Outside of corporate legal teams
Outside of corporate legal teams, one is unlikely to encounter a team as passionate about privacy as engineering. From the whistleblowing by Edward Snowden to the aftermath of Cambridge Analytica, data privacy has always been a profoundly philosophical technology topic among engineers, and these conversations have only increased with the wave of attention on data privacy. Case in point: As an engineer and CEO of a data privacy company, I am frequently treated to vivid descriptions of the frustrations that technical teams encountered while attempting to get their company ready for EU General Data Protection Regulations. One person I chatted with even had “GDPR” T-shirts made for his entire engineering team, reflecting the pain they had collectively been through.
Whether in Fortune 100 companies
Whether in Fortune 100 companies or mid-market organizations, data privacy today is a technology problem as much as a legal one. The problems include the complexity of finding and tracking user data, as well as setting up data privacy-centric consumer features. Yet, the term “engineer” in privacy settings alludes to a one-size-fits-all approach that is not accurate. There are several technical disciplines involved in data privacy today, ranging from user experience designers to technical program managers to back-end developers and more. All these technical profiles touch a piece of what the data privacy of today and the future looks like. The people who make up the technical side of the house may not always have privacy directly in their title, the way a chief privacy officer or a privacy council does, but their impact on privacy projects is no less critical.
Understanding how each engineering role impacts data privacy doesn’t just lead to smoother internal conversations; it leads to more productive and expertise-led decisions that move everyone closer to stronger privacy-by-design outcomes for end users. Greater collaboration and ownership also hopefully lead to less frustration all around.
Let’s take a look at a sample privacy project
Let’s take a look at a sample privacy project like data subject access and erasure to assess the types of teams assembled. Unfortunately, for small or scrappy business-to-consumer startups, the reality is that engineers often don’t do much on data privacy today. Even in the hotbed of innovation in Silicon Valley, California, for example, a startup may not even be required to comply with data privacy laws if they’re sufficiently small. Additionally, even for those startups that may be required to comply, given the high-salary costs of engineers and their desire to work on what they perceive as “business critical,” startups often make a no-win strategic decision to keep engineers focused on the revenue-driver of the business at the risk of privacy noncompliance.
In mid-market companies, let’s say between 500 to 1,000 employees for a rough ballpark estimate, you might find six to seven engineers working over the course of a year to put together all the feature work required for data privacy compliance. The project will depend on whether they are a data controller or data processor, but it may include front-end engineers staffed to build consumer-facing tools to manage privacy settings or having back-end engineers set up the workflows needed to siphon user data appropriately.
At a large company, upward of 1,000 to 10,000 employees
At a large company, upward of 1,000 to 10,000 employees, data privacy can be staffed by up to 100 engineers working on indefinite timelines to wrangle an ever-ballooning amount of user data and a mix of homegrown (e.g., built in-house) and vendor-supplied (e.g., Salesforce) data systems. In these scenarios (which may also show up in healthy mid-market companies), front-end and back-end engineers are frequently partnered with technical program managers, a specialized role that helps keep complex technical projects on track. In addition, at large companies, privacy projects are often staffed with engineer managers and product managers to help shepherd, shape and manage the people and the products through various hurdles.
When cyber criminals target big data sets, the reward is often well worth the effort needed to penetrate security layers, which is why big data presents such a great opportunity not only for businesses but for cyber criminals. They have a lot more to gain when they go after such a large data set. Consequently, companies have a lot more to lose should they face a cyber attack without the proper security measures in place.
very top of the world’s largest company lists
And, of course, at the very top of the world’s largest company lists, such as Facebook or Google, it’s hard for any engineer to not be affected by or working on some aspect of data privacy. Engineering and product vice presidents oversee large-scale teams working on data privacy. These teams are responsible for shipping their own features and updates, and they are also on the hook for asserting influence over far-flung company products that may have an impact on data privacy, even if it’s not directly scoped as a privacy-related project. In addition, UX researchers will set out to gather and disseminate information about user feedback to privacy products, and data scientists will encounter both data privacy-related restrictions and requests for building out supporting metrics and models. Last but not least, artificial intelligence and machine learning teams will have to adjust their approaches to meet corporate-wide data privacy requirements.
The configurations of technical disciplines inside any one company can look vastly different depending on the amount of public pressure or regulatory scrutiny the company is receiving on data privacy, complexity of the data storage challenge, and size and scope of the engineering teams (unfortunately, even at larger companies, engineers can be in such dire demand that the trade-offs on staffing against data privacy are very real considerations for technical management).
Unpacking the various roles
With a top-line sense of the structures and groupings of engineering roles that make up different company configurations, let’s dive further into the variations of technical professions that may work together in pod-like structures to execute on a data privacy technical request. For each discipline, there’s a common touchpoint with data privacy and an understanding of how their role is changing over time.
CTO and CISO
When it comes to today’s conversation about data privacy, these titles are the obvious ones. Chief technology officers and chief information security officers are often the first technology entry-points for privacy officers and general councils. Even when data privacy is a strategic topic at a CEO’s cross-functional leadership meetings, it is buried deep below conversations on revenue projections, new product launches and other courses of business. Of course, flashpoints like EU General Data Protection Regulation readiness accelerated many executive-level conversations between CTOs, CISOs and their peers (chief marketing officers, chief financial officers and chief legal officers). Additionally, in business-to-business or data processor company environments, data privacy can often land on the CTO’s or CISO’s plate as an output of a customer's requests. For example, a B2B company CTO may suddenly hear from sales or marketing that an influx of prospective customers is asking about data compliance. With increasing frequency, in response, a head of technology will need to scope out and authorize the builds of the technical requirements needed to help ensure deals close.
Working on the behind-the-scenes infrastructure that makes up a company’s technology stack, back-end engineers work on the systems that build the groundwork for data privacy products and ensure they’re working as intended. For example, a back-end engineer might build the pipelines that pull data from one system into another and ensure that if a user opts out of a feature, that setting is saved and rolled through other parts of the business. Looking forward, back-end engineering will continue to help retrofit data privacy into company systems. This need is particularly resonant at hyper-growth companies that often have a mix of patchwork engineering systems that were built quickly to expand with the business. Back-end engineers often have one of the following titles: software engineer, infrastructure engineer or site reliability engineer.
Engineers in this role work on the public-facing pieces of data privacy technology. You’ll find them most commonly at B2C companies that are rolling out new features for consumers to navigate their data choices. Opting out of location data collection or turning off audio and visual recording authorization are just two examples of front-facing features a consumer may encounter. As calls for data privacy become more user-centric, front-end engineers will do more work to ensure that products are intuitive and friendly to their users. Similar to back-end engineers, front-end engineers can have different titles, including software engineer, web or mobile developer, or privacy engineer.
The management glue of most technology products, product managers keep the trains running and are responsible for blending the business needs with the technical details. Product managers often work to sketch out the size and impact of a privacy project to guide the back-end engineering scope and help decide on the ideal functionality of the experience before it is built by front-end engineers. Increasingly, product managers that work on data privacy are also seeing their scope increase to include advising. Specifically, product managers may be responsible for giving other teams data privacy guardrails around products. In this case, a product manager may be asked to ship a set of data privacy projects and also review dozens of company-wide features to provide notes in the product requirements document on the technical guardrails on data privacy and data collection.
Technical program managers
In larger companies, technical program managers run the programs of interfacing with vendors and asking what data subject request processes look like. They receive guidance from their product and engineering managers and handle systems integration and things like data anonymization for integration partners. Additionally, TPMs may also be staffed against running internal assessments across engineering teams, asking what individual teams are doing with user data and reporting back findings to management. TPMs are invaluable at working as the additional glue of a large-scale engineering project, such as ensuring that a roll-out of a location-based feature is aligned to all the technical vendors that feed into the system.
All other engineers
Even engineers who are staffed to work on what is considered “core” engineering (e.g., product development of revenue-driving areas of the business) will keep bumping into privacy in their day-to-day. While these engineers aren’t held to objectives and key results on privacy features or compliance, they may find that data privacy is a factor in the feature they are aiming to ship, such as a new payment collection system in an app that triggers more personally identifiable information collection and therefore needs a data privacy review. Worldwide, there are millions of engineers that fall into this category. More and more, these engineers are learning new policies for the limits of what they can do with user data, and they are operating in a more restricted environment.
Looking further out in the technical organization, you’ll find data scientists who are responsible for reviewing product success and ingesting product-based data into the business in a way that is clear and actionable. Data privacy impacts data scientists in two common ways. First, there are increasing restrictions on the type of data that data scientists have access to for their analysis based on data privacy laws and company compliance. Second, it is not uncommon for data scientists to be tasked with the database query writing for data subject access requests in business intelligence tools.
AI and ML teams
Composed mainly of specialized engineers, this section of the technology organizational chart is also increasingly becoming impacted by data privacy. Artificial intelligence and machine learning specialists have to think more and more about how to build increasingly private models that may have sparser data inputs. Their roles are also changing in the sense that they have to think more about how they collect and act on data that is increasingly anonymized.
Technical researchers by trade, UX is at the forefront of identifying consumer trends and ensuring that product teams have the information they need to build products that meet user specifications. Everything from notification interfaces, new settings panels and data consent are all big topics in the world of UX. Increasingly, it’s not enough for a company to check the product box on offering a data privacy feature. Instead, UX researchers are responsible for letting the business know if the end consumer finds the product experience to be easy to find, intuitive to navigate and holistic enough to meet their needs.
Different engineering roles in data privacy coming together From the seemingly straightforward scope of “data privacy engineering” emerges a large and interconnected set of distinct technological roles that all converge on the topic of data privacy. Ranging from back-end engineers to UX researchers, data privacy projects often require three to four (and sometimes upward of nine) different types of technical roles to hit completion.
At companies large and small, dozens of disciplines are involved in building the future of data privacy projects from data access and erasure to compliance and more. While teams may often wear multiple hats and be responsible for far more than data privacy, you’ll be hard-pressed to find a more passionate group of professionals on the topic of data privacy. Just please don’t ask them to retrofit the company’s entire technology infrastructure overnight to meet the GDPR.