Enterprise-level technology companies are becoming more innovative with the privacy solutions they adopt in an effort to meet customer expectations and legal compliance goals. HP's Privacy Engineering Center of Excellence seeks to be a leading example of a cutting-edge privacy-enhancing solution.

The team running HP's program seeks to establish new company standards across business units to build a transparent user privacy experience for products and services. The key to establishing desired standards, according to team leader Aaron Weller, CIPP/US, CIPM, CIPT, FIP, is empowering engineering teams to design functional products and software to meet privacy requirements.

"HP is going through a bit of a transformation right now. Having a very transactional device-centric relationship with people only gets you so far, so HP has been shifting toward a relationship model for a while," said Weller, who joined HP in 2022. "That's where I think the urgency around embedding some of these (innovative) privacy practices is, because as we know more about people, there's more data collection, and there's a need for more mature privacy practices. There's a level of trust we have built up with our customers we have to maintain."

With an existing privacy program in place, Weller said his first year at HP was spent gathering input from stakeholders in each business unit to determine where privacy compliance issues were delaying product development and where privacy engineering solutions could be deployed to enhance productivity. He said HP is on to the "second wave of privacy engineering" for an enterprise-level technology company, on the heels of legacy Big Tech firms like Microsoft, centering privacy engineering into their product development. 

"(Listening to stakeholders) really helped me to identify and build out my roadmap for the Center for Excellence this year," Weller said. "We asked ourselves, where are we having pain? And how do we help address some of the problems that are not theoretical — such as 'Let's go and build the perfect program' — but more, how do we help with problems that are real to our colleagues right now where we can show return on investment?"

Establishing an enterprise-wide synergized privacy program across each of HP's business units is not a one-size-fits-all approach, Global Privacy Engineering Enablement Leader Sabrin Muhammad, CIPT, CIPP/E, said. For instance, the data privacy engineering needs of laptop or printer divisions differ vastly from the needs of software divisions.

Muhammad said the center's team surveyed each business unit to gain insight into their data privacy risks, the guidance on various privacy techniques engineers need and the privacy-enhancing technologies they would like to see employed to meet their goals.

"The difference between a printer and a laptop, even though it seems like these go right on the same desk, the setup, the data used to support the operations and the development is completely different," Muhammad said. "You've got to have centralized tools, techniques and infrastructure to be able to do privacy at scale. So, with the business units operating largely independently, that's the major challenge we face and the success story that we want to be able to speak to as well."

Principal Privacy Architect Carl Mathis is tasked with "removing friction" for various teams and projects in development. With the center, he said his goal is to establish "proactive technologies, proactive reference architectures, proactive, approved patterns" for privacy dilemmas to make business units more efficient and prevent situations where every team member has to train on disparate privacy techniques to solve their specific problems.

"Let's say a business unit is collecting personal data for a given product and they need to anonymize the data, but we know that standard is very hard to meet," Mathis said "What I'm working on is developing a self-service portal so they can go in and answer a few questions about the data. Then, through a series of machine learnings and automated reasonings, that portal can suggest several targeted (PETs) for the issue."

Muhammad said the privacy engineering maturity for each of HP's business units is variable depending on their product offering. However, HP's institutional history of embedding cybersecurity checkpoints into design phases of a product allows Muhammad's team to identify the right technique or PET that can improve data privacy for a given function.

"From the data infrastructure and enterprise architecture perspectives, we would like to move to where all of the business units are shifting left and we've got that privacy checkpoint in the beginning," Muhammad said. "So, if there is personal information as a part of most of those security reviews, they're immediately flagged to bring in a privacy review specialist. It's not where we aim to be today, but we have the infrastructure in place to build on our processes."