Privacy Tech and Privacy by Design

Privacy Tech and Privacy by Design Topic Page

Here, you can find the IAPP’s collection of coverage, analysis and resources related to privacy technology and privacy by design. The IAPP Resource Center includes separate topic pages for Artificial Intelligence and Cloud Computing, as well as a “Privacy Engineering Section,” which offers a range of programs, events, content and networking opportunities through which privacy pros working in IT and related fields can connect and advance.

Featured Resources

BOOK

An Introduction to Privacy for Technology Professionals

In this IAPP textbook, leading minds in the field address how privacy and technology intersect and examine critical areas of concern in the industry.

BOOK

Strategic Privacy by Design, Second Edition

Designed for both the individual who knows privacy by design and the individual who is just starting on their privacy journey, this book presents a methodology for building privacy into a product, service, or business process, and takes an unconventional approach to privacy by design.

REPORT

Privacy Risk Study 2023

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.

INFOGRAPHIC

AdTech: A Look Back

This infographic traces how adtech law, policy, litigation and enforcement have grown and evolved in 2023.

BOOK

Cybersecurity Law Fundamentals

Almost as swiftly as cybersecurity has emerged as a major corporate and public policy concern, a body of cybersecurity law has developed. The purpose of Cybersecurity Law Fundamentals is to give a coherent summary of this incoherent body of law.

CHART SERIES

Privacy Engineering Domains

This is a multipart series intended to provide privacy professionals with an overview of privacy engineering domains, with each covered domain having its own chart.


Privacy Engineering

A look at HP's Privacy Engineering Center of Excellence

Enterprise-level technology companies are becoming more innovative with the privacy solutions they adopt in an effort to meet customer expectations and legal compliance goals. HP's Privacy Engineering Center of Excellence seeks to be a leading example of a cutting-edge privacy-enhancing solution. The team running HP's program seeks to establish new company standards across business units to build a transparent user privacy experience for products and services. The key to establishing desired st... Read More

How to Operationalize Data Mapping for Engineering

Original broadcast date: 20 Sept. 2022. In this web conference, panelists discuss challenges with data mapping for engineering, reasons why records of processing activities reports are incomplete, inaccurate and out of date, how to do data mapping on the application level and why developers love that and more.

Privacy Engineer Your Operations for Excellence

Original broadcast date: 12 May 2022. In this web conference, panelists explain how to avoid ripple effects from immature privacy practices, but also clearly show how privacy controls can contribute to better data quality, lower storage costs, and an overall business strategy of trust. Founders, product managers, engineers, and legal privacy professionals alike will walk away from this web conference with a better understanding of the essential building blocks of applying privacy principles in practice, why it makes sense to invest in privacy-by-design when building and maintaining products and systems, and how to get one’s team up to speed.

How to get started in privacy engineering

Published: August 2020. Privacy engineering is a rapidly growing field in our increasingly data-driven world. This infographic offers advice on how to jump-start a career in this dynamic profession. It offers tips for pursuing a cross-disciplinary education, searching for career opportunities beyond Big Tech, writing about privacy issues, networking with other professionals, becoming an expert in your own privacy, earning privacy credentials, staying informed about privacy i...

Privacy engineering is evolving daily: Join the conversation about its future

Regulations and policies alone won’t get us to a world that effectively respects privacy. To get there, we need multiple things: (1) systems we can trust to robustly implement policy, (2) technology that enables better choices than the ones we have today and (3) a deep understanding of the wide spectrum of humans who interact with our systems. In short, we need privacy engineering. Organizations’ understanding of privacy engineering and their need for it is evolving rapidly alongside new techno... Read More

Privacy-Preserving Methods for Feature Engineering Using Blockchain: Review, Evaluation, and Proof of Concept

This study, published in the Journal of Medical Internet Research, compares data privacy methods for effectiveness at protecting data privacy and evaluates their findings. The study tested traditional approaches of using a trusted third party, cryptographic hardware and blockchain techniques. In conclusion, it found combining methods with blockchain techniques was the most secure approach. Read More

Privacy engineering: Comprehensible access control lists

When a user is taking an action, they need to know who, what and where. But what happens once they’ve taken that action? When a user shares something with another user, like a photo or a document, they need to know who, why and how to make it stop. First, let me differentiate sharing and sending. Sending is when someone transmits data to another entity and that data passes into the possession of that entity. For example, if you were to send me an email, that email goes into my inbox. You can’t ... Read More

Additional News and Resources

IAPP Privacy Tech Vendor Report

This edition of the “Privacy Tech Vendor Report” finds the industry at a crossroads of sorts. As privacy has shifted from an afterthought to a necessity within the last decade, the conversation today regarding its place in product development has evolved from the abstract to the technical implementation of an array of solutions. Read More

Synthetic data: What operational privacy professionals need to know

One of the joys of operational privacy professionals is getting that random, Friday afternoon Slack from someone on the product team asking, "Can we [insert questionable action] with our customer data?"  Our responses are thoughtful yet formulaic, often based on what's been outlined in the company's privacy policy. But wouldn't it be nice if we could simply say, "Of course! Go right ahead!" and insert a cute on-trend gif and win the rare praise from teams who often think of compliance as a road... Read More

Empowering users: A universal interface for digital ad preferences

A study published earlier this year by the European Commission, and conducted on its behalf by AWO, found numerous negative impacts of the digital advertising market on advertisers, publishers, users and society. For example, disinformation websites are funded through digital ads, harming democracy and diverting revenues from legitimate publishers. Furthermore, the market's complexity and lack of transparency prevent advertisers from ensuring their ads aren't placed next to content that may hur... Read More

A 'slippery slope' of 'sousveillance'

I first stumbled upon the term "sousveillance" a few years back, when my sister sent me a link to an article called "The psychology of privacy in the digital age." Coined by Steve Mann, the neologism "sousveillance" draws upon the French word sous, meaning below, and refers to a member of the public, rather than a company or authority, recording someone's activity. Its applications are varied — ranging from "policing the police" instances of civilians filming encounters with law enforcement, to... Read More

Building a modern data protection technology stack

In today's digital landscape, businesses face increasing challenges in effectively managing privacy, security and data protection. With the proliferation of data and the ever-evolving regulatory landscape, organizations have many tools to choose from to address concerns and run effective data protection programs. But with many different tools comes confusion, and with confusion comes challenges. In the landscape of privacy, governance and security tools, privacy professionals often face the cha... Read More

In an AI-powered world, marketers need a new data strategy

Consumer data is the lifeblood of modern marketing — but in a world powered by artificial intelligence, leveraging data effectively while avoiding costly slip ups has never been more challenging. Today's marketers deal with consumers who know the value of their data, and expect to be treated with respect by the brands they permit to use it. They also have to navigate a fast changing regulatory landscape patrolled by muscular privacy enforcers. Simultaneously, marketers have to adapt to an indu... Read More

EU DPAs seek proper clampdown on adtech industry

The recent binding decision from the European Data Protection Board on Meta's personalized advertising practices might just be the tip of the iceberg for advertising technology companies and ad-based business models in the EU. Industry-wide impacts are expected from the decision and the potential enforcement of Meta's move to an ad-free subscription model for EU Facebook and Instagram users aimed at rectifying EU General Data Protection Regulation violations. But EU data protection authorities ... Read More

'Pay or consent:' Personalized ads, the rules and what's next

In a widely discussed move, Meta gave Facebook and Instagram users the choice between paying for an ad-free experience or keeping the services free of charge using ads. The legal reality behind that choice is more complex. Users who continue without paying are asked to consent to the processing of their data for personalized advertising. In other words, this is a "pay or consent" framework for the processing of first-party data.  Even though Meta's "pay or consent" framework is now reportedly a... Read More

EDPB issues binding decision banning Meta's targeted advertising practices

An unprecedented shakeup in the advertising technology space has arrived in Europe. Changes are coming to adtech's approach to privacy and consent around personalized advertising after the European Data Protection Board issued an urgent binding decision to ban Meta's data processing for behavioral advertising. The EDPB decision applies to Meta's Facebook and Instagram users across EU member states and European Economic Area countries. It stems from a request from Norway's data protection author... Read More

The case for static code analysis for privacy

Privacy technology is undergoing a radical transformation and many exciting technologies are available to help companies create better privacy programs and do right by their customers. Data is at the heart of privacy. If we simplify privacy, the top-level questions to ask should be: What type of data is processed; what or who is processing that data; and why is an entity processing it? Enterprise platforms generate data at record speed and if a privacy team even attempts to answer these three ... Read More

Privacy professionals need to be aware of tech abuse

Features designed to improve privacy and protect children in online services, apps and networked devices also make it easier for abusers to maintain control in abusive relationships.  "Ever since caller ID and GPS became part of our lives, we've known that digital technologies can be used by abusers to harm or track their victims, and that's only become more complicated and more prevalent as technology has," Clinic to End Tech Abuse Director of Operations Lana Ramjit told an audience of cyberse... Read More

AEPD publishes guidance on PETs

Spain's data protection authority, the Agencia Española de Protección de Datos, published guidance on the use of privacy-enhancing technologies in data systems, noting they can be used to implement governance policies, and increase trust and data sovereignty. "PETs can be, and should be, 'dual-use' technologies to be efficient and effective, integrated in the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy," the AEPD said.

ACLU report examines impact of edtech surveillance industry

A report by the American Civil Liberties Union examines the education technology surveillance industry and its potentially harmful impact on students. The ACLU said the report found companies are "using fear-based tactics to sell surveillance products that not only fail to keep our kids safe but actually increase discrimination, invade students' privacy, and erode trust between students and educators."

The flawed IT asset management paradigm: Key considerations for privacy professionals

For privacy professionals to appropriately serve their organizations, they often delve into obscure, unexpected functional rabbit holes. One rabbit hole is the current conflicted dynamic between information technology asset management and IT asset disposition, which hides ongoing regulatory noncompliance and results in a growing and unsustainable risk.  The ITAM/ITAD status quo Modern organizations are brimming with IT assets that require management. Organizations batch this into two big bucke... Read More

IAB discusses adtech's state privacy law compliance concerns

Following the passage of several U.S. comprehensive state privacy laws in the last year, the Interactive Advertising Bureau gauged advertisers on their ability and preparedness to comply with incoming statutes. In an interview with MediaPost, IAB Executive Vice President and General Counsel Michael Hahn and Assistant General Counsel Tony Ficarrotta said survey results issued to both sell-side advertisers and buy-side advertisement technology companies showed almost half of respondents "do not fe... Read More

Is this the end of consent-less tracking by online platforms in the EU?

Like most of the "free" internet, online social media is funded through online advertising tailored to individual users' behavior and interests. The Court of Justice in the European Union decision in Case C-252/21 relates to one such platform, Meta, regarding its online social network, Facebook. The case is noteworthy for the advertising industry because it involves a competition authority determining data protection issues and calls into question whether platforms can carry out personalized adv... Read More

Leveraging technology and innovation to ensure privacy

How data moves so quickly between clouds, data centers and jurisdictions is abundantly clear. One of privacy professionals' tasks is to consider the current progress of the technology. In this data-driven economy, privacy pros, architects, data scientists, engineers, researchers, regulators and industry groups should focus their attention on technologies that protect privacy and support security principles without losing the utility and functionality of the data: so-called privacy-enhancing tec... Read More

Embedding privacy by design to enforce responsible use of data

Original broadcast date: 24 May 2023. In this webinar, we will discuss recent privacy by design guidelines and what they mean for privacy programs looking to evolve beyond compliance to enforce responsible use of data. Our experts will discuss understanding ISO 31700, the privacy by design standard, and how to implement it, as well as understanding the link between privacy and data governance, practical steps toward effective partnership and why purpose is key to enabling responsible use of data without disrupting the rhythm of business.

Breach of privacy by design and default: Privacy's good beyond privacy

Over the last few weeks, it has been nearly impossible to avoid news relating to the explosion of generative artificial intelligence, like Google's Bard or OpenAI's ChatGPT. Through it all, many in the privacy community have questioned what role privacy professionals should play in the governance of AI. How do we explain in a privacy notice how AI collects and uses personal information? How do we modify data protection impact assessments to adequately assess AI models? How can we "untrain" an AI... Read More

PrivTech Talks: Emerging privacy-enhancing technologies

In this LinkedIn Live, we will discuss the development and evolution of privacy-enhancing technologies by examining the current state of various types of PETs, including the benefits they provide and their limitations. Our speakers, the Royal Society Senior Policy Advisor and University of Cambridge Centre for Science and Policy Fellow June Brawner, Ph.D., Tumult Labs Staff Scientist Damien Desfontaines, KU Leuven professor, COSIC, and Zama Chief Academic Officer Nigel Smart, Ph.D., and moderator IAPP Principal Researcher, Technology, Katharina Koerner, CIPP/US, will then focus on the maturity of PETs, explore proofs of concept and resources for their implementation, and assess which PETs are ready to be used in production.

The latest in homomorphic encryption: A game-changer shaping up

Privacy professionals are witnessing a revolution in privacy technology. The emergence and maturing of new privacy-enhancing technologies that allow for data use and collaboration without sharing plain text data or sending data to a central location are part of this revolution. The United Nations, the Organisation for Economic Co-operation and Development, the U.S. White House, the European Union Agency for Cybersecurity, the UK Royal Society, and Singapore’s media and privacy authorities all r... Read More

Generative AI: Privacy and tech perspectives

Launched in November 2022, OpenAI’s chatbot, ChatGPT, took the world by storm almost overnight. It brought a new technology term into the mainstream: generative artificial intelligence. Generative AI describes algorithms that can create new content such as essays, images and videos from text prompts, autocomplete computer code, or analyze sentiment. Many may not be familiar with the concept of generative AI; however, it is not a new technology. Generative adversarial networks — one type of gene... Read More

Mozilla Android unveils 'Total Cookie Protection'

Firefox Android launched its "Total Cookie Protection," which reportedly stops cookies from tracking users as they navigate from website to website, according to a company blog post. Total Cookie Protection maintains separate "cookie jars" that isolate cookies embedded to that webpage alone and do not allow other websites to access data collected from a given user.

PrivTech Talks: Privacy tech in health care and medical research

Original broadcast date: March 30, 2023. Join us in this LinkedIn Live as we dive into various privacy-enhancing technologies and how they can enable gaining insights from data that is not shared, such as in federated learning or multiparty computation, from data that stays encrypted while being computed upon, like homomorphic encryption, or is only mimicking the patterns of the original information, such as in synthetic data. Canada Research Chair in Medical Artificial Intelligence and Universi...

Standardization landscape for privacy: Part 3 — W3C and IEEE

As privacy concerns become top-of-mind for web developers and systems engineers around the world, privacy standardization efforts become more important. The World Wide Web Consortium and the Institute of Electrical and Electronics Engineers are leaders in this domain, assisting privacy professionals by drafting standards and other reference material to ensure compliance with global privacy regulations and advocating for privacy best practices. Parts one and two of this article series explore oth... Read More

Standardization landscape for privacy – Article Series

Standards and frameworks provide real benefits for privacy management. They can fulfill compliance obligations, build trust, benchmark against industry best practices, strengthen internal governance and practices, and enable global interoperability. This series provides a general overview of existing standards and frameworks in the realm of privacy. Read More

Federated learning: Supporting data minimization in AI

Artificial intelligence applications, such as language translation, voice recognition and text prediction apps, typically require large-scale data sets to train high-performance machine learning models such as deep neural networks. There can be challenges when the data needed to train the model is personal or proprietary. How can ML algorithms be trained on multiple data sets when, potentially, those data sets cannot be shared? With its capability to train algorithms on various data sets without... Read More

EU policymakers have adtech in sight for future regulation

With the EU elections in May 2024 fast approaching, policymakers in Brussels are scrambling to close open files, plan their next move and set the groundwork for the upcoming mandate. At this stage of the legislative cycle, the European Commission assigns external studies that provide significant indicators of its future areas of interest. Online advertising seems to have caught the regulators’ attention in the digital domain. The appetite to regulate this sector became evident during negotiatio... Read More

'Neurorights' and the next flashpoint of medical privacy

Another frontier in the privacy landscape is emerging, as countries like the U.S. address deficiencies with how sensitive medical data is processed by third parties outside Health Insurance Portability and Accountability Act and other legislative protections. Around the world, leading neuroscientists, neuroethicists, privacy advocates and legal minds are taking greater interest in brain data and its potential. Opinions vary widely on the long-term advancements in technology designed to measure... Read More

NIST's Reva Schwartz on the new AI Risk Management Framework

The prospect of day-to-day life with artificial intelligence is no longer a future endeavor. AI systems comprise countless applications across public and private organizations, and through open-source systems such as ChatGPT, AI is now consumer-facing and usable. The U.S. National Institute of Standards and Technology was directed by the National Artificial Intelligence Initiative Act of 2020 to create a voluntary resource for organizations designing, developing, deploying or using AI systems t... Read More

Five ways to build a bulletproof PBD program with your security partners

Original broadcast date: 14 Feb. 2023. In this web conference, you will learn strategies on how privacy and security can create processes for pre-deployment insights from product and engineering teams, how to leverage privacy and security teams’ shared needs on third-party vendor reviews and record of processing activities, and battle-tested tips on how to avoid getting ambushed for last-minute approval requests from the business.

US NIST publishes AI Risk Management Framework 1.0

The U.S. took a big step in the development of a national artificial intelligence strategy with the release of the U.S. Department of Commerce National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework 1.0, Jan. 26. Required under the National AI Act of 2020, the framework is the product of 15 months of work by NIST scientists who compiled public comments from more than 240 AI stakeholders through multiple listening sessions and workshops, while producing... Read More

Data clean rooms: An adtech privacy solution?

Business goals and competition are pushing advertisers, publishers and retailers to get creative with user outreach and engagement. Personal data collection and user tracking are paramount to these efforts, but doing so with regulatory compliance and user trust is proving more difficult as time goes on. Challenges include the anticipated deprecation of third-party cookies, use of Apple's App Tracking Transparency framework and increased regulation of targeted advertising in the EU and at the st... Read More

EDPB’s Meta decisions explained: Resolving the adtech dispute

Original broadcast date: Jan. 19, 2023. In this LinkedIn Live event, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, joins EDPB Head of the Secretariat Isabelle Vereecken and EDPB Head of Activity for Legal Coordination Carolina Foglia for a discussion on what the EDPB's Meta decisions mean from the regulators’ perspective and what is now expected of those engaged in behavioral advertising across the EU. Watch the full recording on LinkedIn. Access the IAPP's Linked...

Unpacking DPC Ireland's Meta decisions: AdTech and beyond

In this LinkedIn Live event, IAPP President and CEO J. Trevor Hughes, CIPP, IPG Kinesso Global Chief Digital Responsibility and Public Policy Officer Sheila Colclasure, CIPP/US, Digiphile Managing Director Phil Lee, CIPP/E, CIPM, FIP, and Future of Privacy Forum Vice President for Global Privacy Gabriela Zanfir-Fortuna discuss the Irish Data Protection Commission's final decisions invalidating Meta's contract basis for seeking user permission to collect data for personalized advertising on Facebook and Instagram. Read More

Model Written Information Security Program

This model Written Information Security Program from VLP Law Group’s Melissa Krasnow addresses the requirements of Massachusetts' Data Security Regulation and the Gramm-Leach-Bliley Act Safeguards Rule. This document provides general guidance for developing a WISP as may be required by other state and federal laws and best practices. Read More

Irish DPC fines Meta 390M euros over legal basis for personalized ads

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian... Read More

Self-sovereign identity: a primer for privacy pros

In this LinkedIn Live event, IAPP Principal Technology Researcher Katharina Koerner, CIPP/US, walt.id co-founder and CEO Dominik Beron, Microsoft Senior Identity Standards Architect Kristina Yasuda and Identity Woman Kaliya Young discuss the idea of self-sovereign identity and its privacy implications. Read More

Are cookies a new currency for the online world?

A recent statement from Italy’s data protection authority, the Garante, opens a new chapter in the never-ending story of profiling cookies. In order to understand the weight of the Garante's words, we must look back to June 10, 2021, when the DPA issued a new set of cookie guidelines and changed the rules for online behavioral advertising in Italy. The Garante mandated website operators to show a cookie banner as soon as a user accesses the website and present a user-friendly option to express ... Read More

Synthetic data a key to privacy by design practices in new Canadian smart city partnership

Cities around the world are getting smarter. For municipalities, becoming a smart city requires utilizing numerous data sets containing residents’ and visitors’ personal information in order to provide better services. However, municipal IT systems are often targets for cyberattacks. Compounding the issue are some cities that may have outdated cybersecurity infrastructure safeguarding personal data. In Canada, a new effort was launched to help cities transition from using personal data to usi... Read More

Data transfers: Could a technical solution be the future?

International data transfer regulation is rooted in heavy manual processes and paperwork. It impacts business decisions and leaves room for risk. Legal and regulatory teams have to jump through a host of complexities — requiring the assessment of specific circumstances of data transfers like relevant country laws and practices and any additional contractual, technical or organizational safeguards. As tedious as international data transfers may be, they are an essential pillar for global economi... Read More

The FTC’s rapidly evolving standards for MFA

Two recently settled enforcement actions by the U.S. Federal Trade Commission, combined with new guidance from the Cybersecurity and Infrastructure Security Agency, represent a big leap forward in the expectations placed on data custodians for use of multifactor authentication. Read together, they require privacy and information security professionals to reassess their organizations’ approaches to controlling employee, contractor and affiliate access to enterprise systems that contain personal i... Read More

Is GPC the new 'do not track'?

In October 2020, the Global Privacy Control was created to allow consumers to exercise their privacy rights with the click of a mouse. This January, the team behind the GPC announced a major milestone through the GPC's adoption by major publishers and consent management platforms. Despite this, the GPC only recently gained wider traction with the privacy and compliance communities after California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetic retailer Sephora for v... Read More

Where is my personal data bill of materials?

As privacy concerns mount — both cyber threats and legal requirements — a clear, formal, standard model of data components and their history has become necessary. Here, we introduce the concept of the data bill of materials or personal data bill of materials, a comprehensive inventory of personal data used in software systems. The DBoM records the ownership, sharing history, storage and collection purpose of a unit of data. The purpose of a DBoM is to identify personal data as an asset and an e... Read More

What does the newest U.S. privacy bill mean for cybersecurity?

On Tuesday, June 14, the U.S. House Committee on Energy and Commerce held a hearing on the American Data Privacy and Protection Act discussion draft — a leading contender for a comprehensive federal privacy framework. The famed sticking points of individual redress mechanisms, preemption of state laws and the role of the U.S. Federal Trade Commission — the law’s likely federal enforcer — were among the slew of debated aspects. However, the cybersecurity provisions and data security requirements ... Read More

Standardization landscape for privacy: Part 1 — The NIST Privacy Framework

Standards and frameworks provide real benefits for privacy management. Standards are established norms to be applied consistently across organizations, while frameworks are a set of basic guidelines to be adapted to an organization's needs. Both can help to fulfill compliance obligations, build trust, benchmark against industry best practices, support strategic planning and evaluation, enable global interoperability, and strengthen an organization's market position. Just as in information secur... Read More

Standardization landscape for privacy: Part 2 — ISO/IEC

What if there was a formula describing the best methods, techniques and guidelines for privacy? In the face of rapid evolution of information technology and regulations for privacy and data protection, working along the lines of clearly defined controls, concepts and principles is a necessity to tackle the complexity of this constant change. A pathway to best privacy practices In the domain of information and communication technology, the International Organization for Standardization provides... Read More

Exceptions in new US state privacy laws leave data without security coverage

In Connecticut and Virginia, the new consumer privacy laws that comprehensively adopt the fair information practice principles, including data security, have left large swaths of data exempt from any cybersecurity requirements. States using the same consumer privacy template as Connecticut and Virginia should consider the exceptions language very carefully lest, while advancing consumer rights, they actually fall behind other states in protecting cybersecurity. Section 6(3) of the Connecticut l... Read More

Talking Strategic Privacy by Design with R. Jason Cronk

The concept of privacy and data protection by design is not new in the privacy world. We know privacy should be integrated in the foundational design of a product or service; that it should be baked in, not bolted on. But what that means in practice is often elusive. In 2018, Enterprivacy Consulting Group founder R. Jason Cronk, CIPP/US, CIPM, CIPT, FIP, wrote the book "Strategic Privacy by Design," which was published by the IAPP. In it, Cronk offered insights for building processes, products a... Read More

Privacy Management Principles

This chart, published by Security Controls Framework, identifies the leading privacy frameworks to create a simplified, comprehensive and easy-to-understand set of privacy management principles. Click To View ... Read More

Successful adoption of mobile ID hinges largely on protection of citizen privacy

Many U.S. states have launched mobile driver’s license pilots and conducted legislative studies, with some states nearing full-scale mDL production. An enormous benefit of providing the option of an mDL is that the mDL application can give citizens greater control over their personal data than physical cards. We’ve grown used to the privacy holes that our physical ID documents leave, but the potential of the electronic versions raises legitimate concerns about whether mDLs are in the best intere... Read More

Perkins Coie – 2022 Emerging Technology Trends

This report, published by Perkins Coie, identifies 10 major technology areas expected to see significant innovation, as well as new legal and regulatory demands, with topics that included artificial intelligence, machine learning and quantum computing, cloud computing and distributed infrastructure, digital media and entertainment, and green technology. Read More

How To Build An Effective Privacy Engineering Team

Original Broadcast Date: February 2022 In this LinkedIn Live event, you will learn what inspired and helped others to move into this growing field, what the role of privacy engineering entails, and how to build and support the well-balanced privacy teams needed to put privacy policies into practical state-of-the-art data protection and privacy by default and by design in real-world systems. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile ... Read More

Age verification and data protection: Far more difficult than it looks

The French government published Decree No. 2021-1306 Oct. 7, 2021, concerning the implementation of measures to protect minors from accessing sites broadcasting adult content. This allows us to take a closer look at the implementation of technical processes to check the age of users online. At the European Union level, the Audiovisual Media Services Directive requires the adoption of appropriate measures to protect children from harmful content, including age verification. In addition, Article ... Read More

Privacy as code: A new taxonomy for privacy

“Privacy by design” implies putting privacy into practice in system architectures and software development from the very beginning and throughout the system lifecycle. It is required by the EU General Data Protection Regulation in Article 25. In the U.S., the Federal Trade Commission included an entire section on privacy by design in its 2012 report on recommendations for businesses and policymakers. Privacy by design is also covered by India’s PDP Bill and by Australia’s Privacy Management Fram... Read More

The Privacy and Equity Implications of Using Self-Harm Monitoring Technologies: Recommendations for Schools

The Future of Privacy Forum’s Policy Counsels Sara Collins and Yasamin Sharifi, Policy Fellow Anisha Reddy, former Policy Fellow Jasmine Park and Director of Youth and Education Privacy Amelia Vance published a report on the privacy implications of self-harm monitoring technologies in schools. The report explores how the technology is used, questions raised around students’ right to privacy, what student information is obtained and who has access to it, recommendations to reduce risks, and more.... Read More

More than Face Value: Facial Recognition Technology & Privacy

Original broadcast date: 15 June 2021  With the increasing adoption and deployment of biometric technology by private sector and government, the privacy implications of facial recognition technology have come squarely into the public eye. A number of sobering media reports and high-profile cases have resulted in pledges by tech companies, announcements of new legislation in various jurisdictions and increased scrutiny by regulators. A panel of Canadian privacy regulators discuss recent investigations into privacy sector uses of FRT (including Clearview AI and Cadillac Fairview), engagements involving law enforcement, guidance for private and public sector uses of FRT, and legislative considerations impacting FRT. This session is of practical value to organizations developing, using or contemplating the use of FRT in the commercial or law enforcement spheres. Read More

Understanding Machine Learning Technology and Developing A Risk-Based Approach

Original broadcast date: June 2, 2021  The rapid expansion of Machine Learning (ML) technology has raised questions regarding ethics, trust, and privacy risks. But what developments should we expect in the future? How should you review privacy notices and conduct assessments regarding your legal basis to process personal data in connection with ML products? What if you receive data subject rights requests involving ML? This session covers the basics of ML technology, how to best review day-to-day ML products for GDPR compliance and how to develop a toolkit for ethical and accountable ML within your organization. Learn how you can leverage the GDPR’s accountability principle to assess the privacy risks of ML solutions and conduct DPIAs. You will hear the perspectives of regulators and engineers in the industry, and gain clarity on relevant legal requirements. Read More

Privacy Tech's Third Generation: A Review of the Emerging Privacy Tech Sector

The Future of Privacy Forum and Privacy Tech Alliance released a new report titled “Privacy Tech’s Third Generation: A Review of the Emerging Privacy Tech Sector.” The report looks at the evolving privacy technology market, analyzes trends and predictions, and identifies five market trends and their implications for the future. Key themes include the COVID-19 pandemic’s role in accelerating global marketplace adoption of privacy tech and the role of regulatory compliance in driving initial priva... Read More

Marketing Technology 101 for Privacy Officers

Original broadcast date: February 9, 2021  Join us for this privacy education web conference where you’ll hear privacy and legal experts discuss the subtle balance between satisfying marketing needs and business imperatives, while complying with privacy law. They’ll share with you how your organization can satisfy both goals, and create a positive working environment between the two teams. Read More

How to get started in privacy engineering

Published: August 2020 Click To View (PDF) Privacy engineering is a rapidly growing field in our increasingly data-driven world. This infographic offers advice on how to jump-start a career in this dynamic profession. It offers tips for pursuing a cross-disciplinary education, searching for career opportunities beyond Big Tech, writing about privacy issues, networking with other professionals, becoming an expert in your own privacy, earning privacy credentials, staying informed about privacy i... Read More

Enhancing Privacy Education with a Technical Emphasis in IT Curriculum

This paper from Kennesaw State University describes the development of four learning modules that focus on technical details of how a person’s privacy might be compromised in real-world scenarios. The paper shows how students benefited from the addition of hands-on learning experiences of privacy and data protection to the existing information technology courses.  Click To View (PDF) ... Read More

The Skill Set Needed to Implement a Global Privacy Standard: ISO/IEC 27701 alignment with IAPP CIPM and CIPP/E certifications

In August 2019, the International Standards Organization released its first global privacy standard, ISO/IEC 27701. To offer insight into the professional skill set necessary to implement this new global privacy standard, the International Association of Privacy Professionals’ Westin Research Center mapped ISO/IEC 27701 to the bodies of knowledge for a Certified Information Privacy Professional/Europe and a Certified Information Privacy Manager. Read More

How Privacy Tech Is Bought and Deployed

For the second year running, the IAPP together with TrustArc surveyed 345 privacy professionals around the globe to gain an understanding of how privacy technology products are purchased and deployed within an organization. Results this year shine a light on which products are in use and under whose budget privacy tech purchases are made, as well as other budgetary and purchase-decision-making insights. Read More

The Ransomware Epidemic – Article Series

Last Updated: September 2016 Put yourself in this picture: Your organization has a pretty good handle on data security. You have a secure firewall and good anti-malware software running on your systems. You monitor network traffic for suspicious activity. You’ve trained your staff in good cyber hygiene, and reviewed your business partner contracts to make sure they’re doing their part to protect sensitive data. It’s “patch Tuesday,” your automated scripts are installing the latest security up... Read More