PhD Princeton, Austin Capital Data

    Genetic information presents a unique challenge for practitioners seeking to address regulatory requirements and provide customers with a trusted experience. Privacy rules around genomic data vary significantly across countries, and sometimes even within countries. Common technical tools such as de-identification are more difficult to implement in the context of genetic information. The limitations of current technical methods require new ways of confronting ever-evolving requirements. For example, genetic data is relatively useless on its own; it needs to be plugged into and combined with other data (e.g. medical records data or other lab experimental data) to yield good insights. As such, technical approaches need to allow for mixing and integrating data. Furthermore, we’re in the very early days of understanding genomic biology. As such, we cannot pre-enumerate all possible uses of a person’s genetic data. This poses some real challenges for things like consent forms that technology could solve.

    What you will learn:

    • An overview of what genetic information is and its relation to privacy.
    • The challenges and opportunities that exist from an engineering perspective in the space of gaining value from genetic data while protecting and managing user privacy.
  • 11:30 a.m. – 12:30 p.m.
  • 12:30 – 1 p.m.
    Privacy Architecture for Data Collection and Sharing

    Nishant Bhajaria, Privacy Architecture and Strategy, Uber

    How can companies create a framework to classify and inventory the data they collect? Such a framework is vital to secure data and maintain customer trust. This session will walk you through the policy, cross-functional process and engineering tools required to build a governance framework. Building on the policies and technical architecture that manage data collection, how can you create a privacy architecture for data sharing? You will learn several techniques and real-world scenarios to help drive privacy decisions. This talk will feature personal stories, lessons learned, and specific examples. It will help you create data governance and technical architecture in the context of societal and legal sentiment vis-à-vis privacy. Whether you are an attorney, engineer, policy professional or a stakeholder in privacy, this talk will provide actionable insights.

    What you will learn:

    • How do you drive a centralized privacy governance in a largely decentralized company?
    • How do you combine technical tooling with legal policies as part of the privacy governance?
    • How do you combine various data-sharing techniques to provide privacy protections to your users?
    • How do you measure success for such a program and how do you communicate it to C-Level stakeholders who lack a privacy background?
  • 1 – 1:30 p.m.
    Data Use Strategy

    Ojaswani Suley, Principal Program Manager, Microsoft

    Data use transparency helps us map to our internal policies, customer commitments and regulatory requirements. Categorizing data use and monitoring the seamless flow of data from the point it was collected to when it was processed by engineering helps us understand if we are using the data based on the purpose of collection. This session is about understanding how we can enable our customers, engineering and our leadership to have a seamless story on data use. The focus of the session will be leveraging data use governance to reduce an organization’s risk, make it implementable for our engineering teams, and respond to regulatory inquiries and audits. Discussion will also cover withholding data from first- and third-party services and restricting its use to what was listed as the primary purpose of data collection.

    What you will learn:

    • Build a data use strategy for your organization.
    • Enable data-driven decisions through engineering implementation of data use workflow.
    • Data use transparency to build customer trust.
  • 1:30 – 1:45 p.m.
    Joint Q&A: Privacy Architecture for Data Collection and Sharing & Data Use Strategy
  • 1:45 – 2:45 p.m.
    Navigating and Implementing the NIST CSF and Privacy Frameworks

    Lisa McKee, Senior Manager Security and Privacy, Protiviti

    NIST complicated navigating and implementing its Cybersecurity Framework (CSF) in 2019 when it released the Privacy Framework. NIST designed the CSF and Privacy frameworks to complement each other. This session will review the sections and controls of each framework and identify the overlapping controls and differences in the CSF and Privacy frameworks. Participants will take away key considerations and ways to implement both frameworks. Learn how to overcome implementation challenges; strategies for getting stakeholder buy-in to using the frameworks; and the importance of both frameworks in supporting an organization’s security and privacy programs.

    What you will learn:

    • High-level overview of the sections and controls of the NIST CSF and Privacy Frameworks.
    • Implementation challenges and presenting to stakeholders.
  • 2:45 – 3:15 p.m.
    Refreshment Break
  • 3:15 – 3:45 p.m.
    Privacy in Mobile Apps — What You Need to Know

    Anshu Gupta, VP, Security,

    As users move to the world of mobile apps, it becomes important to understand their security and privacy risks. This session will delve into issues like third-party SDK security, cryptographic storage, and IP protection, among others. We will also talk about some of the risks and best practices around ensuring privacy and security while doing mobile application development.

    What you will learn:

    • Security and privacy risks of mobile apps.
    • App-level security and privacy models of iOS and Android.
    • OS/platform-level security issues and protections available.
    • Application/code-level security and privacy mitigations that developers can use, with code examples.
    • Mobile-specific privacy issues and available technical mitigations.
    • Mobile third-party SDK level security and privacy issues.
  • 3:45 – 4:30 p.m.
    Geolocation and Privacy

    Sarah Lewis Cortes, CIPP/E, CIPM, CIPT, FIP, Privacy Assurance and Engineering, Netflix

    Some laws and regulations across jurisdictions require collection/retention of certain data for a minimum time period, others forbid it or dictate a maximum time for retention. Data processors must be careful not to delete data they are required to keep, nor to keep data they are required to delete. Examples of minimum retention expectations include tax data, with a six-year minimum retention, and data on litigation hold. Examples of maximum retention include PII. When navigating the myriad, sometimes conflicting laws across jurisdictions, privacy engineers are more and more frequently confronted with a need to implement geolocation techniques to correctly apply laws to consumers subject to jurisdictions. Many technical approaches, including some surprising ones, have been developed for geolocation. This session will review geolocation techniques and technology, and issues and implications for the use of each.

    What you will learn:

    • Geolocation techniques and technical options.
    • Categorization of location and other data as PII, including IP address, and governing laws/frameworks.
    • Legality of geolocation.
    • How to maximize privacy while maximizing compliance.
