With privacy now a board-level concern, some of the largest companies have added a new type of specialist to their workforce: the privacy engineer. Apple, Facebook and Google are among the companies staffing teams with these experts. They are just the start.
Privacy experts said more and more companies, including those outside of the tech sector, are hiring full-time privacy engineers or training existing developers on the principles of privacy engineering. This is in response to growing privacy concerns from regulators, executives and customers.
What is a privacy engineer?
A privacy engineer is a trained and skilled specialist who builds privacy into products and services at the technical level. This specialist can bring together the legal and compliance elements of privacy and work them into the organization’s systems as they are developed.
“The heart of it lies in ensuring that technical teams understand privacy principles,” said Caitlin Fennessy, research director at the International Association of Privacy Professionals and leader of its privacy engineering initiative. “It’s about building privacy into the technology, and that’s demanded now by both laws and by people’s expectations.”
Demand for privacy engineers and the discipline of privacy engineering has grown in recent years. The demand comes as organizations contend with more privacy-related laws and growing customer expectations around enterprise data. Organizations are also experiencing increased pressure to collect and access various types of data to drive digital services, automation and other competitive initiatives.
As a result, organizations need experts who understand regulatory restrictions, technology requirements and — perhaps most importantly — how they fuse together.
“Privacy engineering helps limit risk, and it also helps you get ahead of the legal landscape at a time when the legal landscape for privacy is changing so quickly,” Fennessy said. “If you start by designing privacy at the start of products and services, you’re able to stay ahead.”
Privacy as a priority?
Enterprise leaders are paying more and more attention to privacy.
ISACA’s “Privacy in Practice 2021: Data Privacy Trends, Forecasts and Challenges” noted: “Boards of directors generally recognize the importance of a strong privacy program. Hefty fines for violating privacy regulations have made headlines, and reputational harm from violating customer privacy can be irreparable.” The report further said privacy is not just a cost center, but that it can add value by driving customer trust.
However, the adoption of privacy is not as widespread as it should be. In surveying more than 1,800 of its constituents, ISACA found 52% of privacy professionals believe their board of directors adequately prioritizes privacy. The same report identified challenges facing enterprise privacy programs. Nearly 50% of respondents said they had inadequate privacy budgets, compared to 34% who said their privacy budgets were adequately funded.
While 64% cited poor training or a lack of training as a common privacy failure, 53% of respondents listed failure to perform a risk analysis as a fault, and 50% listed bad or nonexistent detection of personal information.
The evolution of privacy professionals
Privacy leaders said they expect those figures to improve as more organizations adopt privacy by design and add privacy engineers to their teams.
Such moves will help enhance enterprise privacy, said Lorrie Cranor, engineering and public policy professor at Carnegie Mellon University and co-director of the master’s degree program in privacy engineering.
“When companies first started hiring for privacy, they hired privacy lawyers. But they realized over time that there were a lot of privacy issues that they really needed to solve with technology and not just with policy,” Cranor said.
In response, organizations hired technologists with privacy expertise or hired security experts and trained them in privacy. Neither group fully understood the IT component — either how to use technology to address privacy concerns or how to build digital products and tech services.
Thus, privacy remained an afterthought at many organizations. Product teams and enterprise leaders would often wait until the end of the development cycle, when issues were most difficult to address, to consider security, experts said.
“That’s not ideal for incorporating privacy best practices because, by that time, the products have already been worked on for months and it’s too late for changes to be made. There’s too much pressure to move forward,” said Tyrone Jeffress, vice president of engineering and U.S. information security officer at digital consultancy Mobiquity.
The need for privacy engineers who can work privacy into systems earlier in the process finally became more apparent.
“Privacy engineering makes sure organizations are embedding privacy best practices and key principles into the design and development of their solutions,” Jeffress said.
Hiring privacy engineers will most certainly improve security, he said, but organizations can still better their privacy posture by training developers in privacy engineering even if they never advance into full-scale privacy engineers.
“You don’t necessarily need the privacy officer or a privacy expert in every development meeting, but you do need someone at the get-go who is a privacy champion,” he said.