Privacy engineering will be central to the privacy profession going forward.
That is an easy assertion to make. Privacy professionals have long discussed the importance of building privacy in rather than bolting it on — aka privacy by design. But as technology has raced ahead, the need for privacy engineering has evolved and intensified.
When I began working at the IAPP, I was tapped to lead our privacy engineering initiative — i.e. better define what it is, why it matters and how we can support the professionals doing it. I want to share some of what I have learned from leading practitioners and renew our call for continued engagement from those working in this exciting field.
What is it?
In short, privacy engineering is the technical side of the privacy profession. Privacy engineers ensure that privacy considerations are integrated into product design. The longer answer is that it depends on whom you ask. Some practitioners view it as process management and others see it more as technical know-how. Both views seem equally valid and integral. Privacy engineers today work as part of product teams, design teams, IT teams, security teams, and yes, sometimes even legal or compliance teams. The Privacy Engineering program at Carnegie Mellon describes the need for practitioners who “understand technology and [are] able to integrate perspectives that span product design, software development, cyber security, human computer interaction, as well as business and legal considerations.”
Regardless of where they sit, privacy engineers must serve as translators between these teams, turning privacy requirements into technical realities.
Why does it matter?
Privacy engineering matters not only because it leads to better products, but because it can significantly influence a company’s bottom line.
Increasing lawyers’ technical knowledge, helping engineers understand the “why” behind privacy requirements, and ensuring that everyone considers user experience will lead to better products from a consumer perspective. Consumer trust can be a market differentiator, so that is clearly one good reason to invest in privacy engineering. Increasingly, though, it is only one of many.
Today, it matters because laws, regulators, and automation demand it.
Legal requirements
Privacy laws today mandate privacy engineering in practice.
The EU General Data Protection Regulation's Article 25, “privacy by design and by default,” comes close to requiring it by name. It demands that organizations “implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of [the GDPR] and protect the rights of data subjects.”
Organizations must implement technical and organizational measures to ensure that “only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.” The GDPR is clear that requirements must not only be integrated into policies and processes, but also built into products. When lawyers lack an understanding of new technologies or technical approaches, or when product, design, or engineering teams lack an understanding of privacy principles, meeting these requirements is tough.
The California Consumer Privacy Act calls for privacy engineering less directly. It requires privacy professionals to develop a deeper understanding of how vendors analyze, use and share the personal data businesses provide to them. This means understanding technologies and business practices, particularly those related to data analytics and targeted advertising. That technical understanding will inform the category into which vendors are placed — service provider or third party — and whether “do not sell” requirements apply to them. It will help organizations determine whether contract updates are needed and the extent to which doing business with certain vendors increases privacy risk. The CCPA also places deidentified and aggregate data outside the scope of the law (as does the GDPR). Understanding how and when data is deidentified will increase the options available to businesses seeking to use data in privacy-protective and legally compliant ways.
Many other laws and legislative proposals are approaching these issues similarly.
Regulatory enforcement
Perhaps more importantly, regulators are increasingly backing up demands for privacy engineering with enforcement actions.
The U.S. Federal Trade Commission recently demonstrated its willingness to hold companies to account through the largest privacy enforcement action in history — its $5 billion settlement with Facebook. That settlement faulted Facebook for failure to translate public statements and privacy policies into technical realities for individuals, lack of due diligence concerning third-party data handling, inappropriate default privacy settings associated with facial-recognition technology, and deceptive reuse of personal information provided for authentication purposes.
The FTC and other regulators around the world have invested directly in understanding privacy engineering to inform and assist in such regulatory actions. The U.K. Information Commissioner’s Office recently introduced a regulatory sandbox to help organizations and regulators incorporate privacy protections into innovative new products and services. The Irish Data Protection Commission introduced the Technology Research Unit to maximize “the effectiveness of the DPC’s supervision and enforcement teams in assessing risks relating to the dynamics of complex systems and technology.” The French CNIL employs a director of technology and innovation to oversee the IT experts department, the IT operations department, the innovation and foresight unit, and the CNIL labs. Other regulators have likely done the same.
Automation needs
Lastly, if another reason is needed, consider the ability to make wise investments in automation.
Privacy professionals have suggested that 2019 is the year for automation. In 2017 and 2018, countless businesses significantly revamped their privacy programs to comply with the GDPR. Now, many are turning to the CCPA.
Practitioners have found that the manual processes underpinning those programs are wholly insufficient. Automation has become a must. Perhaps that is why the growth of privacy tech vendors has been so dramatic. The IAPP’s just-released 2019 Tech Vendor report surveys more than 200 companies. These vendors offer services to automate or assist with access requests, activity monitoring, data mapping, consent management, data discovery, website scanning, de-identification, and incident response. Any of those services might or might not meet an organization’s needs. Understanding which will help and which could create new complications requires at least basic familiarity with legal requirements for privacy, business processes, and the systems and technologies with which they must integrate.
Privacy engineering knowledge is again key.
How can it be done?
Professionals who want to improve their understanding of privacy engineering have a growing number of options.
Higher education is a great one, but, due to time constraints, is not accessible to many working professionals. Those with several years to devote could study privacy engineering with Lorrie Cranor, CIPT, at Carnegie Mellon or law and computer science with Woody Hartzog at Northeastern. Others could chart their own path, building a hybrid curriculum that integrates courses in business, law, design, and computer science — a program that doesn’t exist today, but hopefully will at some point. An increase in graduates who understand how to bridge these disciplines is sorely needed.
For those who need to integrate privacy engineering into their knowledge base and organizations more quickly, three new options are worth exploring.
First, the National Institute of Standards and Technology will release its Privacy Framework by year’s end. The framework, modeled on NIST’s Cybersecurity Framework, lays out a set of privacy controls to help organizations identify, internalize and address privacy risk. Some controls are more technical and others less so. Overall, the framework is designed to provide legal, technical, design and product teams a common rubric to pursue privacy engineering. NIST sought the IAPP’s feedback on whether the current privacy workforce is equipped to implement the forthcoming framework.
In response, the IAPP mapped the Privacy Framework’s Core to our Certified Information Privacy Management body of knowledge and found that they align closely, suggesting that a growing number of privacy professionals are already approaching privacy management as NIST envisions. It seems noteworthy that the first overarching U.S. privacy framework is likely to be one focused on privacy engineering rather than legislative principles.
Second, last week, the IAPP announced a significant update to its Certified Information Privacy Technologist certification. IAPP Certification Director Douglas Forman said that the updates are based on the recognition that privacy tech and engineering are "taking more of a central place with how organizations meet regulatory obligations." Half of all topic content will be new and designed to better reflect evolutions in the field.
Third, just this week, the International Standards Organization released what it characterized as the “world’s first International Standard to help organizations manage privacy information and meet regulatory requirements.” ISO/IEC 27701, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines, outlines requirements for a privacy-specific information security management system. In announcing the standard, Clare Naden at ISO touted the standard’s benefits in helping organizations meet regulatory requirements across jurisdictions, including those stemming from the GDPR. ISO is also working to develop ISO/PC 317, a global consumer privacy standard that can be embedded into the design of products and services. The IAPP recently joined the Technical Advisory Group and will continue to follow this work closely.
What’s next?
Privacy engineering, like the privacy profession writ large, is a constantly evolving discipline. While I hope my take on the what, why and how is useful to those just beginning to explore it today, it will likely be different tomorrow. I have greatly appreciated the insights shared with me by privacy engineering practitioners. Continued engagement by privacy pros will be critical to help us and our members understand the issues and initiatives on which to focus going forward.