In different parts of the world, privacy laws have been in development for the last 50 years or so. Privacy Engineering, however, is a relatively new discipline, and its relevance is rising rapidly because of a number of changes, including but not limited to:
- Changes in business models, data availability and modes of engagement
- Changes in customer expectations and awareness
- A shifting data privacy and data protection regulatory landscape
- Increased regulation in response to technological developments: IoT, AI, 5G, drones, biometric recognition, cryptocurrencies and more.
With digital transformation and the adoption of technologies such as the cloud, the ownership, management and use of resources are split among different parties, and this separation increases the risk to privacy. This climate of change therefore calls for a climate of innovation.
There was a time when security and privacy were afterthoughts, secondary features at the periphery of the design process. Today, the aim of Privacy Engineering is to bring privacy, alongside security, to the centre of the design process. Let’s delve into the concept.
What is Privacy Engineering?
Privacy engineering is a methodological framework for integrating privacy into the life cycle of IT system design and development. It operationalizes the Privacy by Design (PbD) framework by bringing together methods, tools and metrics so that privacy-protecting systems can actually be built. With the pandemic, digital innovation became the need of the hour, which has brought PbD even further into the limelight. The goal of privacy engineering is to make Privacy by Design the de facto standard for IT systems.
Different bodies define privacy engineering differently, but the gist is the same: address privacy across the complete lifecycle of personal data, not only while the data is being stored and analysed. Privacy engineering takes a holistic approach that covers legal requirements, risk analysis and user sentiment.
US-based National Institute of Standards and Technology (NIST) defines privacy engineering as “a specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII.” The below image sheds more light on the objectives of Privacy Engineering:
By making privacy an integral part of the design and development process (the SDLC), privacy engineering aims to reduce risk and protect privacy at scale.
As per Gartner’s definition, “Privacy engineering is an approach to business process and technology architecture that combines various methodologies in design, deployment and governance. Properly implemented, it yields an end result with both:
- Easily accessible functionality to fulfill the Organisation for Economic Co-operation and Development (OECD) eight privacy principles and,
- Mitigation against the impact of a breach of personal data by reimagining defense in depth from a privacy-centric vantage.
The process involves ongoing re-calculation and re-balancing of the risk to the individual data owner while preserving optimum utility for personal data-processing use cases.”
Thus, privacy engineering is the foundation of holistic privacy. It helps build a structured framework and brings privacy into the mainstream of what organizations focus on.
Privacy Engineering – bridging the gap between IT, Risk and Compliance, Privacy, Security and Business
Privacy protection continues to be a critical issue for individuals, businesses and governments across the globe. People, as consumers, want personalized content and service delivery, but at the same time they want their privacy protected at all costs: they expect businesses to take action to protect consumers’ data, and governments to protect citizens’ data.
A few things that I believe hold true in this scenario:
- Consumers want transparency about how businesses store, process and use their data.
- They are very concerned about how their personal information is used by advanced technologies like AI, and any kind of abuse erodes their trust completely.
- Many consumers do not trust that private businesses have, or will follow, the regulations and compliance measures needed to keep their data secure, so they look to their governments to protect their data through laws, policies and other enforcement mechanisms.
- Once trust is lost, consumers take action to protect themselves and their data. They switch to companies or providers they trust to keep their data safe, and many terminate relationships with traditional and online businesses over data privacy.
With the advent of privacy laws such as the EU’s GDPR, a framework has been established for Data Subject Access Requests (DSARs). Many privacy laws let consumers raise requests concerning their data (for example, to access, correct or delete it), putting control in the consumers’ hands so that they can act if they are dissatisfied with how their data is stored, processed or used.
Privacy engineering, by bonding innovation with PbD, ensures that every IT system provides the highest practicable level of privacy for personal data. This increases consumers’ trust that their data is safe, because privacy has been ingrained in the system.
Pros and cons of Privacy Engineering
| Pros of Privacy Engineering | Cons of Privacy Engineering |
| --- | --- |
| Reduces dependence on external security enforcement | Depends on supporting laws and policies, many of which are still being developed |
| Privacy is the default setting because it is embedded in the design; protection is proactive rather than remedial | Violations remain possible through mistakes in the design or development phase, bad actors, government mandates, the arrival of new technologies, and so on |
| Provides end-to-end protection across the whole system lifecycle | Can be expensive to implement, since it requires skilled engineers |
| Respects user privacy and keeps technology and systems user-centric | Some may find it restrictive to innovation |
| Helps businesses increase customer trust and avoid penalties and future liabilities | |
Privacy Engineering- helping the Digital Transformation programs
Digital transformation has become mainstream. Organizations are embarking on this journey and realizing that if they do not do it now, they will be left behind. This has given rise to a trend of adopting digital technologies, and with it an explosion of data.
Privacy engineers play a very important role in Digital Transformation: they ensure that privacy considerations are integrated into product design. Privacy engineering results in better products and increases customers’ trust, and thus influences a company’s bottom line. Privacy by Design has gained further importance with laws such as India’s IT Act and the EU GDPR. Experts predict that privacy will be an integral part of the technology revolution, and those who integrate privacy into the product lifecycle are doing the right thing and will succeed in the future.
Challenges associated with privacy implementation in organizations
The challenges to implementing privacy include, but are not limited to, the following.
- One cannot protect what one does not know about. In most organizations, sensitive data is spread across many locations: on premises, in the cloud and with managed service providers. The challenge lies in locating the data, understanding where it originated, and tracking it in a dynamic environment.
- For traditional, legacy systems, it is hard to bake data privacy into the core system design after the fact.
- There is a tug of war between data privacy and data usability. Organizations find it difficult to strike the right balance: protecting sensitive data without inhibiting the business processes that depend on it.
- Standards and best practices for integrating privacy into the SDLC are still immature and not widely adopted.
Best practices in privacy implementation in organizations
Best practices in privacy implementation are as follows.
- Carry out a privacy impact assessment across the organization to understand the purpose for which personal data is collected and the processing activities undertaken.
- Across digital channels, provide a cookie notice that explains which cookies are used and how.
- Establish a trust framework that spans the layers of people, processes and technology. In my view:
– People capabilities come from training, internal and customer-facing privacy policies, data accuracy, handling customer requests concerning their personally identifiable information (PII), and a holistic view of customer relationships.
– Process capabilities come from design changes that put privacy thinking at the core, data classification, and maintaining the CIA triad (confidentiality, integrity and availability) for personal data.
Moreover, customer consent plays a key role here. Customers will provide their data for better services, as per their needs, provided the organization earns their trust that the data will be safeguarded as an asset.
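As an added illustration (not code from the original post), the script below puts two of the points above into practice: the challenge of locating personal data you do not yet know about, and the best practice of classifying data so that a purpose-limited, pseudonymised view can be handed to a business process without exposing raw identifiers. It scans a set of constructed customer records, classifies each field as a direct identifier, a quasi-identifier, free text containing PII, or non-PII, and then builds a minimised view for a hypothetical "repeat-purchase analysis" use case: direct identifiers are replaced with keyed HMAC pseudonyms (stable under one key, so joins still work; unlinkable without it), dates of birth are generalised to year, PII inside free text is redacted, and fields the purpose does not need are dropped. All records, field names, regular expressions and the demo key are assumptions made for this example.

```python
"""Added example: discover PII in records and build a pseudonymised, minimised view.

Everything here (records, field names, regexes, key) is constructed for the
illustration and is not taken from any real system.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List

# Constructed sample records (not real customer data). Note the two spellings
# of Alice's e-mail address and the phone number / e-mail hidden in free text.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"customer_id": "C-1001", "email": "Alice@Example.com", "phone": "+91 98765 43210",
     "dob": "1988-04-12", "city": "Pune", "order_total": 1299.0,
     "notes": "Call back on 98765 43210 before noon"},
    {"customer_id": "C-1002", "email": "bob@example.org", "phone": "+1-415-555-0134",
     "dob": "1975-11-30", "city": "Austin", "order_total": 42.5,
     "notes": "Prefers contact by email"},
    {"customer_id": "C-1003", "email": "alice@example.com", "phone": "+91 98765 43210",
     "dob": "1988-04-12", "city": "Pune", "order_total": 310.0,
     "notes": "Returned item; reach her at alice@example.com"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Field names treated as quasi-identifiers (assumed naming convention).
QUASI_FIELDS = {"dob", "date_of_birth", "city", "postcode", "zip"}

# Sensitivity classes, least to most sensitive.
NON_PII, QUASI, FREE_TEXT, DIRECT = ("non_pii", "quasi_identifier",
                                     "free_text_pii", "direct_identifier")
RANK = {NON_PII: 0, QUASI: 1, FREE_TEXT: 2, DIRECT: 3}


def classify_value(field: str, value: object) -> str:
    """Classify one field value using the field name and content patterns.
    Quasi-identifiers are checked first so an ISO date is never mistaken
    for a phone number by the permissive PHONE_RE."""
    if not isinstance(value, str):
        return NON_PII
    if field in QUASI_FIELDS or ISO_DATE_RE.match(value):
        return QUASI
    if field.endswith("_id") or EMAIL_RE.fullmatch(value) or PHONE_RE.fullmatch(value):
        return DIRECT
    if EMAIL_RE.search(value) or PHONE_RE.search(value):
        return FREE_TEXT
    return NON_PII


def discover_pii(records: Iterable[Dict[str, object]]) -> Dict[str, str]:
    """Scan every record; a field's class is the most sensitive value seen in it,
    so a 'notes' column that is harmless in most rows is still treated as PII."""
    found: Dict[str, str] = {}
    for rec in records:
        for field, value in rec.items():
            cls = classify_value(field, value)
            if RANK[cls] >= RANK[found.get(field, NON_PII)]:
                found[field] = cls
    return found


def pseudonym(key: bytes, value: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). Canonicalising first means
    'Alice@Example.com' and 'alice@example.com' map to the same token."""
    canonical = value.strip().lower()
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact_free_text(text: str) -> str:
    """Replace e-mail addresses and phone numbers embedded in free text."""
    return PHONE_RE.sub("[PHONE]", EMAIL_RE.sub("[EMAIL]", text))


def generalise(value: str) -> str:
    """Coarsen a quasi-identifier: full date of birth becomes birth year."""
    return value[:4] if ISO_DATE_RE.match(value) else value


def minimise(records: List[Dict[str, object]], key: bytes,
             purpose_fields: Iterable[str]) -> List[Dict[str, object]]:
    """Build the view a downstream process receives: only the fields its purpose
    needs, with each field transformed according to its discovered class."""
    classes = discover_pii(records)
    wanted = set(purpose_fields)
    view: List[Dict[str, object]] = []
    for rec in records:
        row: Dict[str, object] = {}
        for field, value in rec.items():
            if field not in wanted:
                continue  # data minimisation: drop what the purpose does not need
            cls = classes[field]
            if cls == DIRECT:
                row[field] = pseudonym(key, str(value))
            elif cls == QUASI:
                row[field] = generalise(str(value))
            elif cls == FREE_TEXT:
                row[field] = redact_free_text(str(value))
            else:
                row[field] = value
        view.append(row)
    return view


# Hypothetical purpose: repeat-purchase analysis needs a stable join key (email),
# an age bucket (dob), region (city), spend and the notes field, but never the
# raw contact details or internal customer id.
PURPOSE_FIELDS = ("email", "dob", "city", "order_total", "notes")
DEMO_KEY = b"constructed-demo-key-rotate-me"  # assumption: stored in a KMS in practice

if __name__ == "__main__":
    for field, cls in discover_pii(SAMPLE_RECORDS).items():
        print(f"{field:12s} -> {cls}")
    for row in minimise(SAMPLE_RECORDS, DEMO_KEY, PURPOSE_FIELDS):
        print(row)
```

The pseudonymisation key is what decides the usability/privacy balance: the analytics team can still count Alice as one repeat customer across both of her records, but without the key they cannot recover her address, and rotating the key per purpose stops two datasets from being joined against each other.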
Being associated with ZNet Technologies, a leading distributor of Acronis cyber-protection solutions across the globe, I have seen that businesses manage security using a multitude of tools. This patchwork of tools makes cybersecurity implementation tiring and less effective. Integrating data protection and cybersecurity to protect systems, applications and data reduces the risk from cyberattacks.
Businesses are more efficient when backup and recovery are automated and attack-prevention capabilities (ransomware protection, anti-malware and virus scanning, patch management, vulnerability assessment and more) are handled from a single console.
Some recent developments in the Privacy engineering world
Privacy engineering, like the privacy profession as a whole, is a constantly evolving discipline. Efforts to address privacy by technical means are still scattered and disconnected.
- ISO published privacy engineering guidelines in 2019: ISO/IEC TR 27550:2019, Information technology — Security techniques — Privacy engineering for system life cycle processes.
- NIST published Version 1.0 of the Privacy Framework on January 16, 2020. As per NIST, the Privacy Framework is intended to be widely usable by organizations of all sizes, regardless of their role(s) in the data processing ecosystem. It is also designed to be agnostic to any particular technology, sector, law or jurisdiction, and to encourage collaboration between different parts of an organization’s workforce, including executives, legal and cybersecurity.
- In India, NITI Aayog, alongside international bodies such as the OECD, is supporting emerging values frameworks covering bias mitigation, fairness and platform accountability.
- To raise awareness, industry bodies such as IEEE are conducting workshops and trainings.
I recently participated in the 16th Edition of the Annual Information Security Summit (AISS) by NASSCOM-DSCI, in which I spoke on the topic of Privacy Engineering along with other eminent speakers:
✅ Ivana Bartoletti, Global Chief Privacy Officer, Wipro
✅ Nitin Dhavate, FIP, CIPP(E), CIPM, CISSP, CISM, Country Head – Data Privacy, Novartis
✅ Ratna Pawan, Transformation Director – Risk Advisory, EY
✅ Tejasvi Addagada, Data Protection Officer – Axis Bank
You can watch the recording of the session below.
You can also read about the state of cybersecurity products and services industry in India in an interesting report here: DSCI report on ‘India Cybersecurity Industry’ launched by Secretary, Ministry of Electronics & IT
What are your thoughts about the state of privacy in India? Do let me know in the comments section.
Featured image credit: Acronis