How to Build a Privacy Engineering Team
Privacy engineering is an emerging field. With advancements in privacy-enhancing technology and an increasingly complex regulatory environment, businesses are realizing the benefits of having privacy engineers on their teams.
However, the role still needs to be more clearly defined and better understood. Privacy engineers should consider how they can best use their skills, explain what they do, and demonstrate the value that privacy engineering brings to a business.
Privado.ai brings together some of the leading figures in privacy engineering to offer guidance and insights from their day-to-day work.
- Nishant Bhajaria: Director of Engineering - Assurance and Trust at Facebook
- Mira Olson: Privacy Architect at Doordash
- Pramod Raghavendran: Director of Privacy and Data Protection at Coinbase
- Ellen Nadeau: Engineering Manager, Privacy Engineering and Data Protection at Cruise
- Aaron Weller: Leader, Global Privacy Engineering Center of Excellence at HP
The panel provides actionable advice on:
- The main roles and responsibilities in privacy engineering.
- How privacy engineers can find their place within an organization.
- Measuring and proving the value privacy engineers bring to a company.
- Creating strategies to overcome challenges in privacy engineering.
The Main Roles and Responsibilities in Privacy Engineering
- Privacy engineering involves identifying and mitigating privacy risks, often requiring collaboration with legal and engineering teams.
- Privacy engineering encompasses a broad range of roles and responsibilities, from advisory services to proactive involvement in product design.
- Effective communication is essential in privacy engineering to facilitate collaboration and understanding across the whole organization.
Privacy engineering is a broad discipline, and different professionals take very different approaches to the work.
“Privacy engineering has become an overloaded term that can mean a variety of things,” said Coinbase’s Pramod Raghavendran.
“On one end are the people that work with other engineering teams and product teams and provide advisory services from a privacy standpoint,” Raghavendran explained.
“The other end of the spectrum is where you have software engineers building solutions that forward privacy along,” he continued.
Mira Olson from Doordash gave a coincidental explanation of her role.
"My scope of work is really identifying and solving for privacy risk and mitigating that risk for the business," Olson said.
“As an architect, I don't code, I'm not building the tools—but I am working with legal stakeholders, engineering stakeholders, internal and external-facing (teams) to understand legal risk, compliance requirements, internal policies, and ensure alignment with the tools that we're building.”
Cruise’s Ellen Nadeu explained that her company has two privacy sub-teams that are divided according to their roles and responsibilities: “Privacy Engineering Services” and “Privacy Infrastructure.”
“Privacy Engineering Services is the more consultative arm: Reviewing new features, new data processing, new applications… Delivering requirements, developing the playbooks for new markets—the proactive guidance and standards,” Nadeu said.
“And then we have Privacy Infrastructure. That's the team of security software engineers that are building out tooling and platforms to help us achieve our objectives.”
HP’s Aaron Weller argued that an important role for privacy engineers is to ensure their organizations can be agile and responsive.
“How do we build out the tools and the systems that will allow us to be compliant with laws that don't even exist yet? To build that flexible structure so we can manage risks and not have to run around like a lot of us did with GDPR...?”
For Weller, an overall goal is to build a “flexible engineering platform” that allows the organization “to adapt as the business changes, and the external environment changes too.”
The Place of a Privacy Engineer Within an Organization
- Privacy engineering functions vary significantly across companies, influenced by factors such as the company's lifecycle, privacy posture, and structure.
- The location of privacy engineering within a company (for example, under legal or engineering departments) impacts how privacy engineers are perceived and how effective they can be.
- A federated “Privacy Champions” program can help embed privacy across multiple departments, spreading privacy awareness and encouraging privacy advocacy.
Privacy engineers know that every team has a role to play in protecting personal information and privacy rights. So while privacy engineers might sit in a specific department, they can also have a presence across the whole organization.
“We have a central privacy team, but we also have distributed privacy teams, including engineering capabilities in business units,” said Aaron Weller.
Weller argues that, because of their broad skill sets, privacy engineers can act as intermediaries between different departments.
“I've redone the ‘hub and spoke’ model, where my team is a lot of those spokes that provide that translation between the legal guidance and what the engineers actually need,” he said.
But a privacy engineer can’t be everywhere at once.
“We're only a handful of individuals, and we have an endless need for more privacy resources or privacy advocates,” said Mira Olson.
One way to distribute privacy-conscious people across an organization is via “Privacy Champions.”
At Uber, Olson described Privacy Champions as a kind of privacy “first port of call,” providing quick answers to privacy questions and pointing people in the right direction.
“We're actively trying to build Privacy Champions in other orgs, individuals that can serve as that resource within their team,” Olson explained.
Ellen Nadeau described how privacy engineers are situated within the wider organization at Cruise.
“The privacy engineering crew sits within the security org, and then we work very collaboratively with privacy legal,” said Ellen Nadeau.
“We're really partnering with other teams, and they're actually doing the work implementing,” she continued.
Pramod Raghavendran agreed that privacy engineers and legal professionals often see eye-to-eye.
"There is a fundamental alignment between a privacy engineering team and a legal team in terms of the outcomes they want to achieve," he said.
Demonstrating the Value of Privacy Engineering
- It’s essential that privacy engineers demonstrate the value proposition of privacy engineering and show how privacy engineering prevents potential privacy issues.
- Privacy engineering goes beyond mere compliance and involves integrating privacy into the broader business and technology strategy.
- Different companies view privacy differently: As a compliance requirement, a trust factor, or even a product differentiator.
A key privacy-by-design principle is to be “proactive, not reactive”. Privacy engineers solve problems before they arise.
Preventing fires is obviously better than fighting fires. But, firefighters tend to get more credit than the health and safety officers that install smoke alarms.
"I think one of the challenges when it comes to privacy engineering is proving the value proposition,” said Facebook’s Nishant Bhajaria. “How do you make the case that something would have been worse if not for you?"
The solution, Bhajara says, is to “build techniques, communication methodologies, and metrics” that demonstrate that privacy engineering is working. But how?
Ellen Nadeau suggests working with your company’s research team.
“If you have a research team at your company that's actually conducting research with customers, are you able to work with them to include questions about how your customers see privacy-related topics?” Nadeau said.
“You're demonstrating that customers want this level of trust with your company and the products and services that you're offering.”
Aaron Weller discussed how privacy engineers can demonstrate their value by helping their organizations work with existing datasets.
“We've collected a lot of data over the years. For some of it, we have constraints on how we can use it,” said Weller.
“We might be able to use privacy-enhancing technologies and other ways of transforming that data where we're not breaking the original data set, but we're saying, ‘Hey, if you use this version of it, we can actually do more with the data you've already got,’” Weller proposed.
Mira Olson argued that demonstrating value partly comes down to attitude
“When teams hear ‘legal’ or ‘compliance,’ they hear ‘blocker,’” Olson said. “So if we can instead be an ally and gain their buy-in, then it's just going to be an easier process throughout.
Overcoming Challenges in Privacy Engineering
- As noted, a significant challenge in privacy engineering is proving the effectiveness and necessity of the work in preventing privacy issues.
- Privacy engineering requires a balance between reactive measures (addressing immediate privacy concerns) and proactive strategies (incorporating privacy in the initial stages of product development).
- Companies approach privacy differently, creating unique challenges for privacy engineers as they adapt to organizational culture.
To succeed in the role, Aaron Wells believes that privacy engineers should try to influence their organization’s culture in the long term. But they also need to respond to risks and incidents as they arise.
"There's a little bit of reactive in privacy, and there's a little bit of proactive,” Wells said. “What can we do today, with the things that we are building, to really help build privacy into the way people think—not just about the code, but also the user experience?"
A key challenge for privacy engineers is adapting to the culture of their organization—which can vary considerably between companies.
"There are some that think about privacy as a compliance checkbox... Whereas other companies think about privacy more through the lens of customer trust or even as a product differentiator," Pramod Raghavendran said.
“The stage of the company also matters, and the type of company or the domain that you operate in,” he continued.
“If you operate in the health space, or if you operate in the child product space, privacy is kind of an inherent part of what you're building. But with many other businesses, you typically start with the compliance lens and then perhaps transition into some of the more mature aspects of privacy along that spectrum.”
Overall, privacy engineers will succeed if they can find a way to integrate themselves across as many areas of the organization as possible.
“Please don't think of yourself as a central team that's either a moderator or a master,” advised Nishant Bhajaria. “Your job is to be co-collaborators, consultants, facilitators.”
Privado.ai provides tools, resources, and guidance for privacy and engineering professionals.
Robert is a writer covering privacy, security, and AI. He is a respected voice on privacy and has covered and has been working in the field since 2017.
Privacy by Design