The Emerging Role of Privacy Engineers

To keep up with legal requirements, reduce risk, and build trust, businesses are increasingly turning to privacy engineers. Privacy engineers help build products that harness personal data in a safe and efficient way that benefits both businesses and users.

As a career option, privacy engineering is relatively new. But the workload is varied, the money’s good (a yearly average of around $136,000, according to industry research), and protecting people’s right to privacy really matters.

To learn more about what privacy engineers do and how to become one, here are some highlights from Privado.ai’s recent webinar, The Rise of the Privacy Engineer, featuring the following senior privacy leaders:

• Nishant Bhajaria: Director of Engineering - Assurance and Trust at Meta (Facebook)
• Jay Averitt: Senior Privacy Product Manager/Privacy Engineer at Microsoft
• Roche Saje: Manager, Privacy Engineering at Meta (Facebook)
• Nandita Narla: Head of Technical Privacy & Governance at DoorDash

What Do Privacy Engineers Do?

Key takeaways:

• Privacy engineering encompasses a broad range of activities, including developing software, conducting technical reviews, and implementing privacy by design.
• The field of privacy engineering is evolving, and it includes people with diverse backgrounds—not just software or privacy-specific experience.
• Both privacy and engineering aspects are essential to the privacy engineer role.

"Privacy engineer… such an overloaded term that means so many different things in different contexts," said Meta’s Roche Saje.

“For most of my time in privacy, it's been really directly related to software engineering, like building privacy platforms,” Saje continued. “So in that respect, I would say maybe heavier on the engineering side with a deep love and care for privacy.”

Microsoft’s Jay Averitt recalls working alongside Saje at Twitter (now “X”). While Averitt and Saje were both privacy engineers, their day-to-day tasks varied considerably.

“We were doing sort of completely different things,” Averitt said.

“Roche was working more on doing privacy software development. I was working more on working with our engineering teams helping them do technical privacy reviews and ensuring that proper privacy controls were in place.”

But privacy engineering is not a vague or ethereal concept. DoorDash’s Nandita Narla proposed a core definition:

"Privacy engineering is the systematic application or inclusion of privacy requirements into the design, development, and operations of systems,” Narla said.

Why Has Privacy Engineering Become So Important?

Key takeaways:

• Regulatory changes like the passing of the EU General Data Protection Regulation (GDPR) have significantly influenced the privacy engineering landscape.
• Regulations act as a motivator for companies to invest in privacy.
• Privacy engineering evolves in response to regulatory requirements—but privacy engineers can add value over and above legal compliance.

"When I first got into privacy it was pre-GDPR ‘launch date,’ and that was the primary driver of the privacy work that my team was doing,” recalled Roche Saje.

“That is a huge motivator for companies to put their money where their mouth is and actually get some privacy done,” she continued.

Laws like the GDPR and the California Consumer Privacy Act (CCPA) might have been the seed from which the “privacy engineer” role grew.

“GDPR certainly began the creation of privacy engineering as we know it,” suggested Jay Averitt.

But while regulation might have driven investment, privacy engineering is not all about meeting legal obligations.

“I don't look at just what regulations call for,” Averitt said. “I look at: ‘How can we make the user experience better?’”

Are There Privacy Engineering Certifications?

Key takeaways:

• Formal training and certifications are available for those seeking structured learning in privacy engineering.
• Certifications can be a good starting point for breaking into privacy engineering, especially if you’re supported by employer reimbursement—but they aren’t essential.
• Experience remains important. Employers are unlikely to hire a privacy engineer based solely on their qualifications.

Looking to get started in privacy engineering, or level-up the technical side of your privacy skills? Privado.ai and Nishant Bhajaria’s Technical Privacy Masterclass provides 26 lessons and over 2 hours of video content—for free.

While privacy engineering is still a nascent field, several educational and industry bodies do offer relevant certification programs.

“Carnegie Mellon has a privacy engineering certificate program,” said Nandita Narla. “ISACA and IAPP both have their technical privacy certification.”

But certifications alone are not enough to get a foot in the privacy engineering door.

Job descriptions and hiring managers are not looking for those certifications,” Narla cautioned. “You will not get a job based on that certification.”

Nonetheless, certifications can be helpful for privacy engineering newcomers.

“If you're trying to learn about privacy—and specifically privacy engineering—and you are somebody who likes the structured program, who wants to take a test at the end, I would say certifications are not bad place to start,” said Jay Averitt.

How Do You Get Started as a Privacy Engineer?

Key takeaways:

• Privacy engineering is accessible to people from all sorts of professional backgrounds.
• Non-technical skills, like program management, can be highly valuable in privacy engineering.
• Volunteering for privacy-related projects or roles can be a good stepping stone into the field.

"Our job on this panel is to get more people excited to come in and help us address these problems,” said Facebook’s Nishant Bhajaria.

Bhajaria recalls the defining moment with a previous employer, WebMD, that focused his energies on privacy engineering.

“I realized that customers were sending us spreadsheets with PII (personally identifying information) without any kind of privacy protection. And I started writing macros to strip out PII.”

Nandita Narla discussed how a person could get privacy experience without leaving their current role.

“How do you get experience if you’ve never done privacy before and, and all of the jobs are asking for five years or six years of privacy experience?” Narla asked.

“Maybe do a 20% rotation with the privacy team. Find adjacent roles, like TPRM (third-party risk management) or security teams that are working on privacy projects, and volunteer to be part of those,” Narla suggested.

Can You Pivot into Privacy Engineering From Another Profession?

Key takeaways:

• Privacy engineering is relatively new, and most privacy engineers began their careers in other professions.
• Skills from other roles in domains such as security or data governance are transferable and highly-valued in privacy engineering.
• Regardless of your background, a passion for privacy and a willingness to learn are critical for making a successful transition.

"What would the journey be for a privacy professional with a non-tech background to dive into privacy engineering?" asked Nishan Bhajaria.

"I've definitely worked with a lot of incredibly talented privacy engineers who don't have a software engineering background,” said Roche Saje. “It might be like a program management role or a product management role.”

“None of that requires previous either engineering or privacy background,” Saje said.

“Don't eliminate yourself from a job just because it has the word ‘engineer’ in it,” Jay Averitt suggested. “Because you don't know what privacy engineering means to that company.”

How Can Privacy Engineers Demonstrate the Value of Their Work?

Key takeaways:

• Privacy engineers should emphasize how privacy engineering adds value within their organizations.
• It’s important to build relationships with other teams to demonstrate how privacy can enhance products and services.
• Privacy engineers should aim to change the perception of privacy engineering from being a compliance necessity to a strategic business advantage.

Privacy is increasingly recognized as a “value add” rather than a hindrance. Privacy engineers are perfectly positioned to demonstrate the benefits of embedding privacy in an organization.

“If something is a privacy issue, there's a good chance it's also going to be affecting somebody else in the business,” said Nishan Bhajaria. “So don't make it all about privacy. It's okay to talk about first principles.”

Privacy teams can help solve problems across many departments.

“Every time I see somebody's face twice, I pop 30 minutes on the calendar and ask them, ‘How can I help? What's troubling you? What does your team care about?’ said Saje.

Jay Averitt argues that privacy features can also appeal to end users.

“Let's get this feature out, but let's show all the cool privacy features that are also embedded in this feature. So it'll just delight the user when they're using it,” Averitt said.

What’s the Future of Privacy Engineering?

Key takeaways:

• The field of privacy engineering is expected to grow and evolve, particularly with the increasing importance of privacy from compliance, risk management, and public relations perspectives.
• Future developments in privacy engineering might include more formalized training and certifications.
• Privacy engineering is increasingly seen as an essential way to adapt to changing technologies and privacy concerns.

Regulations are getting more demanding, and individuals are becoming privacy risk-aware. But personal data remains a powerful resource for many businesses.

Expect companies to continue turning to privacy engineering as a practical way to reconcile these tensions.

“I think that compliance is inherently reactive, and it is the bare minimum,” said Nandita Narla. “Unfortunately, most companies are indexing just on compliance.”

“But solving for privacy and being proactive and respecting users—building products that respect users—actually future-proofs products that you're building against evolving requirements from regulators and meeting customer expectations,” Narla said.

Further Resources

Privado.ai provides tools, resources, and guidance for privacy and engineering professionals.

• Privado.ai and Nishant Bhajaria’s free Technical Privacy Masterclass: 26 lessons and over 2 hours of content.
• Our ebook about how privacy code scanning helps operationalize privacy for engineering
• Join Privado.ai’s Privacy Engineering Community to meet privacy engineers of all levels of experience.

Interested in privacy engineering training and certifications? Here are some of the qualifications and course referenced by the panelists:

• Carnegie Mellon University: Privacy Engineering Program
• Internation Association of Privacy Professionals (IAPP): Certified Information Privacy Technologist (CIPT)
• ISACA: Certified Data Privacy Solutions Engineer (CDPSE)

FAQs

What is the role of a privacy engineer?

A privacy engineer applies privacy to product design. They design, create, and analyze software to mitigate privacy risks and vulnerabilities. A privacy engineer helps apply privacy by design in numerous technical and organizational contexts.

How can I become a privacy engineer?

Privacy engineering is still relatively new, so there are many different routes into the industry. Courses such as Privado.ai’s Technical Privacy Masterclass and the IAPP’s Certified Information Privacy Technologist (CIPT) certificate are a good starting point. To build experience, seek opportunities to work on privacy-related projects in your workplace.

What are the KPIs of privacy engineers?

There’s no industry standard set of privacy engineering KPIs, but they should measure the effectiveness and efficiency of a company’s privacy program, including factors such as:

• Privacy rights:  How quickly can we respond to requests concerning personal data? How many people are happy with the responses we provide?
• Data governance: Do we have oversight of all our sources and recipients of personal data? Have we reduced the volume of personal data we handle by cutting out unnecessary data collection?
• Third party-risk: Have we conducted due diligence on any third parties receiving personal data from our organization? Do we have appropriate agreements in place with vendors that handle personal data on our behalf?