Top 20 Privacy Engineering Resources
I am often asked about how and where people can learn more about privacy engineering and technical privacy topics. So, I recently compiled a list of my favorite privacy engineering resources and posted that to LinkedIn. Because there was so much interest in that post, I thought it only made sense to write an article that gives more context as to why I recommend each resource. Well, I wrote that article, which will soon be published by Privado. I hope that you find it helpful and that you share these resources with others seeking to get into privacy.
Courses
Technical Privacy Masterclass
Organization: *Privado.ai
Instructor: Nishant Bhajaria, Privacy Engineering Leader; Author of Data Privacy: a runbook for engineers; and Advisor to Privado.
Who is it for? Privacy Engineers, DevOps, TPMs, Privacy Operations
Cost: FREE
Time to Complete: 2.5 - 3 hours
Certificate of Completion: Yes. Certificate awarded if the student completes the course and quiz questions.
Certification Available: No. However, upon completion of the course, you will receive a certified credential that you can add to your LinkedIn profile to prove completion
Reason for Recommendation: Nishant does an excellent job of distilling down wisdom gained from his many years in privacy engineering in this engaging and strategic course. First, he makes the case for how privacy & security can enable engineering and reduce costs by building a Proactive Privacy Program. Second, Nishant details effective approaches for tackling common privacy engineering problems with illustrative use cases (e.g., data inventory & classification, technical privacy reviews & privacy code scanning); Then, he lays out the ways to successfully build privacy tools & infrastructure (e.g., DSAR & rights management, consent management, & building a 'Privacy Center'). Lastly, Nishant demonstrates how to scale & mature a Technical Privacy Program (e.g., KPIs, governance & maturity)
Modules and Topics:
- Introduction to Technical Privacy: Move Fast with Privacy; Why Privacy Is Hard; and, Making Privacy a Business Enabler
- Building a Proactive Privacy Program: Data Governance == Data Classification + Data Inventory; Technical Privacy Reviews; and Privacy Code Scanning
- Building Privacy Tools into Infrastructure: DSAR & Rights Management; Consent Management; Building a Privacy Center
- Scaling and Maturing a Privacy Program: KPIs: Governance and Maturity; Making Privacy work for Engineers; and, Making Privacy work for Customers
- Bonus: Accidental Privacy Engineer, Nishant’s Journey & Stories
Our Privacy Opportunity
Organization: OpenMined.org
Instructors: Andrew Trask, Founder and Leader at OpenMined, Senior Researcher at DeepMind, and PhD Student at the University of Oxford; and Emma Bluemke, PhD, Research Manager at Centre for the Governance of AI.
Who’s it for? Anyone interested in a holistic socio-technical approach to today’s privacy problems and the key privacy enhancing technologies that data scientists can leverage for sharing and using data in a privacy-preserving way
Cost: FREE
Time to Complete: ~8 hrs for the online modules + additional time if submitting for certification
Certificate of Completion? Yes, but only if you complete and pay for the full certification process. There is no certificate of completion for just completing the online course modules.
Certification Available? Yes. Certification is available for free if you complete the course in addition to review and acceptance of a submitted Sample Privacy Product Specification.
Reason for Recommendation: I was blown away by how well the instructors lay the case for a socio-technical perspective for privacy before they get into the technical weeds. This course does an outstanding job of detailing how privacy infrastructure is changing how societies manage information and information flows, and how baking privacy into infrastructure during this current period of technological advancement presents us with opportunity and disruption within nearly every corner of society. In addition, you’ll also come away better understanding the benefits of Privacy Enhancing Technologies, described in a way that is more impactful to society than your typical privacy compliance training. Andrew & Emma are incredibly engaging instructors who share how and when each type of PET can be used. They dive into: structured transparency, input and output privacy, input and output verification, and information flow governance.
Modules: Society Runs on Information Flows; Information Flows within Communities; Information Flows within Markets and Their Incentives; Limitations of Information Flows; Introducing Structured Transparency; Input Privacy; Output Privacy; Input Verification; Output Verification & Flow Governance; The Impact of Structured Transparency; and, Create a Privacy Product Specification (optional for certification)
Data Protocol’s Privacy Engineering Course Modules & Certification
Organization: Data Protocol
Who’s it for? Privacy Engineers, DevOps, TPMs, Privacy Operations
Cost: Free to complete all the course modules; $495 for the ‘final assessment’ and to attain official certification
Time to complete: ~5-6 hours
Certificate of Completion? Yes, but only if you complete the full certification. There is no certificate of completion for just completing the online course modules.
Certification Available? Yes. If you complete the curriculum, pass the comprehensive final assessment, and pay the final assessment fee, you will earn your Data Protocol Privacy Engineering certification and badge and you will receive a certified credential that you can add to your LinkedIn profile to prove completion.
Reason for Recommendation: This course is also led by renowned instructor, Nishant Bhajaria, where he dives into the basics of privacy engineering. You will gain the knowledge and skills you need to protect data privacy while designing and building products and processes. These eight courses and six hands-on labs test your ability to design secure data processes and address vulnerabilities. Data Protocol’s mission is to educate and engage developers and is designed to drive adoption, support education, and grow community; and it has a significant user base across the major tech companies. So, the value of its full certification program is increasingly becoming an indicator of baseline privacy engineering knowledge and skills.
Modules, Courses, & Labs:
- Governance Module: Data Classification Course; Data Classification Lab; Data Categorization Course; Data Categorization Lab; and Retrieval Lab
- Systems Module: Consent Management Course; Consent Management Lab; Security & Privacy Course; Data Deletion Course; Data Deletion Lab; Data Sharing Course; and, Data Sharing Lab
- Execution Module: Privacy Tech and Technical Privacy Consulting
CREATIVE PRIVACY ENGINEERING EDUCATION & AWARENESS
Organization: Imagine Privacy, Inc.
Founders: Mert Can Boyar & Gokhan Sari
What it is: Privacy Quest is a gamified learning experience that was inspired by Capture the Flag (CTF) style competitions in the application security industry. The founders designed Privacy Quest to help non-technical individuals enter the privacy engineering field by providing a comprehensive learning experience that covers the necessary IT foundations. It will soon expand to include modules for current privacy engineers to upskill to other areas. Privacy Quest is for beginners, intermediate learners, and advanced privacy professionals. The platform currently offers a variety of challenges and competitions to suit different skill levels and will be expanding into other overlapping areas soon, like ‘Privacy and AI.’
Who is it for? Privacy & Data Protection Managers, Privacy Lawyers, Privacy Engineers
Reason for Recommendation: Through the use of immersive storytelling, visual art, music, and a gamified learning platform, you will gain invaluable privacy and security knowledge. As you delve into the intricacies of privacy engineering through Quests, you will develop a deep understanding of concepts such as data protection, threat modeling, risk mitigation, and encryption. Privacy Quest equips you with the practical skills needed to navigate the complex landscape of privacy and security, providing a platform for continuous learning and growth. You can also connect with a community of privacy enthusiasts and professionals, showcase your expertise, and position yourself as a valuable asset in the privacy and security domain. Moreover, companies can leverage Privacy Quest to deliver privacy engineering education to their employees in a way that is memorable, engaging, and effective. Teams can even partner with Privacy Quest to create Privacy Awareness Day/Week activities that include: table-top games, escape-room events, and gamified workshops.
Bonus Material: The Hitchhiker’s Guide to Privacy Engineering (HGPE)
What is it? HGPE was created for privacy professionals with legal backgrounds who want to level up their knowledge of technical data privacy. With HGPE, you can grasp the technical mechanisms that keep privacy intact and speak with credibility when working with technical teams.
Who is it for? Privacy Lawyers
Reason for Recommendation: This creative passion project - also from Mert Can Boyar - combines his love for science fiction and data privacy to offer a fun, engaging, and immersive privacy learning experience for privacy lawyers to improve their technical privacy skills. HGPE is designed to provide a solid foundation in privacy engineering principles and practices, enabling privacy lawyers to better understand and address the complex privacy issues facing our digital society.
Books
Data Privacy: A Runbook for Engineers
Author: Nishant Bhajaria
Who is it for? This book is primarily for system designers, architects, and engineers who work with data, especially in highly-distributed architectures. However, anyone should read this book - from management to media to regulators to attorneys - to gain baseline knowledge that enables them to offer commentary and analysis rooted in context and expertise.
Reason for Recommendation: This is the first book in the era of cloud computing and identity graphs to help engineers implement complex privacy goals like data governance, technical privacy reviews, data deletion, consent management, etc. It teaches you how to navigate the trade-offs between strict data security and real world business needs. In this practical book, you’ll learn how to design and implement privacy programs that are easy to scale and automate. This includes workable solutions and smart repurposing of existing security tools to help set and achieve your privacy goals.
Chapters Include: Privacy Engineering: Why It’s Needed, How to Scale It; Understanding Data and Privacy; Data Classification; Data Inventory; Data Sharing; The Technical Privacy Review; Data Deletion; Exporting User Data: DSARs: Building a Consent Management Platform; and, Closing Security Vulnerabilities; Scaling, Hiring, and Considering Regulations
Privacy Engineering: A Dataflow and Ontological Approach
Author: by Ian Oliver
Who is it for? Software Developers, Software Architects, Systems Designers, TPMs
Reason for Recommendation: This book presents an approach based upon data flow modeling, coupled with standardized terminological frameworks, classifications and ontologies to properly annotate and describe the flow of information into, out of and across these systems. Also provided are structures and frameworks for the engineering process, requirements and audits; and even the privacy programme itself, but takes a pragmatic approach and encourages using and modifying the tools and techniques presented as the local context and needs require.
Chapters Include: Case Studies; Privacy Engineering Process Structure; Data Flow Modeling; Security and Information Type Classifications; Additional Classification Structures; Requirements; Risk and Assessment; Notice and Consent; Privacy Enhancing Techniques; Auditing and Inspection; Developing a Privacy Program; and, Conclusions
Practical Data Privacy: Enhancing Privacy and Security in Data
Author: Katharine Jarmul, Principal Data Scientist at Thoughtworks
Who is it for? Data Scientists and PET enthusiasts
Reason for Recommendation: I love how Katharine balances a deep technical perspective with plain-language overviews of the latest privacy technology approaches and architectures in data science work flows. Her book serves as an essential guide that will give you a fundamental understanding of modern privacy building blocks, like differential privacy, federated learning, and encrypted computation. She shares solid advice and best practices for integrating breakthrough privacy-enhancing technologies into production systems.
Chapters Include: Data Governance and Simple Privacy Approaches; Anonymization; Building Privacy into Data Pipelines; Privacy Attacks; Privacy-Aware Machine Learning and Data Science; Federated Learning and Data Science; Encrypted Computation; Navigating the Legal Side of Privacy; Privacy and Practical Considerations; FAQs and Their Answers; and, Go Forth and Engineer Privacy!
Strategic Privacy by Design, 2nd Edition
Author: R. Jason Cronk, Owner of Foryte Web Services / Enterprivacy Consulting Group
Who is it for? Operational Privacy Managers and Privacy Engineers. This book is one of the “official textbooks” published by the IAPP for studying for the Certified Information Privacy Technologist (CIPT).
Reason for Recommendation: I love how this book focuses on how to build and implement better processes, products, and services that consider individuals’ privacy interest as a design requirement. It is about how to build things that people can trust. Jason has included over 100 additional pages in his second edition of Strategic Privacy by Design. Jason refines his thinking, provides dozens of illustrative examples, a new chapter on threat modeling for privacy, an added glossary, and model answers to the exercises listed throughout the book.
Chapters Include:
- Introduction: What is Privacy by Design?
- Building Blocks: Actors & Their Roles; Harms I - Moral Consequences; Harms II - Physical, Mental, & Other Tangible Consequences; Controls; Pothole Application Example & Exercises
- Modeling: Threats, Interactions, & Relationships; Risk Analysis; Mitigating Risks; Pothole Application Example & Exercises
- Designing for Privacy: Design Methodology; Pothole Application Example & Exercises
- Glossary: Categories of Personal Information; Risk Terminology; Hierarchy of Controls; and Solove Taxonomy of Privacy Harm
Appendices: Privacy Engineering, Privacy-Enhancing Technologies & Privacy at Scale; Quantifying Risks; Model Answers to Exercises; and a Map to the CIPT Body of Knowledge
The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value
Authors: Michelle Finneran Dennedy, CEO of Privacy Code; Jonathan Fox, Director, Strategy & Planning, Office of the CPO at Cisco; Thomas R. Finneran (deceased)
Who is it for? Privacy Managers, Privacy Engineers and their Managers, CPO, DPOs, and IT Management
Reason for Recommendation: This seminal work in privacy engineering provides a systematic engineering approach to develop privacy policies based on enterprise goals and appropriate government regulations. Privacy procedures, standards, guidelines, best practices, privacy rules, and privacy mechanisms can then be designed and implemented according to a system’s engineering set of methodologies, models, and patterns that are well known and well regarded but are also presented in a creative way. This 2nd edition of this book is in the works, so you might want to wait before running out and getting a copy.
Chapters Include:
- Part 1: Getting Your Head Around Privacy [Chapter 1: Technology Evolution, People, and Privacy; Chapter 2: Foundational Concepts and Frameworks; and Chapter 3: Data and Privacy Governance Concepts]
- Part 2: The Privacy Engineering Process [Chapter 4: Developing Privacy Policies; Chapter 5: Developing Privacy Engineering Requirements; Chapter 6: A Privacy Engineering Lifecycle Methodology; Chapter 7: The Privacy Component App; Chapter 8: A Runner’s Mobile; Chapter 9: Vacation Planner Application; and Chapter 10: Privacy Engineering and Quality Assurance]
- Part 3: Organizing for the Privacy Information Age [Chapter 11: Engineering Your Organization to Be Privacy Read and Chapter 12: Organizational Design and Alignment]
Part 4: Where Do We Go from Here? [Chapter 13: Value and Metrics for Data Assets; Chapter 14: A Vision of the Future: The Privacy Engineer’s Manifesto; Appendix A: Use-Case Metadata; and Appendix B: Meet the Contributors]
Conferences
*Privacy Engineering Practice & Respect Conference 2024 (PEPR’24)
Watch PEPR’23 presentations: https://lnkd.in/d4QnUHPf
Organization: USENIX.org
2024 Program Chairs: Nuria Ruiz (Outschool.com) & Lawrence You (Google)
2024 Steering Committee: Lorrie Cranor (Carnegie Mellon University); Casey Henderson-Ross (USENIX Association); Lea Kissner (Lacework); Divya Sharma (Google); Blase Ur (University of Chicago)
What is it? PEPR is focused on designing and building products and systems with privacy and respect for their users and the societies in which they operate with the goal to improve the state-of-the-art and practice of building for privacy and respect and to foster a deeply knowledgeable community of both privacy practitioners and researchers who collaborate towards that goal.”
The 2024 USENIX Conference on Privacy Engineering Practice and Respect (PEPR '24) will take place at the Hyatt Regency Santa Clara, in Santa Clara, CA, USA, on June 3–4, 2024. View the Call for Participation. Submissions are due Monday, February 12, 2024.
Who is it for? Privacy Engineers and Technologists
Reason for Recommendation: The PEPR Conference is now my favorite annual conference, and because I love this community so much, I decided to join the PEPR Conference Programming Committee. To show you how much I love this conference, here’s a short example. I’m getting married this Memorial Day weekend, and I let my fiance know that we need to postpone our honeymoon by a week so that I can ensure that I make it down to the Bay Area to attend PEPR first. So, I’m not exaggerating when I say how much I enjoy this event.
USENIX makes for the perfect conference venue, as it is a non-profit engineering organization committed to education, and the founders of the conference are 2 stalwarts in the field: Lorrie Cranor and Lea Kissner. PEPR features a 2-day lineup of talks and panels from leaders across Privacy Engineering - a show and tell of privacy engineering practitioners, where we can gain insights from the lessons learned and network with this small but growing community. Last year, there were about 150-200 privacy engineers in attendance. Most of the feedback from others was how much we all felt invigorated by our discussions with one another and how it felt like a ‘love bubble’ of sorts. If you’re a privacy engineer, this is the one conference that I would be sure not to miss.
International Workshop on Privacy Engineering (IWPE)
Organization: IEEE. This Workshop takes place during the IEEE European Symposium on Security and Privacy, which is held in the EU each year.
Organizing Committee: General Co-chair: Jose M. del Alamo (Universidad Politécnica de Madrid); General Co-chair: Isabel Wagner (University of Basel); Program Co-chair: Kim Wuyts (PWC Belgium); Program Co-chair: Meiko Jensen (Karlstad University); Industry Chair: Isabel Barberá (Rhite)
What is it? This is a forum for concrete proposals for models, methods, techniques and tools that support data protection engineers and organizations in this endeavor are few and in need of immediate attention. IWPE is co-located with the annual IEEE European Symposium on Security and Privacy.
To cover this gap, the topics of the IWPE focus on all the aspects of privacy engineering, ranging from its theoretical foundations, engineering approaches, and support infrastructures, to its practical application in projects of different scale. This is broader than the USENIX PEPR Conference, which favors practical approaches over discussions of theoretical foundations.
The 2024 Conference will take place on July 8, 2024, in Vienna, Austria. There’s a call for submissions. Submit your lightning talk proposal or panel discussion by 15th April, 2024.
Who is it for? Privacy Engineers
Reason for Recommendation: While I have not personally attended this conference, I know many privacy engineers who have had a great time speaking at and attending this event. While it is pretty heavy on participants from academia, organizers have opened up an ‘Industry Talk Track’ to invite practitioners to share their experience, lessons learned or challenges faced with a wider audience.
Non-profit Organizations to Engage with
*Institute of Operational Privacy Design (IOPD)
Organizers: R. Jason Cronk (Enterprivacy Consulting Group) & Janelle Hsia (PrivacySWAN Consulting)
What is it? The mission of the IOPD is to define and drive the adoption of privacy design standards to provide accountability and public recognition for good privacy practices.
Who is it for? Operational Privacy Managers, Privacy Engineers
Reason for Recommendation: Until now, implementing ‘Privacy by Design and Default’ has been ‘squishy’, hard to define, and difficult to implement. The IOPD has changed this paradigm by developing the industry’s first standard for a repeatable and comprehensive process by which a company can reduce privacy risks. This standard is called the IOPD Process Design Standard.
- PbD Design Standard: By adopting the Standard, organizations will be able to reduce the complexity of the overall design process and create significant efficiencies thereby reducing cost while increasing customer trust. This standard covers the design process by which an organization designs its products, services or even other business processes. The goal of this standard is to ensure privacy is a forethought in the design.
- PbD Assurance Standard: The second standard, which we’ll be working on this year, will cover the end result – the product, service or business process – ensuring that it does, in fact, reduce privacy risks to an acceptable level. In theory, any product, service or business process designed and developed using the design standard, should result in meeting the subsequent standard, though the latter will have more rigorous risk tolerances included. Organizations that meet the requirements of the PbD Assurance Standard are able to display the IOPD Privacy Seal for their product, service, or business process.
- For members, the IOPD also hosts monthly discussions with movers and shakers in the space, called Privacy Engineering and Technology Education Discussion (or PETed).
Podcasts
*The Shifting Privacy Left Podcast
Host: Debra J. Farber, Privacy Tech Advisor at Principled LLC
Sponsor: Privado.ai
What is it? Shifting Privacy Left features lively discussions on the need for organizations to embed privacy by design into the UX/UI, architecture, engineering / DevOps and the overall product development processes BEFORE code or products are ever shipped. Each Tuesday, we publish a new episode that features interviews with privacy engineers, technologists, researchers, ethicists, innovators, market makers, and industry thought leaders. We dive deeply into this subject and unpack the exciting elements of emerging technologies and tech stacks that are driving privacy innovation; strategies and tactics that win trust; privacy pitfalls to avoid; privacy tech issues ripped from the headlines; and other juicy topics of interest.
Who is it for? Privacy Engineers & Technologists
Reason for Recommendation: I really enjoy producing and hosting The Shifting Privacy Left Podcast, and I think my passion for privacy engineering, privacy tech, and building community comes through to inspire others. We go deeper into technical privacy topics across guests with various backgrounds and interests, sometimes diving into implementation and tech stacks, while making sure to also look at problems holistically. Recently, the show just won the ‘Privacy Podcast People’s Choice Award’ in 3 categories: 2nd place for ‘Best Privacy Podcast,’ 1st place for ‘Best Newcomer,’ and 2nd place for Best Interviewer. From the feedback that I’ve received, people seem to really like my authenticity, practical perspectives, and provocative questions that nudge the audience to think differently and creatively.
The AI Fundamentalists
Hosts: Andrew Clark, Co-Founder & CTO at Monitaur; and Sid Mangalik, Research Scientist at Monitaur and Computer Science PhD candidate at Stony Brook University
Organization: Monitaur
What is it? A podcast about the fundamentals of safe and resilient modeling systems behind the AI that impacts our lives and our businesses.
Who is it for? Data Scientists, AI System Designers, Privacy Engineers
Reason for Recommendation: When I was seeking bite-sized podcasts for learning more about AI, I came across this podcast. After listening to just one episode on some of the drawbacks to using Synthetic Data and AI, I was hooked. Andrew and Sid are expert data scientists who have a very clear and practical communication style that resonates with me and cuts through the marketing fluff that many AI-focused companies put out. While their podcast is squarely one about AI, I felt that I needed to include a nod to their content here, as they often discuss the overlapping issues of privacy & AI on their show, and their podcast has truly rounded out my understanding of that intersection.
Partially Redacted
Host: Sean Falconer, Head of Marketing at Skyflow
Sponsor: Skyflow
What is it? This is a privacy engineering focused podcast show produced and hosted by Skyflow.
Who is it for? Privacy Engineers and Technologists
Reason for Recommendation: Partially Redacted focuses its episodes on a variety of topics around privacy engineering, hosted by Sean Falconer, Skyflow’s Head of Marketing in an interview-based format. The interviews - half of which are with Skyflow employees and half from outside guests - are packed with information and novel insights for a privacy engineering audience.
Threat Modeling Frameworks & Card Games
LINDDUN Privacy Threat Modeling for Software:
and LINDDUN GO Card Game:
Collaborators: Mina Deng, Kim Wuyts, Riccardo Scandariato, Wouter Joosen, Bart Preneel, Aram Hovsepyan, Dimitri Van Landuyt, Laurens Sion and Koen Yskout
What is it? LINDDUN is a recognized privacy threat modeling framework, developed by privacy experts at KU Leuven. It offers mature support to identify and mitigate privacy threats early in the development lifecycle. Adopting LINDDUN can therefore help build privacy into the system’s core.
Who is it for? Privacy Engineers, Security Analysts, Operational Privacy Managers
Reason for Recommendation: Privacy is increasingly important, yet often misunderstood. I really like how LINDDUN categorizes by ‘privacy threat type’ like Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, and Non-compliance. What is great about LINDDUN is that you can apply it to an actual software system for a thorough investigation. Adopting LINDDUN throughout the software design phase, helps you to uncover and fix relevant privacy gaps.
The creators have also included open sourced privacy threat types, threat trees, and methods. For those who learn by doing, you can even buy the LINDDUN GO Card Game. With 33 threat cards highlighting the most common privacy threats and system hotspots, this game transforms the privacy assessment process into an engaging, collaborative experience. Designed for structured brainstorming within a diverse team, LINDDUN GO requires only the card deck and a system sketch to kickstart your journey.
The Privacy Library Of Threats 4 Artificial Intelligence (PLOT4ai) Framework, which includes privacy:
And the PLOT4ai Card Game:
Creator: Isabel Barberá, Founder at Rhite
What is it? PLOT4ai is a library (currently) containing 86 threats related to AI/ML. The threats have been classified into 8 categories. There’s also a PLOT4ai Card Game to help AI teams with threat modeling for privacy and a free Self-Assessment Tool for your AI project. There’s also a paper, Threat Modeling Generative AI Systems, that you can refer to where the authors used PLOT4ai to create an open sourced library of potential threats for Generative AI Systems
Who is it for? Data Scientists, Privacy and Data Protection Managers, Privacy Engineers, Security Analysts, AI Governance Managers
Reason for Recommendation: I really like that Isabel Barberá created PLOT4ai based off of the LINDDUN threat model framework, though cataloging threats mapped to AI specifically rather than to software systems generally. It’s also notable that PLOT4ai is not solely focused on privacy and security by design. It covers the whole concept of responsibility towards the individuals that we want to protect and humanity as a whole. PLOT4ai helps you to connect with the people that are represented in your data and with the people that one day could be affected by your models.
Other Resources
IAPP: Privacy Engineering Section
What is it? This is where privacy professionals working in the IT and privacy engineering fields plug into the other areas of the privacy profession. The Privacy Engineering Section offers a range of programs, events, content and networking opportunities through which privacy pros working in IT and related fields can connect and advance.
Who is it for? Privacy Engineers, IT Privacy Managers
Reason for Recommendation: The IAPP has focused most of its services to the privacy community on the needs of CPOs, DPOs, privacy attorneys, consultants, and the GRC functions. If you are already a member of the IAPP, you may find it helpful to join the Privacy Engineering Section for networking, speaking and writing opportunities, etc. However, since the IAPP charges extra for attendance at the Privacy Engineering Section’s day-long line-up at its conferences, the costs are often prohibitive and the actual audience attendance can be anemic, with most of the speakers as the audience members. There’s a lot of potential for the IAPP to invest more in bringing technical content to its members, like how it’s currently investing in AI and privacy with a separate conference, but it’s not clear that they have the political will to do so.
(U.S. Gov) NIST Privacy Engineering Program Collaboration Space
What is it? Given concerns about how information technologies may affect privacy at individual and societal levels, NIST’s Privacy Engineering Program supports the development of trustworthy information systems by applying measurement science and system engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and, by extension, civil liberties. NIST's Privacy Engineering Collaboration Space is an online venue open to the public where practitioners can discover, share, discuss, and improve upon open source tools, solutions, and processes that support privacy engineering and risk management.
Who is it for? Privacy Engineers
Reason for Recommendation: Tools and use cases are currently focused on disassociability and privacy risk assessment. Anyone can submit open source tools and use cases to be included in NIST’s Collaboration Space.
- For example, NIST just added Privado Scan to the Collaboration Space - an open-source privacy scanner that allows an engineer to scan their application code and discover how data flows in the application. It detects hundreds of personal data elements being processed and further maps the data flow from the point of collection to "sinks" such as external third parties, databases, logs, and internal APIs. It allows privacy engineers to concretely verify and assess if a certain data collection policy set on an application actually matches the implementation right in the code itself - thus embedding privacy assessments in the developers' workflow.
- Another tool available in the NIST Collaboration Space is the FAIR Privacy Quantitative Privacy Risk Framework from R. Jason Cronk. This framework is based on FAIR (Factors Analysis in Information Risk), which examines personal privacy risks to individuals.
EU Gov - EDPS' Internet Privacy Engineering Network (IPEN)
What is it? The purpose of IPEN is for the European Data Protection Supervisor to bring together developers and data protection experts with a technical background from different areas in order to launch and support projects that build privacy into everyday tools and develop new tools that can effectively protect and enhance our privacy. It supports engineers working on (re-)usable building blocks, design patterns and other tools for selected internet use cases where privacy is at stake. It builds bridges with privacy and data protection experts from other disciplines and promotes wider understanding of the technologies enabling the protection of personal data. It facilitates exchanges to coordinate work and aims to create a community pursuing common objectives, by connecting existing initiatives, groups and individuals working on privacy engineering.
Who is it for? Privacy Engineers
Reason for Recommendation: IPEN events bring together privacy experts and engineers from public authorities, industry, academia and civil society to discuss relevant challenges and developments for the engineering and technological implementation of data protection and privacy requirements into all phases of the development process. Last year, their annual event focused on Explainable Artificial Intelligence. I also like that they maintain a Wiki for Privacy Standards and Privacy Projects. While I am unable to attend the events in the EU, I like to stay connected by subscribing to IPEN’s listserv, reading its blog posts, and referring to its wiki when needed.
* Debra is a paid Advisor to Privado and Imagine Privacy / Privacy Quest; and Privado is also a sponsor of her show, The Shifting Privacy Left Podcast. She is a pro bono Advisor to the Institute of Operational Privacy by Design (IOPD) and serves as a Program Committee Member for the 2024 USENIX Conference on Privacy Engineering Practice and Respect (PEPR’24).
Debra has shifted left to help companies seeking to unlock the value of their data with PbD strategies, PETs, and privacy engineering methodologies.