In honor of Data Privacy Day 2014, Enterprivacy Consulting Group is proud to announce the publication by our very own consultant, Jason Cronk, of a new white paper on Privacy by Design (PbD) and Privacy Engineering. Published by the Ontario Information and Privacy Commissioner’s office and coauthored with Commissioner Ann Cavoukian and Stuart Shapiro of the MITRE Corporation, the paper explores the burgeoning field of Privacy Engineering and how it is supportive of the 7 Foundational Principles of Privacy by Design.

The paper can be downloaded here.

This paper surveys the emerging discipline of privacy engineering. Privacy engineers require multidisciplinary knowledge and skills. To be effective, they need to have an understanding of both technical and non-technical considerations. Privacy engineers are tasked with managing risks. The paper reviews several risk models that they can adopt, some based on Fair Information Practice Principles and legal compliance, others stemming from user-centric harms and integrity of context. Privacy engineers must then apply systematic risk analyses, using tools such as privacy impact assessments, to measure and quantify identified risks. Finally, privacy engineers must design controls to mitigate those risks, including privacy-respecting architectures, effective privacy policies, and a range of data management methods including minimization, anonymization, aggregation, and the use privacy-enhancing technologies.

There is a growing understanding that innovation and competitiveness must be approached from a “design-thinking” perspective – namely, a way of viewing the world and overcoming constraints that is at once holistic, interdisciplinary, integrative, creative, innovative, and inspiring. Privacy, too, must be approached from the same design-thinking perspective. Privacy and data protection should be incorporated into networked data systems and technologies by default, and become integral to organizational priorities, project objectives, design processes, and planning operations. Ideally, privacy and data protection should be embedded into every standard, protocol, and data practice that touches our lives. This will require skilled privacy engineers and common methodologies and tools. This paper seeks to promote a broader understanding and deeper practice of privacy engineering.

Enterprivacy Consulting Group is dedicated to promoting the nascent field of privacy engineering and helping corporations embed privacy into their product and service offerings. If you have questions or your company needs help in this area, don’t hesitate to contact us.