Privacy engineering (and engineers) are hot!

Privacy engineering has emerged as a vital function for almost every business. Privacy engineers can bridge the gap between legal and technology teams to deliver privacy enhancing and legal compliant processes, products and services. This emerging field is interesting – includes a variety of activities, most focused on embedding privacy into systems but also requiring the ability to operate successfully in an cross-functional role.

And privacy engineers are in high demand!

Here’s some information that might be helpful if you’re thinking about entering this exciting new field…

Why do we need Privacy Engineers?

The volume and complexity of data continues to increase, and businesses are increasingly interested in how they can collect and use data for lots of different purposes. However, until the last couple of years, with the introduction of significant new privacy laws and a growing understanding of the importance of ensuring  customer trust, the rapid evolution of data infrastructure rarely included consideration of privacy as part of the design or development process.

All this has changed in the last few years with the growing recognition of the importance of ensuring privacy is supported by technology and engineering.  And with this growing recognition has come the need for a technical discipline that can mediate privacy, GRC, technology and engineering needs. And so the privacy engineer is born!

What is Privacy Engineering?

Privacy engineering is the practice of building tools and processes that apply privacy protections to personal data. Privacy engineers take legal requirements, regulations, privacy policies, and other organizational priorities, and ensure that the product or service being developed actually delivers on those requirements, at a technical level.

Privacy engineers interface with different stakeholders with diverse training and priorities, from lawyers to product designers to project managers. So communication skills are also important.

Those in the field report a mix of technical and non-technical responsibilities.

Some of the things privacy engineers might do are:

  • Inspect code before deployment to assess privacy risk.
  • Identify and implement the best methods for anonymization or pseudonymisation across the data lifecycle.
  • Ensure that the minimum personal data required is collected.
  • Design clear privacy controls for users (e.g. in mobile app’s).

Hand holding a phone with whatsapp options, including remove whatsapp

What else do Privacy Engineers do?

Other things that privacy engineers might do include:

Supporting Data Subject Rights

Data subjects have many rights, including the right to access their information, to delete it and in some case to ask that it be made available in a format that makes it easily transferable to another platform.  Privacy engineers can assist in developing solutions that:

  • Ensure that all relevant data is made available and no data is overlooked (when responding to access requests);
  • Only the date required to be deleted is deleted without impacting essential referential integrity between databases in the business backend.

Privacy engineers also collaborate with designers to ensure that data controls are useful and usable, presenting clear and transparent options to end-users.

Data minimisation

Data minimisation is a key privacy principle, specifically referenced in the GDPR. Data minimisation means the processing of the minimum amount of data needed for an activity.  For example, if you are an online theatre ticket seller, you don’t need information about marital status or dietary preferences (unless food is included in the theatre experience).

Privacy engineers can prevent privacy issues by examining code for unnecessary data collection.  They can also ensure that data minimisation principles are implemented throughout the data life cycle, particularly in storage.

For more information about data minimisation, see our blog post here.

Privacy by design

Contemporary privacy engineering is about baking privacy into development of all your products and services, making privacy a key component of the design process.  A key tool for privacy engineering is the Privacy by Design framework. The framework, first developed by Dr. Ann Cavoukian, integrates privacy into the design process rather than only considering privacy retroactively.

For more information about Privacy by Design, see our previous blog posts here.

Where does the privacy engineer fit?

Because this is still an emerging field, there’s no real consistency with where privacy engineers fit within an organisation. Privacy engineering can be housed under a variety of teams: IT, Information, Design, GRC, Engineering or Security. Privacy engineers may also have a range of titles: “Software Engineer,” “Technical Program Manager,” and  Data Engineer,”

How do you become a privacy engineer?

As privacy engineering is an interdisciplinary field, a variety of different career paths may can lead to privacy engineering. In Australia there are currently few courses directed at creating privacy engineers though privacy is increasingly being included in technology and cyber degrees. As the field becomes more prominent and structured, specific training programs will likely increase.

CIPT logo

IAPP’s Certified Information Privacy Technologist

One option for those looking at moving into privacy engineering is to complete IAPP’s Certified Information Privacy Technologist (CIPT) certification.

The Body of Knowledge for the CIPT is broken into seven modules:

  • Module 1: Foundational principles
  • Module 2: The role of technology in privacy
  • Module 3: Privacy threats and violations.
  • Module 4: Technical measures and privacy-enhancing technologies
  • Module 5: Privacy engineering
  • Module 6: Privacy by design methodology
  • Module 7: Technology challenges of privacy

Those who take the IAPP training course also get access to two useful text books:

For more information about the CIPT, read some of our earlier blog posts:

Privacy Training by Privacy 108

If you’re uncertain what privacy training will benefit you in your career or help to advance your organisation’s privacy program, get in touch. Privacy 108 offers training courses for privacy industry certifications, including IAPP’s CIPT certification, as well as tailored privacy training for organisations. So, we would love to help you determine what education and training best meets your needs.  

Our privacy courses are led by IAPP-certified instructor, Dr Jodie Siganto. Jodie has close to 20 years’ experience as an educator and is widely recognised as one of Australia’s leading privacy professionals. 

Find more information here: https://privacy108.com.au/cipt/

Contact us

Contact us: hello@privacy108.com.au