What is privacy engineering?
Every company is digital and data-driven, and with that comes an increased risk of sensitive information being exposed, exploited, or mishandled. New tools, processes, and workflows are necessary for adapting to this new reality. Privacy engineering is one solution gaining attention.
Privacy engineering is the systematic application of engineering concepts to prioritize and protect personal information. Best practices incorporate a framework-driven approach, built on a hybrid foundation of legal, governance, security, data science, and discretionary ethics.
MITRE, one of the U.S.’s leading public interest innovation firms, has developed an internal conceptual framework for privacy engineering. The objective of the framework is to translate an organization’s “privacy principles, policies, and procedures into actionable engineering requirements applicable to the focus of the system.”
A successful privacy engineering program will mitigate the risks that accompany the collection, use, and dissemination of an individual’s personally identifiable information (PII).
So how can companies begin implementing a comprehensive and effective privacy engineering strategy? Here’s a deeper look into the topic.
The importance of privacy engineering
There are two equally important stakeholders for a privacy engineering program — the first being business teams and applications that need access to the information, and the second being the customers whose personal data is being used. Business and customer privacy use cases are increasingly blending together.
A mix of policy, public awareness, and increased cybersecurity risk is driving the need for privacy engineering from a practical standpoint. While cyberthreats have always been a concern, the rate of change is accelerating, and with it the cost of combating them, according to McKinsey.
Emerging legislation will inevitably influence how companies develop, market, and sell products.
Privacy itself has many functional use cases within engineering and product development initiatives, across a range of industries. Ultimately, getting privacy right is a critical part of earning trust with prospects and customers. Negative public sentiment poses risks including costs resulting from damage, loss of trust, and fines from potential data breaches.
“Trust is the basis for almost everything we do. It’s the foundation on which our laws and contracts are built,” write Frances X. Frei and Anne Morriss for Harvard Business Review. “It’s the reason we’re willing to exchange our hard-earned paychecks for goods and services, to pledge our lives to another person in marriage, and to cast a ballot for someone who will represent our interests.”
Privacy engineering puts businesses at the forefront of positive values, trust, and relationship building. With this foundation, businesses become stronger, more resilient, and more forward-facing, overall.
How privacy engineering works
To be successful, privacy engineering programs must connect to a company’s core business model. It’s about empowering customers, employees, and other stakeholders with control over how their information can be used and shared. Perspectives from regulators are incorporated into systems by design.
Privacy engineering requires direct, decisive, and informed leadership. That’s why the field is becoming more specialized, with some companies choosing to hire a dedicated privacy engineer. Example responsibilities include:
Minimizing unnecessary data collection
Detecting potentially personal data
Keeping track of privacy and compliance legislation
Building a privacy-first culture through ongoing education throughout the organization
Developing paths to implementing solutions
Guiding engineering teams through product development
Conducting technical and policy reviews, such as privacy impact assessments (PIAs)
Responding to incidents and establishing paths to remediation
On a practical level, privacy engineers are responsible for driving stakeholder alignment across business and technical teams. In some situations, privacy engineering will require a direct line of communication with a company’s C-suite and general counsel.
Privacy engineers are responsible for establishing best practices and sourcing resources for support. Relevant solutions may include a mix of applications, tools, or frameworks that have been developed by think tanks and standards organizations. Examples include:
Since the 1980s, the Organisation for Economic Co-operation and Development (OECD) has been developing recommendations to manage the free flow of data across borders. The organization has developed a set of privacy guidelines as a foundation for the protection of individuals.
MITRE, a long-running leader in security and human privacy, has published a table that describes how the OECD guidelines translate into practical objectives for systems engineering teams.
Academic researchers are continually developing privacy engineering frameworks such as SIED (Specification, Implementation, Evaluation, and Dissemination), which targets the overall privacy engineering and design process.
Privacy engineering best practices vary between organizations. One way to assess a company’s roadmap is to browse open job descriptions on systems engineering, legal, and governance teams.
The benefits of privacy engineering
Beyond strengthening trust with the public, customers, and other stakeholders, privacy engineering enables companies to tap into new business opportunities. With better control of data access and visibility, organizations can gain access to new data sources for building products and services at scale. Additional benefits include the following:
Products and services may remain relevant in the market, longer, due to keeping pace with — or potentially staying ahead of — legislation.
Organizations are better equipped to navigate compliance processes with more expediency and efficiency.
AI/ML teams can gain access to datasets that may have otherwise been unavailable.
AI/ML models have the potential to become more precise and successful due to improved data accessibility.
Researchers can more easily collaborate across institutions, without the risk of exposing private information.
By better aligning with customers and regulators, privacy engineering can open doors for additional business opportunities by enabling access to existing data sets that may be siloed due to their sensitive nature.
Privacy engineering enables new opportunities for innovation, especially in industries with sensitive or heavily regulated data. Companies can conserve costs and expedite research and development (R&D) by reducing compliance friction. This R&D speed is essential to solving some of the biggest challenges of our time.
Privacy engineering use cases
Privacy engineering isn’t just a tactical need. It’s the basis for an emerging economic movement based on a fundamental respect for human rights. In the years ahead, we are likely to see the emergence of new business models supporting the privacy-driven economy. Here are a few signals we’re watching.
Technology companies are looking for ways to enable broader and faster access to data while maintaining customer trust and privacy. Similar to the use case for enabling immediate developer access to anonymized data, building processes for faster data access and experimentation is viewed as a competitive advantage when bringing new services and features to market.
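Two of the responsibilities listed earlier (minimizing unnecessary data collection and detecting potentially personal data) and the anonymized-data access use case just described are easier to picture in code. The following Python is an added example written for this page; it is not code from the article, from MITRE, or from any vendor it mentions. The regular expressions, field names, allow-list, HMAC key and sample records are constructed assumptions, and keyed-hash pseudonymization is one common choice rather than anything the article prescribes.

```python
"""Added example (not from the original article): detect likely PII in
records and produce a minimized, pseudonymized copy for developer access.
All patterns, field names, keys and sample records below are constructed."""
import hashlib
import hmac
import re
from typing import Any

# Patterns for common direct identifiers (US-centric and illustrative only).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
}

# Constructed sample records: free-text "notes" is where PII hides unexpectedly.
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "email": "alice@example.com", "city": "Oslo",
     "notes": "call me at 555-867-5309", "card": "4111 1111 1111 1111", "plan": "pro"},
    {"user_id": "u-1002", "email": "bob@example.org", "city": "Lima",
     "notes": "SSN on file: 123-45-6789", "card": "", "plan": "free"},
]

# Fields a downstream team actually needs (data minimization); all others are dropped.
ALLOWED_FIELDS = {"user_id", "city", "plan"}
# Identifiers still needed as join keys: pseudonymized rather than dropped.
PSEUDONYMIZE_FIELDS = {"user_id"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs the card regex matches."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect_pii(text: str) -> dict[str, list[str]]:
    """Return {category: [matched strings]} for every pattern found in text."""
    found: dict[str, list[str]] = {}
    for name, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if name == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            found.setdefault(name, []).append(value)
    return found


def scan_record(record: dict[str, Any]) -> dict[str, dict[str, list[str]]]:
    """Report PII per field, including fields nobody expected to hold PII."""
    return {f: hits for f, v in record.items()
            if isinstance(v, str) and (hits := detect_pii(v))}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash: stable per key, so tokens join across tables, but not
    reversible without the key. The "tok_" prefix marks the value as a token."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize_record(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Keep only allow-listed fields, pseudonymizing the identifiers among them."""
    out: dict[str, Any] = {}
    for field in ALLOWED_FIELDS:
        if field in record:
            value = record[field]
            if field in PSEUDONYMIZE_FIELDS:
                value = pseudonymize(str(value), key)
            out[field] = value
    return out


def release_dataset(records: list[dict[str, Any]], key: bytes) -> list[dict[str, Any]]:
    """Minimize every record, then re-scan the output before handing it to developers."""
    released = [minimize_record(r, key) for r in records]
    leaks = [scan_record(r) for r in released]
    if any(leaks):
        raise ValueError(f"PII survived minimization: {leaks}")
    return released


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print("PII found:", scan_record(r))
    print("Released:", release_dataset(SAMPLE_RECORDS, b"constructed-demo-key"))
```

The release step re-scans its own output instead of trusting the allow-list alone, which is the check a privacy engineer wants in place: the detector is the same one that flags PII in raw data, so a field added to the allow-list by mistake is caught before developers see it. The HMAC key has to be handled like any other secret, since anyone holding it can recompute the token for a known identifier.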
Financial companies are interested in creating marketplaces where algorithms can be developed on freely available synthetic data, and then sold or licensed to financial institutions that have access to the real data.
Health-tech companies are looking for ways to enable information sharing and monetize data while protecting the privacy of their patients, and minimizing biases that could be inadvertently learned by algorithms trained on shared datasets.
Privacy is the foundation for everyday people to control their data — specifically, how information can be used or shared. Many companies are building their business model on this concept. Examples include Signal, DuckDuckGo, and Medium (which explicitly makes revenue from subscriptions, and does not sell users’ personal information).
Final thoughts
Privacy engineering is about making privacy an engineering problem — built into the fabric of developer code and workflows, and as a result one that can be automated and scaled in the same way we have scaled building software.
While many of today’s successful privacy programs rely on manual and time-consuming processes, the effort required to continue to scale privacy, even at the most successful tech companies in the world, requires more automation and a new way of thinking.