
Privacy Engineering for your Privacy Program by Sarah H at BSides Toronto 2023

BSides Toronto · 28:03 · 102 views · Published 2023-11 · Watch on YouTube
About this talk
Presented Oct 21 2023. Privacy compliance is a hot, top-of-mind topic for legal, security, and governance teams alike, especially with the advent of things like GDPR and the Trans-Atlantic Data Privacy Framework. Here in Canada, we have PIPEDA. In the US, we have CCPA/CPRA, NYPA, etc. What do these acronyms mean? What do the regulations cover? And, more importantly, how can we navigate this new era of data regulations across legal, security, and governance without overwhelming ourselves with immense amounts of paperwork? We'll walk through the basic fundamentals of a Privacy Program that cover the typical broad set of data/privacy regulations, and look at how they may work well (or not well!) with other existing security compliance requirements and legislation. We'll cover the core software components required to support such a Privacy Program. Finally, we'll talk through how to build a successful Privacy Engineering team within your security organization that complements both your existing security engineering needs and your Privacy Legal functions. And if we have time, we can talk about lessons learnt along the way. :)
Transcript [en]

...engineering for your privacy program, and I'm apparently missing my presenter notes. Here we go. So, a little bit about me: I am a former privacy practitioner. I've been four years in the privacy engineering space. I don't do that anymore; these days I'm more DevSecOps and management work. However, if you want to follow me on the socials, the socials are right there, if you want to talk about it, etc. Here's my Twitter and Mastodon information. I realize this is not quite immediately after lunch, but sort of after lunch, and you're all getting settled in, and I can tell this is the perfect time to get really comfortable in those chairs and consider dozing off. So I will do my best to expedite that dozing off by talking about the wonderful, boring field of privacy compliance.

So let's talk about what privacy means. It's 2023; privacy can mean a bunch of different things, so I want to really be clear about what I mean by privacy over the course of this presentation. Privacy can mean any one of these things: you can talk about personal privacy, you can talk about privacy-enhancing technologies, you can talk about trust and safety. I'm not talking about any of those things. I'm talking about privacy regulations, AKA boring privacy, AKA privacy compliance. So here's a word cloud. Wait a minute, there is the word "law" in there. I should note that I am not a lawyer, nor do I have any affiliation or credentials whatsoever with the legal profession, so please do not take this presentation as legal advice. Thank you. Let's move on.

So why do we care about regulatory privacy? Let's go back in time and look. When I was doing the first draft of these slides I tried covering the history of computers and data, and that alone took 25 minutes, which I do not have here today, so I'm going to go through this history and timeline very fast. There will be a quiz at the end. Are you all ready? So: first computers, we made rocks think. Networking; on the internet no one knows you're a dog; Moore's law; here are some average sizes of hard disks over time; search; here's one cloud, here are more clouds; let's zoom in and enhance; here's the socials; big data; deep learning; generative AI. That was a lot. All right, real talk.

So we have to ask ourselves, in this day, with so much data all over the place, so much data storage; you've all got personal data devices in your pockets, possibly looking at them right now and not paying attention to me. So we really have to ask ourselves: are we good with handling all of this data in 2023? Let's take a look. Not one but two data breaches with Marriott. And this is, I think, the crème de la crème: trying to be like, hey, here's some location data to give to our researchers; actually, it turns out you can find all the secret US Army bases through that. So are we good with the data? No. All right, so clearly some regulations and laws need to come into place to get this under control, so let's talk about them. Again, reminder: I'm not a lawyer, this is not legal advice.

So in 1995 the EU enacted Directive 95/46, otherwise known as the Data Protection Directive, to regulate the processing and movement of personal data within the EU. As part of that they came up with basically seven different principles: notice, purpose, consent, security, disclosure, access, accountability. So notice is, okay, you have to give notice that your data is being collected. Purpose is you've got to make sure that the data is collected for a particular purpose and not any other purpose; so if you're going to collect data for marketing, you can only use it for marketing, you cannot use it for, I don't know, seeing if it's the same person over multiple things. The data should not be disclosed or sent to other places without the data subject's consent. The data obviously should be secured; you want to have security for your data. You want to make sure, as part of disclosure, that the data subjects are informed as to who is collecting that data. And then access: data subjects should be able to request their data, and request whatever information the company has on them at any given point, and be able to make corrections should the company have accidentally made mistakes on that data. And then accountability: we want to be able to find you if you get all of the previous six things wrong. So it was basically holding those data collectors accountable for those principles.

So that was 1995. In the year 2000 Canada was like, hey, we want to work more with the EU, we're getting into this data-driven world, let's introduce PIPEDA, which stands for the Personal Information Protection and Electronic Documents Act. Now that's a mouthful; I like PIPEDA much better than whatever that long thing was. So it came into effect in 2000, primarily, as I mentioned, to show the EU that we have our [...] together. Of course, not to be outdone by the EU, Canada added three more principles for a total of ten. So Canada now has PIPEDA, and it's still present today with these ten different principles. Again, very similar; I don't think I need to go through this in any more detail.

Well, since the year 2000 we mostly ignored the US with regards to data regulations. So Canada had its own thing, the EU had its own thing, the US was like, whatever. Until 2013 happened, and then we learned, as part of the Snowden leaks, that in fact "SSL added and removed here" in between data centers. Now the problem with that is that a lot of EU people were using a lot of US companies' products: they were using Google, they were using Facebook, they were using Twitter, etc. And because those companies were based in the US, you know, okay, the data is obviously resident there, and they figured the US has smart people, right? The US knows how to secure things, they have lots of money, clearly they are doing the right thing. Well, clearly they were not. So that was in 2013, where we discovered that the transit links between Google data centers, whether within the US or across the world, were not actually encrypted at all, and, you know, different nation-state actors could actually go and take a look at it. We also had in 2014 Facebook and the Cambridge Analytica scandal, where we discovered that we'd have data collected for one thing and it would start being used for another thing.

So these kinds of events since the year 2000 basically created a whole kind of existential crisis for the world around data and protection of it, like, should we really do something about that? So in 2018 the EU introduced GDPR. GDPR stands for the General Data Protection Regulation. You might wonder how this is any different from the thing they had before. So the main thing they provided with GDPR was more [...] to those original seven principles: lawful, fair, transparent; so you'll see there's a lot of similarities. You want lawful, fair, transparent use, you want limited purpose, you want to minimize collection; so not just getting consent from the user of, okay, I'm going to collect your data, but you want to minimize the collection to begin with. You want to ensure high accuracy, you want to define retention for your data. Of course the security bit is important: please put safeguards on your data. And of course the accountability still matters here, like, we want to find you if you get things wrong, and in this case they put much bigger teeth on GDPR with regards to the accountability. I think one of the stats was basically 4% of your, I can't remember if it's net profit or net revenue, it has been some time since I've been in this field, but it was significant enough that as soon as this law dropped, a wonderful guy named Max Schrems started suing a bunch of different US companies for getting this wrong.

Since then privacy regulations have in fact exploded all over the world. There are at least 120 countries today that have enacted some sort of privacy law, either it's in effect or they're starting to or they're thinking about it. So the landscape at this point has completely changed, and this includes the United States, where in California we have CCPA, now CPRA, which it turns out is very closely modeled after GDPR. So even the US is following suit. So this is a world that is not going away.

We come to the actual point of the presentation, which is: in this world of data, in this world of privacy regulations, how do we set ourselves up for success with regards to privacy compliance? Well, you want to build a privacy program. So what do we need to do for a privacy program? We need to define some [...]. So if we think about it, a lot of you are security practitioners; you may have heard of security programs: you have a vulnerability management program, you have a PCI or SOX compliance program, etc. For any program to actually work and be successful you need to find success criteria. That is the same for privacy programs as well.

So let's take our GDPR principles from before and let's translate them to some success criteria, and based on these success criteria we can then transform them into actual processes. So for our success criteria we want to say: I am able to quantify data risk; I am processing data subject requests on a timely basis and on a data-comprehensive basis; and I am able to show that I have effective data protections, data consent tracking and data notification mechanisms. So let's transform them to processes. What does this look like? These are the common processes that are in place for mature privacy programs today at various companies. So DPIA is a data privacy impact assessment, DSR is a data subject request. So in a data privacy impact assessment, basically this is a data inventory; I think you've seen this before in some of your security programs, we've just gotten a little bit more intense with them. With data subject requests, these are these kinds of features: so if you log into Twitter, or I guess it's now called X, and you go into one of the settings, the top one is the export or access request and the bottom one is the deletion or right-to-be-forgotten request. And then you want your data policy. Let me go back. For a data policy, that's very like a data classification policy: you want to know what are the different levels of data that you have, what sort of security or privacy protections you want to be in place for that kind of data. So say aggregate data is okay, maybe PII is not, and then credit card data is definitely like you need really secure protections for that. So that's where your data policy comes in useful. You want to really clearly define a data consent lifecycle: what is the consent lifecycle, or what does consent mean? You may be familiar with this, specifically this cookie banner; this is one of the data consent mechanisms that is quite common today. Does it work well? We're not quite sure, but it seems to be annoying a lot of people, so we're maybe doing something right. And then privacy policy; this is something you've seen before, this is on every single page, it's right next to the terms of service. It tells, just broadly across all the customers, this is how the company might be using your data and how it could be handling it or transferring it to different people. That's a very simplified view; there's obviously lots of nuance and more detail there, which I'm happy to talk about after the talk, but let's move on.

So this is the big picture of how those different success criteria map to the processes. Let's talk about the people. So in an effective program you need four groups of people involved. You need your lawyers, because they need to know the law, because I'm not a lawyer. You need your program managers to kind of oversee the whole cycle. You need your product managers, who understand what the product is that you're building. And of course you have the devs, because they're the code monkeys and they write the code and they ship it. Let's see how this plays into a common software development lifecycle. So I have an extremely simple software development lifecycle: so I build, sorry, plan, build, test, launch, and then we iterate; for those of you who like the agile methodologies, we go back and we do it again. Let's add the privacy processes to the mix. So we've got all those little components I had before; here they are, and here's where they live now. So let's talk about this a little bit more. Data policy and privacy policy: your lawyer helps define these. Data policy is used internally, privacy policy is what's shown externally. Your product manager helps identify, as part of your privacy program, what data may be added, changed, removed as part of this process, and fills out the DPIA. And then as you go into the development cycle, your program manager ensures that we're integrating the product into the various DSR and consent lifecycles, so that you're able to actually fulfill the rights needed for your customers. This is quite often a ticketing system. And then after that we have testing and launch.

So let's go back to the other processes. So we've solved our compliance problem, right? We've added the DPIA, we've added a ticketing system. What can go wrong? So let's take a look at this DPIA again. Hooray, we have solved the problem. So when you've got tens or hundreds of teams, or hundreds or thousands of services, you're now creating an exponential amount of paperwork for your different teams. Some of you who have been in security programs before, especially compliance programs, know that you are probably the least liked person at your company, because you're showing up and you're like, hey, I need you to check off these things for this SOC 2 Type II assessment or this PCI assessment, and they're like, why are you interfering with our product timelines this week? So now we've just made this a lot worse, having all the product teams screaming in frustration at this unnecessary slowdown. And so what's going to happen is you're going to have people cutting corners, because, you know, they're being told to ship fast, so they're not going to fill these out right, they're not going to do due diligence on the things that are coming through the help desk. So what can we do here?

So let's go in and dig into this DPIA problem and try and see if we can solve it better. So instead of having humans do this, what if we had computers auto-generate this? Is this possible? Well, it turns out it is. For example, Google offers a DLP product that can do this for your BigQuery data: it can take a look at the data, auto-tag it, auto-classify it, if you enable that. So it's not perfect, so you do have to do a little bit of double-checking to make sure all the data is correct, but if you do move to that, now you're freeing a lot of people from having to fill out those DPIAs all the time, and now you can move into an exciting new world with that automation, where you can explore new kinds of controls for your data. So I think we're all aware that you can have controls that are on a table basis or a database basis, but instead what if we thought about column-based access control, which is what is shown here? That's a feature that Google offers today where you can restrict access, instead of just to the table, to specific columns of data, which might be really useful for your data analyst dealing with a really big BigQuery table, and they only need to see like three fields, right? So now you've got your lawyer happy, your product manager happy, and your program manager is happy, because the data is probably a lot better than what it was with people cutting corners, and you can put better access controls in. This is a neat new world we're in.

So let's move on and look at this ticketing problem with DSRs. So I think we all know help desks are terrible. Let's take a look at what an actual flow might look like for the DSR process. So the customer writes in: hello, I would like my data please. So it goes into the portal, which goes and ties into your ticketing system. The ticketing system sends you an email being like, thank you for filing ticket 1234, we will get to it right immediately. That ticket 1234 is then assigned to some dev who's like, I guess I will do this as part of my on-call. They kick off an export job on their service; the job then completes and sends the data to the dev. While the dev gets access to this data, who knows. The dev then takes that data and puts it on the ticket, which then gets sent back to the customer. There's a lot of inefficiency here. What's this whole thing doing here? We've added a couple of humans in the loop, so if things go wrong, this is what happens when things go wrong, because you added too many people in the process, in the loop.

So what can we do to remove humans from the loop? We add automation. We connect the requests coming in from the outside street to the services. Why do we have a help desk? Why do we have devs? Why do we have all this ticket creation, monitoring and assignment? So let's get rid of it. It's much simpler; this is your process. And of course, to make this happen you need people to write code for it; you need devs to write code for it. So overall, and this is what I haven't talked about, consent; consent is a whole other thing I couldn't fit into this talk. But overall, this is roughly what the whole process might look like for your privacy program when you're adding a lot more automation into it. And in fact this is what I did as part of the privacy engineering team: we started off with forms and ticketing, basically, to just get our nascent privacy program off the ground, and then we engineered services and components over time to automate parts of that away as much as possible, so that, you know, faster loops, fewer humans, fewer options for mistakes, probably higher quality data. So we need a specialized group of people for it; we need an engineering team. So how do you hire? Well, it turns out it's no different from your typical security software dev. Now, this is a lot more infrastructure; you want to optimize for infrastructure, backend, integration development type skills. You also probably want some sort of privacy and security knowledge for sanity checks. So it's really no different from any other kind of security-based dev job or security infrastructure based job, although maybe integrating with a lot more people than usual. As such, the mission and vision statements for privacy engineering teams are going to be sort of similar in the same way: you're building infrastructure to help the devs' lives, to help them move faster, to help the product teams move faster while ensuring compliance, etc.

All right, quiz time. I told you there was going to be a quiz at the end. No, I'm kidding. So let's recap. So privacy compliance is a necessity in 2023. I talked a little bit about some of the major privacy regulations out there today: the Data Protection Directive, PIPEDA, GDPR, and very briefly about CCPA. I talked about what you need to do to put together a privacy program: the success criteria, the players and the processes. As part of this I talked about how the program plus the SDLC, really the answer is to automate, automate, automate; developers, developers, developers. And we come to the main point of my presentation, which is: you need a privacy engineering team, so that you can do effective privacy engineering for your privacy program. Thanks everyone for listening.

Again, socials are at the bottom. Happy now to take questions from the audience.

Yes. So the question was about incidents, considering I mentioned breaches and incidents at the start, and whether there were any efficiencies gained by introducing these processes. The main efficiency you introduce is you have a better understanding of, okay, what data was involved as part of the breach. You don't have to spend so much time trying to be like, okay, what was the service that was impacted; well, I guess you still have to figure out what services were impacted, but it's like: what data was in the service, who put it there, why was the data there, where did it come from, who is it impacting, is it a wide amount of people or a small amount of people, is it a critical product, is it not a critical product? So you answer those kinds of questions much faster with things like a DPIA. And ideally you have better notification mechanisms in place as a result as well, so that you can notify all the affected customers very quickly and very fast. GDPR, I think, requires a 72-hour breach notification, which is very fast, and if you're a very big company with a lot of paperwork, then that's quite a short time to try and get all that information together to give good, timely information to your customers.

Yes? [audience question, mostly inaudible]

Okay, so the question is: the examples I had on DPIA were more on existing systems as opposed to new systems. I think it's sort of really dependent on how your engineering culture is structured. So for net new, you probably, with your product manager, have a product requirements doc that has that initial, like, this is probably the types of data we can gather, and you might actually do a preliminary DPIA at the start and then do a more comprehensive DPIA right before launch, because in between, when you're designing and then to when you launch, the requirements, as the devs figure out what's possible and what's not possible and what data they can bring in and what data they cannot, those requirements are going to change. So you might move the DPIA to later in the process, but either way the DPIA is put where it is, within the planning stage, because you want to make sure you're continually double-checking, as the product and the services change over time, that you've got the correct information always on file.

Correct, correct.

Yes. [audience question, mostly inaudible]

So the question was: this is very indicative of a very mature privacy program, where you have resources in the right place, and very often the privacy program at many companies is one overworked legal person. I am sorry if you are that legal person at your company. The main thing is, I think we all know that security is often characterized as a pure cost center; privacy is equally the same, so it's sometimes very, very hard to advocate appropriately for those resources, and I totally understand that. The things you can try and pull out of your back pocket: you can try and show the threat of, like, this is going to impact us fine-wise, we're the same size as these other companies, we really need more people. You can try and quantify the amount of work and the amount of hours that legal person's doing, especially showing what they're paying attention to and also what they're not paying attention to as a result. Similarly, when I started on a privacy engineering team I was one of two engineers, because they did not believe that you needed more than two engineers for a very mature, large fintech company. And we showed over time, as we set up the ticketing things and we set up notifying people, that two people was simply not enough: we were overworked, we were chasing people, we needed to move to automation, we needed more people to move us to automation, we weren't able to start on any of the other privacy engineering projects we wanted to do, especially around cookie compliance and consent. And so that made it easier and easier to advocate over time, but you have to show, like, we're not getting all of these other requirements done because we don't have the staffing, and it's a lot of work, and here's how many hours we're doing, here's what we're focused on, here's what we're not focused on. If you end up trying to do everything at once you're going to do it poorly, and you're going to convince them that one overworked legal person is in fact all you need. So you need to be strategizing on what things you need to drop on the floor in order to say we need help from elsewhere. Yeah, one more question; we have a hand up. Oh, that's you in the gray shirt.

[audience question, inaudible]

Okay, so the question, comment, question mark, is about, you know, how are devs part of this, how do we bring devs in as part of the privacy culture; there was nothing in the testing bit. I do agree with that. I will note that if you think having good security culture is hard to push through your organization, let me tell you about privacy culture. And this is why, again, moving to automation; again, I simplified a bunch of things here. As part of the automation process we actually made it self-serve, so devs could integrate it themselves. They would understand; we wrote documentation so they figured out how to get into those integration points. We actually provided automated tests for them. So basically we treated ourselves as, you know, if you have security tooling as a service for your org, this is privacy tooling as a service for your company, and basically rely on the automation and automated tests and whatever to catch things and flag it, because not all the devs... you could push the culture, but it's going to be wildly inconsistent, and you want them to be able to raise the right flags at the right time depending on the situation. Great. Well, wonderful, thank you so much, Sarah. Thank you. And one of the best history-of-privacy-on-the-internet presentations I've ever seen, so thank you very much.
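The automated DSR flow the talk describes (requests routed straight to the services, with no help desk or on-call dev in the loop) and the data-inventory and data-policy idea behind auto-generated DPIAs, as an added Python example. This is not code from the talk or transcript and not any product the speaker mentions; the service registry, data classes, subject ids and in-memory stores are all constructed for illustration, and a real deployment would replace the handlers with calls to the actual services.

```python
"""Automated data subject request (DSR) fan-out.

Added example, not code from the talk or from any product it mentions. The
service registry stands in for the data inventory an automated DPIA would
produce; every service here is an in-memory stand-in with constructed data.
"""
import json
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class RequestType(Enum):
    ACCESS = "access"      # export / right of access
    DELETION = "deletion"  # deletion / right to be forgotten


@dataclass
class Service:
    name: str
    data_classes: frozenset                  # tags from the data inventory
    export: Callable[[str], Optional[dict]]  # per-subject data, or None
    delete: Callable[[str], bool]            # True if something was removed


# Data policy (constructed): only these classes hold per-subject records, so
# only services tagged with them need to answer a DSR at all.
SUBJECT_DATA_CLASSES = frozenset({"pii", "payment"})


def make_registry(flaky: bool = False):
    """Fresh registry of stand-in services plus their backing stores."""
    profiles = {"u42": {"email": "u42@example.invalid", "name": "Pat"}}
    orders = {"u42": [{"order": 1001, "total": 10.0}],
              "u7": [{"order": 1002, "total": 5.0}]}
    metrics = {"daily_active_users": 1234}  # aggregate only, nothing per subject

    def profile_export(subject):
        return profiles.get(subject)

    def profile_delete(subject):
        return profiles.pop(subject, None) is not None

    def orders_export(subject):
        rows = orders.get(subject)
        return {"orders": rows} if rows else None

    def orders_delete(subject):
        return orders.pop(subject, None) is not None

    def never_called(subject):
        raise AssertionError("aggregate-only service must not receive DSRs")

    def unavailable(subject):
        raise TimeoutError("recommendations service did not respond")

    registry = [
        Service("profile", frozenset({"pii"}), profile_export, profile_delete),
        Service("orders", frozenset({"pii", "payment"}), orders_export, orders_delete),
        Service("metrics", frozenset({"aggregate"}), never_called, never_called),
    ]
    if flaky:  # simulate one integration that is down
        registry.append(Service("recommendations", frozenset({"pii"}),
                                unavailable, unavailable))
    return registry, {"profiles": profiles, "orders": orders, "metrics": metrics}


def handle_dsr(registry, subject: str, kind: RequestType) -> dict:
    """Fan the request out to every service holding per-subject data.

    No human in the loop: each service either answers or is recorded as
    outstanding, and the request is complete only when nothing is outstanding,
    so a silent integration failure cannot close the request with partial data.
    """
    report = {"subject": subject, "type": kind.value, "services": {}, "outstanding": []}
    for svc in registry:
        entry = report["services"][svc.name] = {}
        if not (svc.data_classes & SUBJECT_DATA_CLASSES):
            entry["status"] = "not_applicable"  # aggregate-only per data policy
            continue
        try:
            if kind is RequestType.ACCESS:
                data = svc.export(subject)
                entry.update(status="ok", data=data if data is not None else {})
            else:
                entry.update(status="ok", deleted=svc.delete(subject))
        except Exception as exc:  # timeout, crash, broken integration
            entry.update(status="error", error=f"{type(exc).__name__}: {exc}")
            report["outstanding"].append(svc.name)
    report["complete"] = not report["outstanding"]
    return report


def export_package(report: dict) -> Optional[str]:
    """JSON bundle for the customer portal; None until every service answered."""
    if report["type"] != RequestType.ACCESS.value or not report["complete"]:
        return None
    bundle = {name: e["data"] for name, e in report["services"].items()
              if e["status"] == "ok"}
    return json.dumps(bundle, sort_keys=True)


if __name__ == "__main__":
    reg, _ = make_registry(flaky=True)
    print(json.dumps(handle_dsr(reg, "u42", RequestType.ACCESS), indent=2))
```

The registry is the piece that an automated DPIA feeds: the data-class tags decide which services are even asked, so an aggregate-only metrics store never receives a subject's identifier. A request is only marked complete when every applicable service has answered; a service that times out becomes an outstanding item for automated retry rather than a closed ticket with whatever data happened to come back.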