Privacy Engineering

The National Institute of Standards and Technology (NIST) defines privacy engineering as:

A specialization within systems engineering focused on providing the guidelines necessary for reducing risks affecting privacy and enabling organizations to take fundamental decisions in relation to the allocation of resources and the effective implementation of controls in information systems.

For long time organizations have been conscious of the need to prevent unauthorised access to data systems. Systems engineering was developed as a discipline to prevent it. The collection of personal data in systems as complex as those that involve hyperconnectivity, automated decisions, profiling and large-scale monitoring can lead to some processing activities, still operating in the manner foreseen by their designers, contravening data protection regulations or citizens expectations with regard to privacy. While security engineering is an essential element for implementation of any kind of information policy in an organization, privacy engineering appears as complementary discipline when it comes to managing privacy risks associated with the planned and authorised function of systems that collect, use and disclose personal data.

Privacy engineering is a discipline that has the aim of translating the legal requirements that establish rights and freedoms into practical guides and tools that allow for the principles of privacy to be applied in a viable way from the design stage. Taking into account the effective implementation of a processing activity involving both organizational aspects of the organization as well as purely technical ones, the disciplines involved in Privacy Engineering include process management, risk management, quality, software engineering, information security, knowledge engineering and, of course, practical knowledge of data protection regulations.

Even though Privacy Engineering dates back to at least 2014 with the IPEN initiative (Internet Privacy Engineering Network ), in late 2018 it received the explicit support of the Institute of Electric and Electronic Engineers (IEEE Position “Statement In Support of Privacy Engineering”) as a differentiated specialization in which it is necessary to complete important work to support the development of systematic methods, standardization, and the training and commitment of professionals.

The reality of the market imposes itself in relation to privacy engineering and professionals with the specific profile are already being sought (employment offers published by Facebook, Google y HP) which is why training in the specialization already appears in the prospectuses of prestigious universities like Carnegie Mellon and Johns Hopkins .

There is still a long way to go before Privacy Engineering reaches a level of maturity comparable to other disciplines. That's why initiatives such as the NIST Privacy Engineering Program’s (PEP) , have been undertaken, which has the mission of creating environments and standards such as the PDP4e Project (Privacy Data Protection for Engineering), which also aims to develop engineering methods and tools that incorporate the principles of the GDPR, among other projects.

For the same purpose, the Spanish Data Protection Agency created the Unit of Evaluation and Technological Studies which not only develops guides, studies and tools to implement the principles of privacy as established in the GDPR in particular but also other principles of proactive responsibility from the Design stage. The AEPD is developing this initiative in collaboration with national, European and international organizations, promoting the development of the principles of Privacy from the Design stage, and is engaged, specifically, in dissemination work in these areas, compiling information and results on its website at the following address (english version).