The intersection of privacy by design and privacy engineering

Collecting and analyzing massive quantities of data has revolutionized enterprises, helping them reduce costs, streamline processes, minimize inefficiencies and improve customer experiences.

With these benefits, however, comes a major question: How do organizations use data, while simultaneously ensuring the privacy of their employees and customers?

"One of the objectives of privacy by design and privacy engineering is to provide technical and managerial safeguards to privacy, while enabling a high degree of utility," said William Stallings, author of Information Privacy Engineering and Privacy by Design.

The proactive processes of privacy by design and privacy engineering foster trust by integrating privacy into the development cycle, rather adding them on pre-deployment.

Compliance regulations are also changing the way privacy is approached. GDPR, for example, mandates privacy by design and privacy by default. CCPA does not explicitly require privacy-by-design practices, but organizations must identify personal data within their designs to ensure users are notified about data use.

With immense quantities of data, growing public concerns and stricter regulations, it's more important than ever for organizations to incorporate privacy into their development cycles.

Here, Stallings, who has more than 30 years of technical experience, discusses how privacy by design and privacy engineering operate together, who is responsible for implementing these processes, how organizations can balance utility and usability with privacy, and more.

Editor's note: This transcript has been edited for length and clarity.

How do privacy by design and privacy engineering operate together?

Click here to learn more about
Information Privacy
Engineering and Privacy
by Design by William Stallings.

William Stallings: Privacy by design is the keystone of information privacy management. It assures privacy features are designed into a system before implementation begins. It dictates how privacy is realized at every stage of the systems development lifecycle [SDLC]. Specifically, it involves privacy planning and policy, privacy risk and impact assessment, and the selection of privacy controls.

Privacy engineering covers privacy during the entire lifecycle of information and communication technology systems. This process ensures privacy is incorporated during system integration, privacy tests, evaluations, auditing and incident response. One company that is a leader in privacy engineering is the Mitre Corporation. Mitre developed a free privacy engineering framework and uses the same framework as the basis for its privacy work.

In the SDLC, privacy by design precedes privacy engineering. Privacy by design translates privacy requirements into an implementation plan. Privacy engineering, on the other hand, is the actual implementation, operation and maintenance.

How are these concepts different from how privacy was addressed in the past?

Stallings: The contemporary approach is much more systematic and complex. It borrows concepts such as risk analysis from information security. Two primary trends have converged. First, privacy regulations from government bodies, such as GDPR, and standards, such as ISO 27701, have spelled out more elaborate requirements and dictated specific technical and management approaches to satisfying these requirements.

Second, organizations, particularly midsize and larger organizations, have developed institutional privacy governance policies and personnel to develop privacy policies and procedures. Most organizations now have a chief privacy officer [CPO] and other full-time privacy employees.

As an indicator of the interest in privacy engineering, technology career site Dice.com has more than 400 job openings for privacy engineers as of November 2021.

What is required to change mindsets and achieve the goals of privacy by design and privacy engineering?

Stallings: A workforce with a high level of privacy awareness and appropriate privacy training is as important, if not more important, than any other privacy countermeasure or control. Organizations should have a comprehensive program consisting of four levels:

1. Awareness. This set of activities explains and promotes security, establishes accountability and informs the workforce of security news. Participation in security awareness programs is required for all employees.
2. Cybersecurity essentials. Intended to develop secure practices in the use of IT resources, this level is needed for all employees involved with any IT systems, including contractors. It provides a universal baseline of key security terms and concepts.
3. Role-based trainings. Provide the knowledge and skills specific to an individual's roles and responsibilities. Training helps personnel understand and learn how to perform their security role.
4. Education and certification. These integrate all the security skills and competencies of the various functional specialties into a common body of knowledge and add a multidisciplinary study of concepts, issues and principles.

Who is responsible for privacy by design? For privacy engineering?

Stallings: In midsize and large organizations, several people will hold responsibilities in this area. CPOs should have the authority to lead and direct their organization's privacy program. They must ensure compliance with all relevant privacy laws and regulations.

A data protection officer [DPO] has the responsibility to highlight any issues or concerns related to their organization's compliance with privacy regulations and laws. The DPO is typically responsible for performing internal audits and handling complaints.

The term privacy leader is becoming increasingly widespread. In general, a privacy leader is head of privacy compliance and operations. The privacy leader is responsible for developing, implementing and maintaining a privacy program to manage privacy risks, develop and evaluate privacy policies, and ensure compliance with all applicable statutes, regulations and policies regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personal information by programs and information systems.

How can privacy engineers ensure privacy is integrated without disrupting operations?

Stallings: A great deal of research and development has been done to address this issue. The NIST Computer Security Resource Center has a vast collection of documents widely used in industry. These documents include an extensive, well-described set of privacy controls, both computer-based and management-based, as well as documents for privacy engineers.

How can privacy teams quantify utility over privacy and vice versa?

Stallings: Utility and privacy are competing requirements. Any access of data that contains or is derived from personal data has the potential to leak important information. On the other hand, increasing privacy restrictions on information limits the flow of useful information. It is difficult to quantify utility or privacy on a common scale, and thus, more subjective measures must be used, such as by relying on user surveys and on the degree of perceived risk that has been reduced.

How can usability and privacy be balanced?

Stallings: Usability and utility are distinct concepts. Usability refers to the ease of use of privacy features. Utility refers to the functionality available for databases containing personal data with privacy protection in place. Both concepts need to be considered through the design, implementation and operation of IT systems containing personal data. Even more than with utility, usability can generally only be assessed by subjective measures. Again, privacy by design and privacy engineering best practices are intended to ensure a high level of both usability and privacy.

William Stallings

About the author
William Stallings has made a unique contribution to understanding the broad sweep of technical developments in computer security, computer networking and computer architecture. With more than 30 years of experience, he has been a technical contributor, technical manager and executive with several high-technology firms. Stallings has authored 18 textbooks and, counting revised editions, a total of 70 books on various aspects of these subjects. He holds a Ph.D. from MIT in computer science and a Bachelor of Science from Notre Dame in electrical engineering.