What is Privacy Engineering and how does it act as an enabler of Digital Innovation?

In different parts of the world, privacy laws have been in development over the last 50 years or so. But Privacy Engineering is a relatively new concept that is experiencing a rapid rise in relevance due to lots of changes all around, including but not limited to:

• In business models, data availability, modes of engagement
• In customer expectations and awareness
• Data privacy/protection regulatory landscape
• Increased regulations as a result of technological developments – IoT, AI, 5G, drones, biometric recognition, cryptocurrencies, and more.

In the light of digital transformation and the adoption of the latest technologies like the cloud, there is a separation in the rights of ownership, management, and usage of resources and this increases the risk to privacy. Hence, this climate of change begs for a climate of innovation.

There was a time when security was an afterthought – a secondary feature at the periphery of the design process. But today, the aim of Privacy Engineering is to bring security to the center of the design process. Let’s delve into the concept.

What is Privacy Engineering?

Privacy engineering?is a methodological framework of integrating privacy in the life cycle of IT system design and development. It operationalizes the Privacy by Design (PbD) framework by bringing together methods, tools, and metrics so that we can have privacy-protecting systems.?With the pandemic, digital innovation has become the need of the hour and thus, has brought PbD even more in the limelight. The goal of privacy engineering is to make Privacy by Design the de-facto standard for IT systems.

Different bodies have different definitions of privacy engineering, but the gist is the same – To address the complete lifecycle of individual privacy and not just during data storage and analysis. Privacy engineering incorporates a more holistic approach covering legalities, risk analysis, and user sentiment.

US-based National Institute of Standards and Technology (NIST) defines privacy engineering as “a specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII.”?The below image sheds more light on the objectives of Privacy Engineering:

Image Source:?https://ethics.berkeley.edu/sites/default/files/nist_8062.pdf

Privacy engineering, by making privacy an integral part of the designing and development process (SDLC), tries to reduce risks and to protect privacy at scale.

As per Gartner’s definition, “Privacy engineering is an approach to business process and technology architecture that combines various methodologies in design, deployment, and governance. Properly implemented, it yields an end result with both:

• Easily accessible functionality to fulfill the?Organisation for Economic Co-operation and Development (OECD) eight privacy principles?and,
• Mitigation against the impact of a breach of personal data by reimagining defense in depth from a privacy-centric vantage.

The process involves ongoing re-calculation and re-balancing of the risk to the individual data owner while preserving optimum utility for personal data- processing use cases.”

Thus, privacy engineering is the foundation of holistic privacy. It will help to build a structured framework and bring privacy as a mainstream concept for Organizations to focus on.

Privacy Engineering – bridging the gap between IT, Risk and Compliance, Privacy, Security, and Business

Privacy protection continues to be a very critical issue for individuals, businesses, and governments all across the globe. People in the form of consumers want personalized content and service deliveries, but at the same time they want privacy protections to be maintained at all costs and they expect organizations and businesses to take action to protect consumers and governments to protect citizens’ data.

A few common things that I believe are true regarding this scenario are:

• Consumers want transparency about how businesses are storing, processing, and utilizing their data.
• They are very concerned about how their personal information is used by advanced technologies like AI and any kind of abuse erodes their trust – completely.
• Many consumers don’t trust that private businesses will follow/have regulations and compliances in place to keep their data secure. So, they look up to their government to protect their data with laws, policies, and other enforcement mechanisms.
• Once the trust is lost, consumers take action to protect themselves and their data. They even switch companies or providers and move to the ones whom they trust can keep their data safe. Many terminate relationships with traditional and online businesses over data privacy.??

?With the advent of different privacy laws like EU’s GDPR and more, the framework has been formulated for Data Subject Access Requests (DSAR). Many privacy laws enable consumers to raise requests concerning their data and provide control in the hands of the consumers that they can take action if they are dissatisfied with how their data is stored, processed, or utilized.

Privacy engineering that bonds innovation with PbD, ensures that every IT system must provide the highest possible privacy to personal data. This increases the consumers’ trust that their data is safe because privacy has been ingrained in the system.

Pros and cons of Privacy Engineering

Privacy Engineering- helping the Digital Transformation programs

Digital transformation has become mainstream now. Organizations are embarking on this journey and realizing that if they don’t do it now, they will become redundant. This has given rise to a trend of adopting digital technologies. But this has also given rise to an explosion of data.

Privacy engineers play a very important role in Digital Transformation. They ensure that privacy considerations are integrated into product design. Privacy engineering results in better products increases customers’ trust and thus influences a company’s bottom line. Privacy by Design has gained importance more so with laws like IT Act, EU GDPR, etc. Experts have predicted that privacy will be an integral part of the technology revolution and those integrating privacy in the product lifecycle are doing the right thing and will succeed in the future.

Challenges associated with privacy implementation in organizations

The challenges to the implementation of privacy include and are not limited to the following.

• One can’t protect what one doesn’t know about. In most organizations, sensitive data is proliferated across different locations – on-premises, in the cloud, and with managed service providers. The challenge lies in locating the data, understanding where it originated from, and tracking it in a dynamic environment.
• For traditional, legacy systems, it is a challenge to bake data privacy into core system design.
• There is a tug of war between data privacy and data usability. It becomes difficult for organizations to find the right balance between usability and data privacy-protecting sensitive data without inhibiting business processes, is a matter of concern.
• There are no standards or best practices on how to integrate privacy into SDLC.

Best practices in privacy implementation in organizations

Best practices in privacy implementation are as follows.

• Do privacy impact assessment across the organization to understand the purpose of collecting personal data and processing activities undertaken.
• Across digital channels, cookie notices should be there to provide information about what and how cookies are used.
• Issue a privacy policy to the customers – this provides an easy-to-understand means to customers for principles of the organization.
• Trust framework should be there within layers across people, processes, and technology and I think that the

– People capabilities can be obtained with training, internal and customer privacy policies, data accuracy, entertaining customer request for Personally identifiable information (PII), and a holistic view of customer relationships.

– Process capabilities can be obtained with design changes to have privacy thinking at the core, data classification, maintaining CIA triad – confidentiality, integrity, and availability for personal data.

Moreover, customer consent plays a key role here. They can provide their data for better services, per their needs, provided you can create trust in them that their data is safe as an asset within the organization.

Being associated with ZNet Technologies, a leading distributor of?Acronis cyber-protection solutions?across the globe, I have seen that businesses manage security using a multitude of tools. These patchworks of tools make cybersecurity implementation a tiring and less-effective process. By integrating data protection and cybersecurity to protect systems, applications, and data, the risk from cyberattacks is reduced.

Businesses are more efficient when there is the automation of backup and recovery process, cyberattack prevention capabilities including ransomware anti-malware, virus scanning, patch management, vulnerability assessments, and more are taken care of from a single console.

Some recent developments in the Privacy engineering world

Privacy engineering, like the privacy profession, is a constantly evolving discipline. Efforts to address privacy using technical means are still scattered and disconnected.

• Privacy engineering guidelines have been created in 2019 by ISO: ISO/IEC TR 27550:2019 Information technology — Security techniques — Privacy engineering for system life cycle processes.?Click here to know more.
• NIST published Version 1.0 of the?Privacy Framework?on January 16, 2020. As per NIST,?The Privacy Framework is intended to be widely usable by organizations of all sizes, regardless of their role(s) in the data processing ecosystem. It also is designed to be agnostic to any particular technology, sector, law, or jurisdiction, and to encourage cross-organization collaboration between different parts of an organization’s workforce, including executives, legal, and cybersecurity.
• In India, organizations like the OECD and NITI Aayog are supporting emerging values frameworks, including bias mitigation, fairness, and platform accountability.
• For making everyone aware, workshops and training are being conducted by industry bodies like IEEE.

I had recently participated in the 16th Edition of the Annual Information Security Summit (AISS) by NASSCOM-DSCI in which I spoke on the topic of Privacy Engineering along with other eminent speakers:

? Ivana Bartoletti, Global Chief Privacy Officer, Wipro

? Nitin Dhavate, FIP, CIPP(E), CIPM, CISSP, CISM, Country Head – Data Privacy, Novartis

? Ratna Pawan, Transformation Director – Risk Advisory, EY

? Tejasvi Addagada, Data Protection Officer – Axis Bank

Source: DSCI

You can watch the recording of the session below.

Source: DSCI

You can also read about the state of cybersecurity products and services industry in India in an interesting report here:?DSCI report on ‘India Cybersecurity Industry’ launched by Secretary, Ministry of Electronics & IT

What are your thoughts about the state of privacy in India? Do let me know in the comments section.

Featured image credit:?Acronis

The post was first published on ZNetLive Blog.