Log in / Register
Home arrow Computer Science arrow The Privacy Engineer’s Manifesto
< Prev   CONTENTS   Next >

Privacy Policy Development

Balanced with the enterprise requirements (where the data value of the solution should always exceed its risks when used in context), individual or “user” goals must be considered as part of the final articulation of the “enterprise” goals. The mission, goals, and objectives of the enterprise must be recognized, understood, and analyzed to determine a privacy-engineered solution's requirements. From these, the privacy policies that will govern the privacy engineering solution can be determined. The privacy policy development should be done at two levels: a general level, relevant to all parts of the enterprise, and at an enterprise-specific level, which will often be more specific and detailed than an “enterprise-wide” policy.

Although drafting privacy policies can be the subject of entire legal or organizational tomes, this chapter will go into enough depth so that the principles that comprise privacy policies are sufficiently understandable as the foundational layer of privacy engineering and use-case requirements. These policies enable the management of the principles as a framework, which in turn can also lead to:

• The development and deployment of privacy engineered systems

• The exciting missing beast—the framework to build and innovate the privacy engineered data-centric networks, tools, and solutions of the future

What Is a Good Policy?

A policy is considered good based on the manner in which it functions as well as its contextual fit (i.e., how well it balances the needs and objectives of the enterprise with the objectives of the users or customers or employees whose data ultimately flows through that organization). A good policy:

• Arises from well-articulated enterprise goals, which are based on a clear statement of belief or purpose

• Describes what is wanted or intended by the various parties of interest impacted by the enterprise

• Explains why these things are wanted

• Provides positive direction for enterprise employees and contractors

• Provides transparency to the users of systems or individuals interacting with the enterprise

• Is flexible enough so there can be adjustments to changing conditions without changing the basic policy itself

• Is evaluated regularly

• Can be readily understood by all

Policy statements should be written in clear, concise language. A privacy policy should contain everyday words and short sentences and avoid the use of acronyms.

If actions are compulsory, “must” should be used. If actions are recommended, “should” should be used. The policy must be practical and easy to implement.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science