How Today’s IT Professionals Reconcile Innovation and Complex Privacy Requirements
A gap separates the worlds of privacy regulation and IT systems design. Security and privacy are awkward bedfellows. They are distinct, yet many confuse secrecy with privacy, and in turn, IT designers can limit their own privacy thinking if they misconceive privacy as being about hiding away. Many myths and mixed messages about privacy have permeated IT. Engineers and software developers have probably heard that “privacy is not a technology issue”, that technology has “outpaced” privacy law, or that privacy threatens innovation by preventing the free flow of information. These ideas tend to disenfranchise or even dispirit architects and developers.
In recent years, several important movements have sought to bridge this gap. “Privacy by Design” (or PbD), for example, is a manifesto that strives to build privacy into IT developments from an early stage. It’s a worthy effort, yet Constellation finds that PbD has yet to engage many IT practitioners, for its principles still need to be reduced to real-world engineering tools and habits. The broader idea of “Privacy Engineering” may come to supplant PbD if it is firmly framed in the ways that architects, software developers, and informaticians go about their work.
Privacy and IT, in fact, share a number of traits. If they understand the common ground, IT practitioners – from the CIO and CTO through to designers and programmers – can see more clearly the role they have in privacy and collaborate more effectively with their legal and regulatory colleagues in privacy. This report explores some privacy misconceptions held by many engineers. It then analyzes the similarities between security and privacy practices to help align mindsets which historically have been quite separate. The paper closes with a set of practical tools and design methodologies to help IT architects and designers play a stronger positive role in privacy.
This report seeks to clarify data privacy principles in the context of information technology practices, with the aim of helping IT practitioners better understand the role they can play in protecting privacy. The term “Privacy Engineering” is gaining ground in efforts to bring the fields of IT and privacy closer together. For privacy engineering to be meaningful, fresh tools are needed to reveal the interplay between privacy requirements and other system design objectives and to help resolve competing interests.