The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.
All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.
Disclaimer
The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.
For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.
In different parts of the world, privacy laws have been in development over the last 50 years or so. But Privacy Engineering is a relatively new concept that is experiencing a rapid rise in relevance due to lots of changes all around, including but not limited to:
In business models, data availability, modes of engagement
In customer expectations and awareness
Data privacy / protection regulatory landscape
Increased regulations as a result of technological developments – IoT, AI, 5G, drones, biometric recognition, cryptocurrencies and more.
In the light of digital transformation and adoption of latest technologies like the cloud, there is a separation in the rights of ownership, management and usage of resources and this increases the risk to privacy. Hence, this climate of change begs a climate of innovation.
There was a time when security was an afterthought - a secondary feature at the periphery of the design process. But today, the aim of Privacy Engineering is to bring security at the centre of the design process. Let’s delve into the concept.
What is Privacy Engineering?
Privacy engineering is a methodological framework of integrating privacy in the life cycle of IT system design and development. It operationalizes the Privacy by Design (PbD) framework by bringing together methods, tools and metrics, so that we can have privacy protecting systems. With the pandemic, digital innovation has become the need of the hour and thus, has brought PbD even more in the limelight. The goal of privacy engineering is to make Privacy by Design the de-facto standard for IT systems.
Different bodies have different definitions of privacy engineering, but the gist is the same - To address complete lifecycle of individual privacy and not just during data storage and analysis. Privacy engineering incorporates a more holistic approach covering legalities, risk analysis and user sentiment.
US-based National Institute of Standards and Technology (NIST) defines privacy engineering as “a specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII.” The below image sheds more light on the objectives of Privacy Engineering:
Privacy engineering, by making privacy an integral part of the designing and development process (SDLC), tries to reduce risks and to protect privacy at scale.
As per Gartner’s definition, “Privacy engineering is an approach to business process and technology architecture that combines various methodologies in design, deployment and governance. Properly implemented, it yields an end result with both:
Easily accessible functionality to fulfill the Organisation for Economic Co-operation and Development (OECD) eight privacy principles and,
Mitigation against the impact of a breach of personal data by reimagining defense in depth from a privacy-centric vantage.
The process involves ongoing re-calculation and re-balancing of the risk to the individual data owner while preserving optimum utility for personal data- processing use cases.”
Thus, privacy engineering is the foundation of holistic privacy. It will help to build a structured framework and bring privacy as a mainstream concept for Organizations to focus on.
Privacy Engineering - bridging the gap between IT, Risk and Compliance, Privacy, Security and Business
Privacy protection continues to be a very critical issue for individuals, businesses and governments all across the globe. People in the form of consumers, want personalized content and service deliveries, but at the same time they want privacy protections to be maintained at all costs and they expect organizations and businesses to take action to protect consumers and from governments to protect citizens’ data.
Few common things that I believe are true regarding this scenario are:
Consumers want transparency about how businesses are storing, processing and utilizing their data.
They are very concerned about how their personal information is used by advanced technologies like AI and any kind of abuse erodes their trust – completely.
Many consumers don’t trust that private businesses will follow/have regulations and compliances in place to keep their data secure. So, they look up to their government to protect their data with laws, policies and other enforcement mechanisms.
Once the trust is lost, consumers take action to protect themselves and their data. They even switch companies or providers and move to the ones whom they trust can keep their data safe. Many terminate relationships with traditional and online businesses over data privacy.
With the advent of different privacy laws like EU’s GDPR and more, framework has been formulated for Data Subject Access Requests (DSAR). Many privacy laws enable consumers to raise requests concerning their data and provide control in the hands of the consumers that they can take action if they are dissatisfied with how their data is stored, processed or utilized.
Privacy engineering that bonds innovation with PbD, ensures that every IT system must provide the highest possible privacy to personal data. This increases the consumers’ trust that their data is safe because the privacy has been ingrained in the system.
Pros and cons of Privacy Engineering
PROS OF PRIVACY ENGINEERING
CONS OF PRIVACY ENGINEERING
Reduces dependence on external security enforcements
Requires laws and policies – most are still under development phase
Privacy is the default setting as it’s embedded in design. It provides proactive protection, not remedial one.
Violations possible because of some mistakes during design or development phase, bad actors, government mandates, availability of new technologies etc.
It provides end to end security with complete protection of system lifecycle.
Some may find it expensive to implement as this requires skilled engineers.
It respects user privacy – ensures that the technology and systems remain user centric.
Some may find it restrictive to innovation.
It helps businesses to increase customer trust and avoid penalties and future liabilities.
Privacy Engineering- helping the Digital Transformation programs
Digital transformation has become mainstream now. Organizations are embarking on this journey and realizing that if they don’t do it now, they will become redundant. This has given rise to a trend of adopting digital technologies. But this has also given rise to an explosion of data.
Privacy engineers play a very important role in Digital Transformation. They ensure that privacy considerations are integrated into product design. Privacy engineering results in better products, increases customers’ trust and thus influences a company’s bottom line. Privacy by Design has gained importance more so with laws like IT Act, EU GDPR etc. Experts have predicted that privacy will be an integral part of the technology revolution and those integrating privacy in product lifecycle are doing the right thing and will succeed in the future.
Challenges associated with privacy implementation in organizations
The challenges to implementation of privacy include and are not limited to the following.
One can’t protect what one doesn’t know about. In most organizations, sensitive data is proliferated across different locations – on premises, in the cloud and with managed service providers. The challenge lies in locating the data, understanding where it originated from, and tracking it in a dynamic environment.
For traditional, legacy systems, it is a challenge to bake data privacy into core system design.
There is a tug of war between data privacy and data usability. It becomes difficult for organizations to find the right balance between usability and data privacy – protecting sensitive data without inhibiting business processes, is a matter of concern.
There are no standards or best practices on how to integrate privacy into SDLC.
Best practices in privacy implementation in organizations
Best practices in privacy implementation are as follows.
Do privacy impact assessment across the organization to understand the purpose of collecting personal data and processing activities undertaken.
Across digital channels, cookie notice should be there to provide information about what and how cookies are used.
Issue a privacy policy to the customers – this provides an easy to understand means to customers for principles of the organization.
Trust framework should be there within layers across people, processes and technology and I think that the
- People capabilities can be obtained with training, internal and customer privacy policies, data accuracy, entertaining customer request for Personally identifiable information (PII) and holistic view into customer relationships.
- Process capabilities can be obtained with design changes to have privacy thinking at the core, data classification, maintaining CIA triad – confidentiality, integrity and availability for personal data.
Moreover, customer consent plays a key role here. They can provide their data for better services, a per their needs, provided you can create trust in them that their data is safe as an asset within the organization.
I have seen that businesses manage security using a multitude of tools. These patchworks of tools make cybersecurity implementation a tiring and less-effective process. By integrating data protection and cybersecurity to protect systems, applications, and data, the risk from cyberattacks is reduced.
Businesses are more efficient when there is automation of backup and recovery process, cyberattack prevention capabilities including ransomware anti-malware, and virus scanning, patch management, vulnerability assessments, and more are taken care of from a single console.
Some recent developments in the Privacy engineering world
Privacy engineering, like privacy profession, is a constantly evolving discipline. Efforts to address privacy using technical means are still scattered and disconnected.
Privacy engineering guidelines have been created in 2019 by ISO: ISO/IEC TR 27550:2019 Information technology — Security techniques — Privacy engineering for system life cycle processes.
NIST published Version 1.0 of the Privacy Framework on January 16, 2020. As per NIST, The Privacy Framework is intended to be widely usable by organizations of all sizes, regardless of their role(s) in the data processing ecosystem. It also is designed to be agnostic to any particular technology, sector, law, or jurisdiction, and to encourage cross-organization collaboration between different parts of an organization’s workforce, including executives, legal, and cybersecurity.
In India, organisations like the OECD and NITI Aayog are supporting emerging values frameworks, including bias mitigation, fairness and platform accountability.
For making everyone aware, workshops and trainings are being conducted by industry bodies like IEEE.
I had recently participated in the 16th Edition of the Annual Information Security Summit (AISS) by NASSCOM-DSCI in which I spoke on the topic of Privacy Engineering along with other eminent speakers:
✅ Ivana Bartoletti, Global Chief Privacy Officer, Wipro
✅ Nitin Dhavate, FIP, CIPP(E), CIPM, CISSP, CISM, Country Head – Data Privacy, Novartis
✅ Ratna Pawan, Transformation Director – Risk Advisory, EY
✅ Tejasvi Addagada, Data Protection Officer – Axis Bank
That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.
ZNet Technologies Private Limited, incorporated in 2009, is a cloud services provider offering cloud infrastructure and managed services to partners and end customers across the globe with a primary focus on India. We empower 90k+ websites.
Asset management is the process of keeping track of physical assets and information. Depending upon the business, physical assets can be IT devices, different kinds of equipment, tools or vehicles, etc.Traditionally, industries like Oil and Gas,…
A special threat advisory as part of DSCI’s Threat Intelligence & Research initiative. This edition includes:Snake Malware – a new malware & variant continues to hit businessesElvisPresley Ransomware – a malicious program, part of the Jigsaw…
In recent times, COVID-19 cases are not the only negative thing growing around the globe. Phishing is another dangerous aspect gaining exponential growth around the world. And the most common targets of the phishers are the corporate sectors.…
With the growing hacking attempts, here goes some simple but useful tips to secure your WordPress blog /sites.Tip 1: Don’t use ADMIN as the user nameUse a completely random username with the administrative rights. If you are using admin as the…