What Is Privacy Engineering?

Privacy Engineering is an emerging field that has come to the fore in recent years dealing with the concept of protecting user privacy in the realm of software and other emerging technology.  Privacy Engineering is a mid to senior level role, dealing with the analysis of constraints and application of controls on software design in order to ensure privacy by design & privacy by default or to fulfill legal obligations. 

This blog post will discuss the skill sets, activities and resources available for those interested in Privacy Engineering.

Skill Sets

As a more advanced role, there are certain prerequisites which should be considered before deciding to align a career path into privacy engineering, these include, but are not limited to:

• A love of reading.  Privacy Engineers read a lot of information.  This isn’t always the most thrilling content either – they review policy changes, regulation changes, requirement documents, and the like extensively.  
• A love of change.  The Privacy industry is advancing rapidly.  Over the past few years technology changes and new laws and regulations have forced changes to companies on how they collect and process data.  Being a privacy engineer means that you will need to become aware of these changes, and adapt recommendations and processes accordingly
• The ability to work on a cross-functional team.  Privacy engineers speak to and work with other engineers, designers, leadership positions (including the C-Suite), business analysts, lawyers and more.  Being able to speak to, and understand, their concerns is critical to be effective.

Software Design Life Cycle / Data Life Cycle

Privacy Engineering activities take place across the entire Software Design Life Cycle.   They assist in requirement construction, code reviews and QA activities.  They need to understand how to best work with-in the software design methodology (waterfall, agile, etc.) in order to ensure that privacy concerns are met.

They also need to develop an understanding of the Data Life Cycle, and determine which controls to apply in the various phases and ensure that requirements built in and are met in regard to data use and data deletion (for example).

Finally they need to understand the various technical measures and controls, from overall system design to techniques such as hashing, encryption and various security controls which may need to be applied to the software being built.

Given the body of knowledge (from a technical perspective) privacy engineers are commonly more Senior Engineers, Technical Leads, or Architects within an engineering organization. 

Frameworks

Privacy Engineers may have to apply one or more frameworks during consideration of design requirements or implementation of code & configurations.  These may include:

Standards Based

• Payment Card Industry Data Security Standard (PCI-DSS)
• GAPP Maturity Model
• ISO 27701
• NIST Privacy Framework

Regulatory Based

• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• The Health Insurance Portability and Accountability Act (HIPAA)

These standards may need to be applied both in the context of a single system, as well as in the context of a distributed system which sends data between systems, companies or countries.

Harm and Risk

Privacy engineers may be responsible for, or assist in, the quantification of potential privacy related harms and risks involved in the collection or processing of data.  These items may be required under law to be documented for the purposes of Data Protection Impact Assessments and so may carry some legal weight in the event of an investigation.

Calculation of possible harms may include application of multiple frameworks, such as Calo’s Privacy Harms or Solove’s Privacy Taxonomy.  These (and related) frameworks evaluate privacy risks from both objective and subjective standards, so that potential controls can be applied as mitigation measures.

On the risk side of things, risk modeling, such as the identification of possible threat actors is done in order to determine where controls may need to be applied.  Activities here investigate risks (both a direct risk and an indirect risk) and develop plans for how to manage that risk.

Collaboration

Privacy Engineers often have to work with other groups they don’t have direct control over, and so the ability to understand the concerns of each group and speak to them persuasively is often critical for success.  Many of these groups may not be technical, and so the ability to speak to less technical stakeholders is required.

In particular a privacy engineer may have increased access to both legal / compliance groups, as well as leadership (all the way up to the C-Suite) and so should be able to tailor messaging appropriately for the various groups. 

For interactions with Legal specifically, the privacy engineer may be asked to help translate regulation into technical requirements, and then communicate those requirements to the rest of the engineering organization.  While not required, an understanding of regulation and contract law can be very helpful in these discussions and can lead to more productive communication with lawyers.

Activities

The Privacy Engineer is often called upon to speak to harm, risk, potential privacy threats, violations and related controls.  They work with a number of stakeholders across an organization to quantify and mitigate harm and risk.  They also may be consulted in product planning, requirements gathering or related activities.  They are heavily involved in Data Governance and related discussions.

They may also be involved in documentation and have input into some of the following documents:

• Data Processing Agreements
• Data Protection Assessment / Data Protection Impact Assessment
• Risk Assessments
• Transfer Impact Assessments
• Privacy Impact Assessments

Certifications

There are two certifications that deal with Privacy Engineering.

Certified Information Privacy Technologist (CIPT)

The CIPT certification is offered by the International Association of Privacy Professionals (IAPP). This ANSI/ISO accredited certification tests across seven different domains.  The test establishes that the taker understands privacy concepts and understands when to apply various techniques to enhance privacy.

A description of the body of knowledge can be found here.  

The exam cost $550 for the initial attempt, retakes are $375.  The certification also requires maintenance, both with a fee (free with IAPP membership) as well as a continued education requirement. The certification lasts for two years before needing to be renewed.

Training can be purchased from both the IAPP, as well as various partners.  It is however possible to pass with just reading the two textbooks.

I passed this certification in December of 2022 and can say that it is very much aimed at those with a technical background.  Those who are not familiar with Enterprise IT processes, security and the like, can expect to need to study for 30 or more hours prior to attempting the exam.

Certified Data Privacy Solutions Engineer (CDPSE)

This certification is offered by ISACA.  The exam covers three domains related to privacy governance, privacy architecture and the data lifecycle. 

It also requires a minimum of 3 years of professional work in the privacy engineering space. Details on this and other requirements for certification after passing the exam can be found here.

ISACA offers a planning guide for more information for those interested in the exam.  The cost of the exam is $575 for ISACA members, and $760 for non-members.  Once the exam is passed, an additional $50 fee applies for certification processing.

The CDPSE also has maintenance requirements including a fee,  continued educational requirements and related requirements, which can be found here. 

College Courses

The only college course I know of discussing Privacy Engineering is a Master’s level course from Carnegie Mellon University.  Details on application and course work can be found in the handbook.

I have not taken the course – but include it here for consideration in case folks are interested in professional college level training.

Organizations

My recommendation here would be the International Association of Privacy Professionals (IAPP).

Conferences

Conferences vary, the IAPP offers several world wide.  You can often find at least one session at most industry conferences related to privacy and security – but few focus on privacy extensively.

Superweek is another good conference which typically has some privacy discussions related to the analytics and marketing industries.

Books

My Top 5 Recommended Books (in no particular order) would be:

Privacy space in general:

Data Reimagined:  Building Trust One Byte at a Time

Privacy Engineering:

• The Privacy Engineer’s Manifesto
• Data Privacy:  A runbook for engineers
• An Introduction to Privacy for Technology Professionals
• Strategic Privacy by Design, Second Edition

Podcasts / Blogs / Webinars

There are very few Privacy Engineering centric podcasts – most are privacy related in general and occasionally touch on privacy engineering.  Some that come to mind are:

• She Said Privacy / He Said Security
• Life After GDPR Podcast
• Masters of Privacy
  

I often speak on privacy topics.  You can find a list of my previous appearances here.