PAPER
Jared Maslin and Michelle Maslin
October 2023
Today’s global data privacy landscape is comparable to that of the United States accounting scandal era of the early 2000s: a lack of accountability, transparency, oversight, and comprehensive regulation has led to complexity, confusion, exploitation, and distrust. Utilizing the successful groundwork laid by the Sarbanes-Oxley Act (SOx) and subsequent regulations, companies can regain consumer trust in the investment of their data, just as investor trust was restored post-SOx. This paper demonstrates how privacy policies, which are intended to be public-facing documents through which notice and informed consent decisions are based, should be treated like financial statements and Form 10-Ks: they should be prepared using standardized formats, include privacy risk disclosures, be attested to by executive leadership, and be subject to independent third-party audits. We also outline the benefits of not only establishing privacy internal controls, similar to their financial counterparts, but also testing these controls and having management attest to their effectiveness. Taking inspiration from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), we put forward our own Privacy Cube designed to help companies understand how to navigate the establishment of a bespoke privacy control structure, beginning with the identification of privacy risk areas. Using the “SOx Effect” model positioned in this paper, we envision global privacy regulation and processes that focus privacy obligations on the restoration and preservation of consumer trust.
TALK
Jared Maslin
September 2023
You've heard Jared Maslin's case for investing in data privacy and his call to businesses not to wait for regulation. In this PEPR '23 talk, he introduces a persona-based approach developed to enable organizations to assess their own unique risk appetite, defining a fit-for-purpose, prioritized risk assessment that can be implemented in a sustainable manner and can successfully adapt to constant changes in global privacy regulation.
BLOG
Eric Khumalo and Jessica Traynor
August 2023
Eric Khumalo continues his journey to understand the nuances and complexities of privacy engineering. Here he describes what he calls the Three Cs of Privacy Engineering: classify, contextualize, and communicate.
BLOG
Jennifer Chen
July 2023
Jennifer Chen shares how we created a completely new visual tool for visualizing the flow of personal information through an enterprise.
BLOG
Eric Khumalo
May 2023
Eric Khumalo continues his journey to understand the nuances and complexities of privacy engineering. Here he describes learning about trackers.
BLOG
Jared Maslin
April 2023
Convincing business leaders to “pay for privacy” centers around building a stable foundation for continued privacy compliance in a way that doesn’t break the bank and actually has a hope of sustained success.
BLOG
Eric Khumalo
September 2022
In early 2019, Eric Khumalo started Emzini weCode to teach computer science to kids in Zimbabwe and beyond. “Emzini” means house in Zulu. Eric hopes anyone can come in to learn to code and learn more about technology. Here, he describes applying his privacy engineering skills to the organization, specifically when working with student data.
EVENT
Cassia Artanegara
September 2022
Data Curious is an online resource supported by Good Research in collaboration with the Center for Digital Civil Society at University of San Diego. At the 2022 Solano Stroll, Good Research sponsored a Data Curious booth to meet our neighbors in Albany, CA and help people get curious about their data.
BLOG
Eric Khumalo
August 2022
Good Research Data Scientist & Privacy Engineer, Eric Khumalo, cites a recent conference as a use-case for the importance of privacy engineering.
BLOG
Jared Maslin
April 2022

"Write your principles in pen and your business model in pencil." Josh Kopelman, Entrepreneur and Venture Capitalist

Privacy has risen to the top of many organizations' priorities. Regulators are rolling out new regulations, and customers are asking organizations to address privacy and describe their approaches. Where does privacy live at your company? Where should it live? How do you decide?

BLOG
Jared Maslin
February 2022

"We came into the world like brother and brother; And now let's go hand in hand, not one before another." William Shakespeare

As privacy transitions from a compliance issue to a board issue, we can learn from experienced information security professionals who have navigated many of the obstacles privacy professionals are experiencing today.

BLOG
Nathan Good & Maritza Johnson
February 2022
Although defining privacy remains elusive, we can all agree that organizations need to do more than write a privacy policy. There’s what you are required to do with user data, most often informed by laws and regulations. And there’s what you should do with user data. In this post, we outline how Good Research approaches privacy.
TALK
Will Monge & Jenny Lo
February 2021
In a world in which decision-makers increasingly want numbers to base or back their decisions, how can user researchers take a larger role in partnership with data-science? In this talk, Jenny and Will discuss aspects of data-science workflow, identify commonalities between the two disciplines and present a taxonomy of the constraints standing in the middle of fruitful collaboration. We hope to gear attendees with concrete strategies on how to tackle these situations and maximize the overall value of research.
BLOG
The Good Research Team
January 2021
Happy Data Privacy Day!
BLOG
Will Monge
December 2020
De-identification and Differential Privacy.
TUTORIAL
Will Monge, Jenny Lo, & Alex Hughes
Oct 2020
This tutorial's goal is to empower ethnographers to develop more holistic, interdisciplinary programs of inquiry for their projects, teams and organizations. This tutorial focuses on the core principles underlying research and inquiry of all kinds, establishing frameworks that unite rather than divide the current research “camps.”
BLOG
Weathering a privacy storm
Nathan Good and Cennydd Bowles
October 2020
Two years ago, the New York Times lifted the lid on the dangers of location tracking, but the tech industry shrugged. Now authorities are fighting back.
WEBINAR
Will Monge, Jenny Lo, & Alex Hughes
July 2020
This webinar focuses on the core concepts and concerns shared by all researchers and how this common ground establishes a basis for closer collaboration among researchers of all stripes. We’ll discuss the constraints we experience as qualitative and mixed methods researchers, a vocabulary for communicating the value of ethnographic work to quantitative colleagues, and strategies for more fully and effectively integrating ethnographic work into research and business cycles.
WEBINAR
Nathan Good et al.
March 2020
This webinar reflects our experiences with motivated intruder tests. Building on recently published work with clinical trial data it will describe the drivers for these types of tests from a business perspective, how to conduct them, and an overview of lessons learned across multiple studies over the last couple of years on different types of data.
PAPER
Nathan Good, Jennifer Chen, & Will Monge
February 2020
Regulatory agencies, such as the European Medicines Agency and Health Canada, are requiring the public sharing of clinical trial reports that are used to make drug approval decisions. Both agencies have provided guidance for the quantitative anonymization of these clinical reports before they are shared. There is limited empirical information on the effectiveness of this approach in protecting patient privacy for clinical trial data. In this paper we empirically test the hypothesis that when these guidelines are implemented in practice, they provide adequate privacy protection to patients. An anonymized clinical study report for a trial on a non-steroidal anti-inflammatory drug that is sold as a prescription eye drop was subjected to re-identification. The target was 500 patients in the USA. Only suspected matches to real identities were reported.
PANEL
Nathan Good
January 2020
This panel, held at Geotab Connect 2020, focused on privacy engineering and technology trends related to IoT, paying special attention to connected vehicles.
WEBINAR
Nathan Good, et al.
October 2018
This EPIC2018 panel addresses questions of fairness and justice in data-centric systems. While the many social problems caused by data-centric systems are well known, what options are available to us to make things better?
PAPER
Nathan Good, Jennifer Chen, et al.
July 2017
Current mobile platforms provide privacy management interfaces to regulate how applications access sensitive data. Prior research has shown how these interfaces are insufficient from a usability standpoint: they do not account for context. In allowing for more contextual decisions, machine-learning techniques have shown great promise for designing systems that automatically make privacy decisions on behalf of the user. However, if such decisions are made automatically, then feedback mechanisms are needed to empower users to both audit those decisions and correct any errors. In this paper, we describe our user-centered approach towards designing a fully functional privacy feedback interface for the Android platform. We performed two large-scale user studies to research the usability of our design. Our second, 580-person validation study showed that users of our new interface were significantly more likely to both understand and control the selected set of circumstances under which applications could access sensitive data when compared to the default Android privacy settings interface.