Data Privacy
eBook - ePub

Data Privacy

A runbook for engineers

  1. 384 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
About this book

Engineer privacy into your systems with these hands-on techniques for data governance, legal compliance, and surviving security audits. In Data Privacy you will learn how to:
  • Classify data based on privacy risk
  • Build technical tools to catalog and discover data in your systems
  • Share data with technical privacy controls to measure reidentification risk
  • Implement technical privacy architectures to delete data
  • Set up technical capabilities for data export to meet legal requirements like Data Subject Access Requests (DSAR)
  • Establish a technical privacy review process to help accelerate the legal Privacy Impact Assessment (PIA)
  • Design a Consent Management Platform (CMP) to capture user consent
  • Implement security tooling to help optimize privacy
  • Build a holistic program that will get support and funding from the C-Level and board

Data Privacy teaches you to design, develop, and measure the effectiveness of privacy programs. You'll learn from author Nishant Bhajaria, an industry-renowned expert who has overseen privacy at Google, Netflix, and Uber. The terminology and legal requirements of privacy are all explained in clear, jargon-free language. The book's constant awareness of business requirements will help you balance trade-offs and ensure your users' privacy can be improved without spiraling time and resource costs.

About the technology

Data privacy is essential for any business. Data breaches, vague policies, and poor communication all erode a user's trust in your applications. You may also face substantial legal consequences for failing to protect user data. Fortunately, there are clear practices and guidelines to keep your data secure and your users happy.

About the book

Data Privacy: A runbook for engineers teaches you how to navigate the trade-offs between strict data security and real world business needs. In this practical book, you'll learn how to design and implement privacy programs that are easy to scale and automate. There's no bureaucratic process—just workable solutions and smart repurposing of existing security tools to help set and achieve your privacy goals.

What's inside
  • Classify data based on privacy risk
  • Set up capabilities for data export that meet legal requirements
  • Establish a review process to accelerate privacy impact assessment
  • Design a consent management platform to capture user consent

About the reader

For engineers and business leaders looking to deliver better privacy.

About the author

Nishant Bhajaria leads the Technical Privacy and Strategy teams for Uber. His previous roles include head of privacy engineering at Netflix, and data security and privacy at Google.

Table of Contents
PART 1 PRIVACY, DATA, AND YOUR BUSINESS
1 Privacy engineering: Why it's needed, how to scale it
2 Understanding data and privacy
PART 2 A PROACTIVE PRIVACY PROGRAM: DATA GOVERNANCE
3 Data classification
4 Data inventory
5 Data sharing
PART 3 BUILDING TOOLS AND PROCESSES
6 The technical privacy review
7 Data deletion
8 Exporting user data: Data Subject Access Requests
PART 4 SECURITY, SCALING, AND STAFFING
9 Building a consent management platform
10 Closing security vulnerabilities
11 Scaling, hiring, and considering regulations

Part 1. Privacy, data, and your business

The target audience for this book is engineers, and this book will also be helpful to leaders in management, media and government as well. However, it is critical that all readers are able to place privacy and data protection in context. They need to understand how software engineering has changed in practice, and the corresponding change in business risk. This will help them avoid mistakes that prove to be hard to undo.
Chapter 1 will serve as an advisor on data flow so that technical leaders can understand how their architecture and data work in conjunction. We will also look at the regulatory risks and dive deep into emerging privacy tech players. This context will help the reader approach their privacy challenges with a clear-eyed and informed lens.
Chapter 2 will explore how various business stakeholders have varying interests in data processing. We will also examine high-profile privacy incidents, thereby giving the reader a sense of the vulnerabilities they need to watch for. Finally, there is context on how to monitor investments and build a program that can scale in line with the business.

1 Privacy engineering: Why it’s needed, how to scale it

This chapter covers
  • What privacy means
  • How privacy is impacted by the flow of data through your tech stack and storage
  • Why privacy matters and how it affects your business
  • Clarity on privacy tooling, especially the “build vs. buy” debate
  • What this book does not do
  • How the role of engineers has changed in recent years
Over the last few years, privacy seems to have been front and center in the news. There is talk of new laws aimed at protecting customers from harm and reports of data breaches and fines being levied upon companies.
People at all levels of business are finding this unsettling, and understandably so. Many company founders are engineers or technologists; they are finding it hard to assess risks related to products that depend on data collection. There are other mid-level engineers in companies who write code and build other automation. They make many smaller decisions, and their technical outcomes, when multiplied by scale, can create shareholder and investor risk. Such tech leaders are right to wonder, “What decisions am I making that may have a privacy impact down the line, just as my strategy is about to bear fruit?”
Anyone in a position that will directly or indirectly impact user privacy will benefit from being conversant around privacy as a concept and as a threat vector. Such people need clear hands-on skills for implementing privacy controls. These skills will help them embed privacy engineering and tooling into a company’s technical offerings, as well as create privacy controls that break through the silos that typically define tech companies.
Too often, businesses fall into the trap of pitting innovation against privacy, where they build digital products on a foundation of user data, only to play catch up on privacy several cycles later. By this time, there has often been privacy and reputational harm. Privacy harm is an all-purpose term that captures the impact of data leakage, exfiltration, or improper access through which a user’s privacy is compromised. The loss of privacy protection implies that the user has been harmed; hence the use of this common term. These business leaders then have to find resources and bandwidth to staff a privacy program, prioritize its implementation, and alter the rhythm of business to adapt to privacy scrutiny.
This book will help you avoid this false choice and allow readers—ranging from technical department leaders to hands-on technologists—to think and speak of privacy from a place of knowledge and vision, with an understanding of the big picture as well as brass tacks. After the tools, techniques, and lessons of this book sink in, leaders will be able to adapt to a privacy-centric world. Beyond that, they will also find synergies in their operations to make their privacy posture a competitive differentiator.
In this chapter, we’ll begin with the fundamentals: what “privacy” actually means, the privacy implications of data flow within a company, and why privacy matters. The latter part of the chapter will take a brief look at privacy tooling, discuss what this book does not do, and consider how the role of engineers has evolved in recent years—an evolution bringing with it implications for privacy. Let’s start simple; what is privacy?

1.1 What is privacy?

In order to understand privacy, it helps to first refer to security. Most companies and leaders have some sort of security apparatus and at least a superficial understanding of the concept.
For readers of this book, many of whom may need to do double-duty as privacy and security specialists, this is an important insight. If you end up with a security issue, it probably includes something along one of these lines:
  • An employee or equivalent insider accesses sensitive business or customer data when they should not have.
  • A business partner obtains business or customer data at a time or in a volume that affects the privacy of the customers or the competitive advantage of the business.
  • Data that was collected for a benign, defensible purpose gets used for something more than that. For example, data collected for fraud detection by verifying that the user is real rather than a bot then gets used for marketing, because the access control systems were compromised.
Each of these examples started with a security compromise that led to the user’s privacy being compromised, besides any other damage done to the business and its competitive advantage. Any time you have a security issue, there is a strong possibility that there will be a privacy harm as well. This is critical for leaders to understand, lest they take a siloed approach and think of these concepts as disconnected and unrelated. In subsequent chapters, the privacy techniques you’ll learn will aim at improving both privacy and security, thereby helping companies protect their competitive intellectual property, as well as their user data.
IT security involves implementing a set of cybersecurity strategies aimed at preventing unauthorized access to organizational assets. These assets include computers, networks, and data. The integrity and confidentiality of sensitive information is maintained by validating the identity of users wishing to access the data and blocking those who do not have access rights. You can read more about this from security sources such as Cisco Systems. Cisco defines IT Security as “a set of cybersecurity strategies that prevents unauthorized access to organizational assets such as computers, networks, and data. It maintains the integrity and confidentiality of sensitive information, blocking the access of sophisticated hackers.”1
Note that the definition covers access to computers (or more broadly, anywhere data can live), networks (where data moves in transit from computer to computer), and the data itself. The goal here is to avoid the data being leaked, modified, or exfiltrated by external bad actors, popularly known as hackers. This definition also introduces the concept of sensitive information, which means different things when it comes to data that belongs to a human being versus data that belongs to a corporation.
As a leader in the privacy space, I have always built privacy programs by adapting and repurposing security tools. This means that I would place an external bad actor (such as a hacker) on the same mental plane as an insider who may knowingly or unknowingly use data inappropriately. As a result, the goal is protecting the data by managing the collection, access, storage, and use of this data. In that sense, rather than recreating tools and processes for privacy, you can start by adapting the structures aimed at data security, and adjusting them to provide privacy capabilities.
As an example, if you detect unauthorized access from an outsider, you might shut down that account temporarily to investigate whether the account holder is posing a risk or whether the account has been breached. You may also suspend other accounts associated with the same email address, IP address, etc. With an internal user, you may be able to suspend access for just that account and that database, in the event that you find this was not a malevolent act but an incorrect use of access rights. What you have done is deployed security tools with an explicit goal of enhancing privacy and tracking the privacy impact of data access. This creates a sense of continuity and allows for the efficient use of existing tools and relationships rather than creating unneeded tools and processes that could be disruptive.
Let’s consider the first of my favored definitions of privacy. According to The Privacy Engineer’s Manifesto, “Data privacy may be defined as the authorized, fair, and legitimate processing of personal information.”2 Privacy is closely related to security. Without security, there is no privacy, since any access that breaches security protections will be, by definition, unauthorized, unfair, and illegitimate. Where privacy goes a step beyond security is that security primarily guards against external bad actors, while privacy requires processes and systems to protect data from such misuse internally as well. In that sense, privacy starts once optimum security is in place. As a candidate whom I recently interviewed told me, security is a necessary but insufficient condition for privacy.
Implementing s...