Cache-22: Doing Privacy Engineering with Privacy Standards

Data privacy stands as a pressing and critical concern for numerous organizations. The burgeoning field of privacy engineering has emerged to address this demand. Although there exists no universally agreed-upon definition of the roles or educational requirements for privacy engineers (PE), many organizations enlist professionals to fulfill this pivotal function. In our quest to understand the daily practices and challenges faced by PE, we conducted interviews with 14 individuals currently in this role.

Initial findings underscore the immense diversity encompassed by the responsibilities, tasks, and competencies inherent in privacy engineering. Our research spotlights two key thematic areas: first, the varied ways in which PE employ privacy and security standards and controls; and second, the intricate and multifaceted relationships PE cultivate within their organizations. Notably, our investigations reveal that a considerable number of PE primarily concentrate on ensuring compliance with legal frameworks, such as GDPR and COPPA, rather than actively developing or implementing ambitious privacy policies. Furthermore, results indicate that privacy engineering, while still lacking a precise occupational definition, is undeniably a growing career path deserving of increased standardization. We believe that our findings provide insights into the myriad ways privacy engineering can be expanded and refined.