Have you ever tried driving in a small European town? It’s not exactly easy. Those towns were built hundreds of years ago, and the streets are designed for foot traffic and the occasional horse, not 21st-century SUVs and commuter gridlock.
Medieval streets are maddening to navigate without modern urban planning principles; alleyways, one-way streets, and the all-too-frequent absence of street signs can make it difficult to find your way. Not impossible, but difficult.
Compare driving in these towns to driving on the highway. We built highways in response to changing transportation patterns in the U.S. They’re fast (most of the time), efficient (most of the time), and built with plenty of rest stops to help drivers along the way.
Privacy engineering is like our modern transportation infrastructure. It’s a framework to help businesses tackle modern problems, i.e. consumer data privacy.
As an emerging field, privacy engineering can sometimes sound like a corporate buzzword, but it’s genuinely helpful. So let’s talk about privacy engineering: what it is, how it works, and how it can intersect with your data privacy program.
What is privacy engineering?
Privacy engineering is a relatively new field at the intersection of data privacy and technology.
Privacy engineers work across numerous domains—software development, system design, data science, IT infrastructure, user experience design, and more—to incorporate data privacy into technology systems and products using the principles of “Privacy by Design.”
What are the core principles of privacy by design? They include:
- Being proactive, not reactive
- Being preventative, not remedial
- Making privacy the default setting
- Embedding privacy into design
- Providing full functionality regardless of privacy choices
- Ensuring end-to-end security
- Maintaining visibility and transparency
- Respecting user privacy
The goal of privacy engineering is to build solutions that proactively address risks related to the practices of data collection, storage, processing, sharing, and disposal in accordance with industry standards and privacy regulations.
Put in a more accessible way: this approach centers privacy as a fundamental requirement of system design, rather as an afterthought or added feature.
Data privacy vs. data security vs. privacy engineering
Privacy engineering, while its own field, has overlap with the broader data privacy and data security industries. Think of it this way:
Data privacy: How and why are we collecting data? What are we doing with it, who are we sharing it with, and how long are we storing it?
Data security: How can we secure data against bad actors, exposure, and threats?
Privacy engineering: How can we build a strong infrastructure to support data privacy and secure individuals’ privacy rights through the right software applications and best practices?
How does privacy engineering work?
Privacy engineering is about creating a system that supports privacy by design.
Privacy engineering helps to bridge the gap between legal and technical requirements, along with cyber security and the potential human interaction with sensitive data. Privacy engineers may help businesses:
- Develop technical solutions to mitigate privacy vulnerabilities
- Analyze software designs from a privacy perspective
- Improve software design or operating procedures
- Research and document system vulnerabilities
- Reduce future privacy risk via software development or iteration
Because their work impacts multiple domains within a business, privacy engineers typically work as part of product or design teams, as well as IT and security teams.
Is privacy engineering required by law?
Most privacy laws today functionally require some degree of privacy engineering, even if it isn’t always explicitly stated.
According to Article 25 of the EU’s General Data Protection Regulation (GDPR), organizations must address privacy “by design and by default.” Per Article 25, businesses must, amongst other things:
- Implement “appropriate” technical measures to implement data-protection principles.
- Integrate safeguards in the processing of data to protect the rights of data subjects.
- Build technical and organizational measures that protect data subjects’ rights into policies, processes, and products.
In practice, this requires that businesses marry legal requirements with some degree of engineering and system design.
(And just in case you’re wondering—the GDPR isn’t just for businesses based in the EU—if you target or sell to EU residents, then your business falls under the GDPR’s jurisdiction.)
On the other hand, U.S. laws don’t directly mention “privacy engineering,” or privacy by design principles, but that doesn’t mean the groundwork hasn’t been laid. For example, some state privacy laws, e.g., the California Consumer Privacy Act (CCPA, as amended by CPRA) and the Virginia Consumer Data Protection Act (VCDPA), require businesses to put data protection measures into place.
They also require businesses to implement privacy practices that are akin to privacy by design, such as data minimization (and having a valid business purpose to process the data), security, and user rights.
Can you get in trouble for failing to provide adequate privacy engineering or follow privacy by design principles?
Great question! While businesses won’t get slapped for “not privacy engineering,” there is precedent for fees and fines for privacy missteps that could have been avoided through it. Let’s look at some examples:
- Deutsche Wohnen SE: This German real estate company was fined €14.5 million in 2019 for violating the GDPR principle of privacy by design; their data archiving systems didn’t allow for obsolete personal data to be deleted, and they were found to be storing tenants’ personal information without verifying whether it was legal or necessary.
- Google: The tech behemoth faced multiple fines between 2019 and 2022, primarily due to insufficient consent and transparency in ad personalization products. This could be regarded as failures in implementing privacy by design.
- Vodafone Italia: Fined €12.25 million in 2020 for aggressive telemarketing practices and storing customer information with multiple flaws, indicating a lack of privacy-conscious system design.
What are the benefits of privacy engineering?
Avoiding fees and fines is a significant benefit of privacy engineering, but it’s not the only benefit.
Privacy engineering also supports a sustainable data privacy program. Investing in privacy engineering can:
- Improve operational efficiency
- Reduce the risk of human error
- Build a stronger understanding of data privacy requirements across the organization
- Reduce the risk of a data privacy breach
Privacy engineering supports a culture of data privacy within an organization, and proactively works to protect privacy rights. This all helps to build trust not only with your customers, but also with your employees.
How can my company integrate privacy engineering into its privacy program?
Modern roads aren’t built overnight, and neither is anything involving privacy engineering. But the difference is that with privacy, you don’t have to wait for a physical structure to be built. With privacy engineering, you can start implementing new policies and procedures right away.
- Conduct Privacy Impact Assessments (PIAs): Regularly perform PIAs to identify and mitigate privacy risks associated with business operations.
- Implement technical measures: Use privacy-enhancing technologies such as encryption, authentication, and access controls to protect sensitive data.
- Foster a privacy-centric culture: Promote a mindset where privacy is prioritized, including training employees and aligning privacy goals with business objectives.
- Collaborate across teams: Work with legal, compliance, and technical teams to ensure privacy considerations are integrated into all aspects of the business.
- Automate privacy processes: Invest in automation to manage data lifecycle processes, such as data deletion and access controls, to ensure consistent privacy protection.
- Monitor and review: Continuously monitor and review privacy practices to ensure they remain effective and compliant with evolving regulations.
Want to learn more about data privacy?
Red Clover Advisors is dedicated to simplifying privacy and working with businesses to build flexible, compliant programs that build consumer trust. Build up your privacy knowledge by checking out our downloadable resources on topics like privacy notices, AI governance, and cookie management. You can also join our newsletter below to stay on top of the latest industry news and data privacy developments. Learn more about our privacy operations services here.
2024 Privacy Checklist
Check out our Privacy Checklist for tips and practical guidance to establish a sustainable compliance program.