What does this mean if privacy per se is a policy topic?
While the NIST description is specific to their efforts, a few common themes are relevant to a manager’s own consideration of privacy engineering.
The first has to do with using secure systems — “trustworthy” systems — to protect privacy. If you are collecting data, it’s important to protect that data when it is stored or being transmitted — or in the parlance of the security world, “data at rest and data in motion.” This implies good cybersecurity practice. A good starting point is Securing Connected Devices for Consumers in the Home – A Manufacturer’s Guide (CTACEB33), free to CTA members.
The NIST mission also mentions measurement science. Privacy concerns are about the risk of breaches. Breaches of consumer data not only damage consumers, but tarnish the company’s reputation, expose it to government action and civil lawsuits, and potentially impact the stock price. Setting up privacy requirements for the organization is only logical. Like performance goals in an annual review, privacy requirements should be measurable — by test, observation, etc. Privacy engineering is also about measuring performance against privacy requirements.
The text also speaks of frameworks. CTA believes that prescriptive regulatory requirements hamper innovation and are quickly dated. Frameworks are a useful structure to establish the guidelines without such static requirements. When you use an established framework for a purpose, you can customize your program to your evolving needs. A privacy risk management framework can be helpful to understand and measure risk categories within the privacy space.
In short, privacy engineering is about managing privacy-related risks with tools and frameworks that help decide how to direct cybersecurity resources to protect the security of PII.
i3, the flagship magazine from the Consumer Technology Association (CTA)®, focuses on innovation in technology, policy and business as well as the entrepreneurs, industry leaders and startups that grow the consumer technology industry. Subscriptions to i3 are available free to qualified participants in the consumer electronics industry.