TrustArc Blog

Using Privacy Engineering To Make Your Company More ‘Likeable’

March 31, 2015

By Alexandra Ross, The Privacy Guru

Last week I had the pleasure of speaking at the Privacy Innovations & Technology event, “Demystifying Privacy Engineering” hosted at the TRUSTe offices. In a lively session, we discussed the basics of Privacy by Design (PbD) and Privacy Engineering, including examples of how to implement Privacy Engineering, career opportunities as a privacy engineer, and how Privacy Engineering can be used as a competitive advantage.

 

At this year’s SXSW, Deepti Rohatgi, head of policy at Lookout, a cybersecurity company, encouraged developers to think about privacy as a product. Lookout, which offers an open source privacy policy generator, believes in the measurable impact of privacy engineering. Lookout recommended A/B testing of thoughtfully designed privacy policies and features, and encouraged the use of privacy engineering to increase customer trust and a company’s overall “likeability.”

Should this idea be revolutionary? Perhaps not, but it’s a departure from how many developers and tech executives regard privacy practices. The era of “bolt on” and stop-gap privacy patching is coming to an end. The stakes are high, as users are growing increasingly more aware of privacy issues.

What Is Privacy Engineering and Why Does it Matter?

Privacy Engineering is a method for implementing Privacy by Design principles using engineering methods. It’s been said that privacy engineering provides the “how” – a methodology for inclusion and implementation of privacy requirements as an integral part of systems engineering.

The drive for innovation often overlooks privacy. Privacy engineering can bridge the gap, shedding light on where the crucial concepts of PbD and innovation must be reconciled. Privacy engineering is not only an insurance policy against costly lapses in privacy compliance—it also helps companies build more robust products users can trust. Wired Magazine’s recent article The Privacy Revolt: The Growing Demand for Privacy-as-a-Service should help underscore the point: Privacy engineering is not a competitive advantage for the distant future. The future is right now in terms of customer demand.

As noted in the article:

“No matter what market you’re in, no matter what service you provide or product you sell… from right now until the end of time, you’re in the privacy game. Welcome.”

 

How Do We Implement Privacy Engineering?

Though it depends on the maturity and structure of each organization, engineers and legal teams must work together to incorporate effective PbD principles into the development and product review cycle. This involves keeping policy and implementation in alignment, and planning for ongoing compliance beyond the initial launch.

One tool is the Privacy Impact Assessment (PIA), which defines the objectives of the system in terms of privacy risk analysis. This Privacy Engineering Whitepaper from the Information and Privacy Commissioner of Ontario includes a discussion of the core steps of a PIA. It also discusses the concepts of data minimization, obfuscation, abstraction, aggregation and integration of user controls. These design strategies are the “how” and point developers to tangible requirements they can incorporate into the design and development of products.

Marketing teams also need visibility into privacy engineering implementation and can perform a valuable role in understanding attitudes about privacy. A recent article in Marketing Land, “Marketers’ Balancing Act Between Value And Privacy” provides a compelling view of the need for technology that is privacy-conscious by default and explains how privacy is a complex, personal issue for users.

 

Where Do We Find Privacy Engineers?

You’re not the only one with that question. The White House has also been on the hunt for privacy-minded technology professionals, and they’ve found them in the private sector. Demand for privacy engineers will continue to rise.

As Ann Cavoukian, former Privacy Commissioner in Ontario, Canada has said:

“To embed privacy by design into all things involving information technology, we will need to have privacy engineers, of which there are currently very few.”

Fortunately, there are institutions working to expand the profession, including Carnegie Mellon’s Master of Science in Information Technology-Privacy Engineering program.  The MSIT-PE degree is a one-year program designed for computer scientists and engineers who wish to pursue careers as privacy engineers or technical privacy managers. A detailed list of privacy engineering skills can be found on the Carnegie Mellon website and are aligned closely with PbD principles for privacy engineers (PDF).

Privacy engineers are privacy champions! We thank you for your great work!