A Four-step Guide to Engineering Privacy into Any System.

Author: Maniar, Nehal

Engineers solve problems. Indeed, the solutions to some of the world's greatest challenges--manned flight, the provision of clean water, the sustainability of human life on Earth--are, above all, engineering challenges. And engineers know this, which is why the National Academy of Engineering has produced a list of 14 challenges for them to solve in order to--well, if not to save the world, then at least to make life on Earth much better.

Notably, these challenges can be grouped into categories: sustainability, health, security and quality of life. While they will be solved using cutting-edge technologies such as AI, machine learning, the IoT and VR, they are fundamentally about human experience. They are about people.

And therein lies a further, overarching challenge that is common to all systems and all technologies that rely on personal data. For data is, at heart, an account, a stored record, of human experience. As such, we must treat it with respect. That's why we have GDPR, why data protection and privacy are enshrined in the EU Charter of Fundamental Rights, and why there was public outrage at Cambridge Analytica and similar scandals.

Unfortunately, this creates a problem for engineers. Modern technologies like AI are fed on a diet of consumer data. Without accurate and comprehensive data, they don't work properly. Without data, the 14 challenges set by the Academy cannot be solved. But these technologies, with their huge potential for system optimisation and leaps forward for mankind, have arisen just as the regulation of data processing has become more robust.

That has left many engineers clutching their heads in frustration as they try to meet the competing demands of system optimisation and data protection. It's not easy. But the good news is that it can be done, if a thoughtful four-step process is followed.

Step I: Make privacy a key system requirement

To ensure privacy, engineers must design in data privacy from the outset. That means including data privacy as a non-functional requirement (NFR) when the system is initially scoped.

This makes data privacy non-negotiable as the system evolves, and so use cases must be built for the associated functional elements/features, such as the individual's right to be forgotten and the recording/archiving of relevant data-processing permissions.

The beauty of this approach is that it requires the system to take account of regulatory requirements from the outset and avoids the pain of...
