Privacy is the Global Battlefield - Do we have the Tools and Standards to Fight and What is Privacy Engineering?
John Sabo, Chair OASIS IDTrust Member Section and Chair, PMRM Technical Committee
John.sabo711@yahoo.com

Technical Compliance with The GDPR
Is your organization ready to comply with the GDPR's requirements and put in place comprehensive controls over how it uses and manages personal data?
Does your organization understand how to implement functionality that will not only demonstrate that you are compliant, but actually deliver the privacy you have promised?
Does your technical team including third party data partners have the tools to understand their implementation requirements?
Can you efficiently and confidently manage changing data protection requirements as your business environment changes?
How do you apply abstract privacy engineering and data protection concepts to the pressing mandates on your organizations to achieve compliance?
- John Sabo

Privacy the Global Battlefield
The GDPR's mandates are global - will cover 510 million people (including Britain) and have International impact
To effectively meet its mandates, we must
make use of tools that leverage existing technical and policy standards
foster the development and adoption of new standards that are needed
take the next steps towards building a Privacy Engineering capability
Privacy Engineering as a discipline can analyze, document, visualize and provide technical solutions to data protection requirements
Addressing the delivery of data protection/privacy principles, regulations, and business policies
Set in the context of a rigorous privacy management analysis specific to a use case/implementation
Translated into Privacy Controls and Specific Requirements
Defined in required privacy services and functionality
Implemented in technical and procedural mechanisms and
Reported using tools that allow a privacy engineer to demonstrate compliance

The GDPR as Catalyst
The GDPR can be a strong catalyst for assessing and improving how to actually deliver assured data protection/privacy in today's complex, cloud-based systems.
Can this be done reliably, cost effectively, and with demonstrable compliance without standards and a privacy engineering discipline?
This is no easy task. But it is essential to meet the spirit (and letter?) of the GDPR

Why Privacy Engineering? An Analogy
Civil engineering is a professional engineering discipline that deals with the design, construction, and maintenance of the physical and naturally built environment, including works like roads, bridges, canals, dams, and buildings.
Civil engineering is traditionally broken into a number of sub-disciplines:
Materials science and engineering
Coastal engineering
Construction engineering
Earthquake engineering
Environmental engineering
Geotechnical engineering
Water resources engineering
Structural engineering
Surveying
Transportation engineering
Forensic engineering
Municipal or urban engineering
Control engineering
Source: Wikipedia

Building One World Trade Center

Building Privacy into Complex Applications

Given that Analogy - What is Privacy Engineering?
NIST NISTIR 8062
A specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII.
An Introduction to Privacy Engineering and Risk Management in Federal Systems
http://nvlpubs.nist.gov/nistpubs/ir/2017/nist.ir.8062.pdf
PRIPARE
Privacy Engineering: A systematic, risk-driven process that operationalizes the Privacy-by-Design philosophical framework within IT systems. Privacy concerns are subsequently integrated into systems as part of the systems engineering process.
http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE_Deliverable_D1.3_v1.0.pdf

Given that Analogy - What is Privacy Engineering?
MITRE
Privacy Engineering is a systemic, risk-driven process that operationalizes the privacy by design (PbD) framework within IT systems. The privacy engineer or a designated individual is the individual that performs privacy engineering.
https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/engineering-informationintensive-enterprises/privacy-systems-engineering
ISO 27550 Privacy Engineering Working definitions
"Privacy engineering deals with the integration of privacy concerns in the engineering of information and communication technology (ICT) systems. In the engineering of information and communication technology (ICT) systems, privacy engineering deals with the addressing of privacy problems created by information system operations that process personally identifiable information (PII)"

Where are we today? Tools and Standards are Slowly Emerging
Privacy Engineering Models/Methodologies Privacy Engineering Publication Risk Management Privacy Engineering Methodologies Privacy Engineering Automated Tools Official Standards Privacy Controls Design Strategies, Patterns Libraries Privacy Engineering Education Privacy Engineering Conferences and Workshops
Source: Privacy Engineering Its Time to Take the Next Steps towards Standards and Automated Tools, Gail Magnuson, LLC
https://www.oasis-open.org/committees/download.php/60650/Privacy%20Engineering%20Research%20Paper%20May%204th%202017%20Final%20.pdf

This OASIS Workshop will explore these issues
GDPR Compliance
Privacy Engineering
Standards and tools to support the technical delivery of data protection/privacy in today's applications and systems

Thank You
john.sabo711@yahoo.com
www.oasis-open.org