Privacy is the Global Battlefield - Do we have the Tools and ... · The GDPR as Catalyst • The...

Privacy is the Global Battlefield - Do we have the Tools and Standards to Fight – and What is “Privacy Engineering?”

John Sabo, Chair OASIS IDTrust Member Section and Chair, PMRM Technical Committee [email protected]



Technical Compliance with The GDPR

•  Is your organization ready to comply with the GDPR’s requirements and put in place comprehensive controls over how it uses and manages personal data?

•  Does your organization understand how to implement functionality that will not only demonstrate that you are compliant, but actually deliver the privacy you have promised?

•  Does your technical team – including third party data partners – have the tools to understand their implementation requirements?

•  Can you efficiently and confidently manage changing data protection requirements as your business environment changes?

•  How do you apply abstract privacy engineering and data protection concepts to the pressing mandates on your organizations to achieve compliance?

OASIS IDTrust GDPR-Privacy Engineering Workshop-John Sabo 2


Privacy the Global Battlefield

•  The GDPR’s mandates are global - will cover 510 million people (including Britain) and have International impact

•  To effectively meet its mandates, we must
   o  make use of tools that leverage existing technical and policy standards
   o  foster the development and adoption of new standards that are needed
   o  take the next steps towards building a Privacy Engineering capability

•  Privacy Engineering as a discipline can analyze, document, visualize and provide technical solutions to data protection requirements
   o  Addressing the delivery of data protection/privacy principles, regulations, and business policies
   o  Set in the context of a rigorous privacy management analysis specific to a use case/implementation
   o  Translated into Privacy Controls and Specific Requirements
   o  Defined in required privacy services and functionality
   o  Implemented in technical and procedural mechanisms and
   o  Reported using tools that allow a privacy engineer to demonstrate compliance


The GDPR as Catalyst

•  The GDPR can be a strong catalyst for assessing and improving how to actually deliver assured data protection/privacy in today’s complex, cloud-based systems.

•  Can this be done reliably, cost effectively, and with demonstrable compliance without standards and a privacy engineering discipline?

•  This is no easy task. But it is essential to meet the spirit (and letter?) of the GDPR


Why Privacy Engineering? – An Analogy

•  Civil engineering is a professional engineering discipline that deals with the design, construction, and maintenance of the physical and naturally built environment, including works like roads, bridges, canals, dams, and buildings.

•  Civil engineering is traditionally broken into a number of sub-disciplines:
   o  Materials science and engineering
   o  Coastal engineering
   o  Construction engineering
   o  Earthquake engineering
   o  Environmental engineering
   o  Geotechnical engineering
   o  Water resources engineering
   o  Structural engineering
   o  Surveying
   o  Transportation engineering
   o  Forensic engineering
   o  Municipal or urban engineering
   o  Control engineering

Source: Wikipedia


Building One World Trade Center


Building Privacy into Complex Applications


Given that Analogy - What is Privacy Engineering?

NIST NISTIR 8062

•  “A specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII.” “An Introduction to Privacy Engineering and Risk Management in Federal Systems” http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

PRIPARE

•  “Privacy Engineering: A systematic, risk-driven process that operationalizes the Privacy-by-Design philosophical framework within IT systems. Privacy concerns are subsequently integrated into systems as part of the systems engineering process.” http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE_Deliverable_D1.3_v1.0.pdf


Given that Analogy - What is Privacy Engineering?

MITRE

•  “Privacy Engineering is a systemic, risk-driven process that operationalizes the privacy by design (PbD) framework within IT systems.” “The privacy engineer or a designated individual is the individual that performs privacy engineering.” https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/engineering-informationintensive-enterprises/privacy-systems-engineering

ISO 27550 Privacy Engineering Working definitions

•  “Privacy engineering deals with the integration of privacy concerns in the engineering of information and communication technology (ICT) systems.”

•  “In the engineering of information and communication technology (ICT) systems, privacy engineering deals with the addressing of privacy problems created by information system operations that process personally identifiable information (PII)”


Where are we today? Tools and Standards are Slowly Emerging

•  Privacy Engineering Models/Methodologies
•  Privacy Engineering Publication
•  Risk Management Privacy Engineering Methodologies
•  Privacy Engineering Automated Tools
•  Official Standards
•  Privacy Controls Design Strategies, Patterns Libraries
•  Privacy Engineering Education
•  Privacy Engineering Conferences and Workshops

Source: “Privacy Engineering…Its Time to Take the Next Steps towards Standards and Automated Tools,” Gail Magnuson, LLC https://www.oasis-open.org/committees/download.php/60650/Privacy%20Engineering%20Research%20Paper%20May%204th%202017%20Final%20.pdf


This OASIS Workshop will explore these issues –

GDPR Compliance

Privacy Engineering Standards

and…tools to support the technical delivery of data protection/privacy in today’s applications and systems


Thank You

[email protected]

www.oasis-open.org
