Insights From a Privacy Jedi

Michelle Dennedy
Author: ISACA Now
Date Published: 28 March 2023

Editor's note: ISACA recently welcomed privacy expert Michelle Dennedy for an Ask Me Anything (AMA) session on ISACA's Engage platform 6-10 March. Dennedy is the CEO of PrivacyCode, a partner at Privatus Consulting and a member of ISACA's Digital Trust Advisory Council. She is the author of The Privacy Engineer's Manifesto and The Privacy Engineer's Companion. This AMA session led to a captivating community discussion of topics including the challenges and successes of privacy programs, predictions surrounding AI and how privacy affects digital trust. See below for highlights from the thread; for more insights and conversation, the full thread can be found here. To take part in the next AMA session, "I'm the Head of Governance and Trust at the World Economic Forum: Ask Me Anything!" with Daniel Dobrygowski, join the conversation on Engage 24-28 April 2023.

Michelle Dennedy is no stranger to privacy. With a background in intellectual property law, Dennedy broke into privacy as in-house IP counsel to the CMO of Sun Microsystems. She has witnessed first-hand how this practice area has evolved over time, and she says that, from an implementation perspective, one of the largest challenges is twofold: 1) policy, business and technical teams often speak different languages, and 2) privacy is often considered a cost center rather than a core operating exigency.

"Jargon serves as cultural binding within our tribes to test who is 'in the know' or 'gets it,' whether or not we are aware of this bias," Dennedy writes. "But deeper than being mindful of spelling out acronyms or explaining Latin phrasing or balance sheet requirements, we often give and receive requirements without the rigor needed to ensure execution throughout the soft systems that are required for success."

Privacy is treated as an insurance-like task at the C-suite level, so the people, processes and nascent technologies operating in a highly complex and dynamic risk landscape continue to lack proper funding. Dennedy believes that with people like the group on Engage, privacy professionals can do better through improved systems thinking and innovation.

"If you can frame initiatives in tandem with business objectives over time, privacy and governance programs have a much greater chance at long-term success and growth," Dennedy writes.

When asked about best practices, Dennedy said she has frequently observed that the success of a privacy program is personality-driven. Legal teams that want to publish policies but otherwise do not get involved with a particular business's systems make it nearly impossible to translate legal requirements into the reality of operational work. Insecure CISOs or trust officers with combined duties may lean on their knowledge of information security and fail to understand the critical requirements for authorized data sharing, or when statistical models of anonymity are best deployed versus individually identified data, placing a heavy emphasis on data shredding and deletion instead.

Dennedy writes that the most prominent emerging trend is data governance and data quality practice teams that understand the business they function within, tied to privacy and security teams with engaged and active legal support. A framework can fit into this picture and work to its best advantage when the top-line data strategy is a best fit.

As the conversation evolves to consider the privacy implications of AI, Dennedy suggests that privacy engineering should contemplate both the original state of data and its future recombinant states. Privacy tools should reflect the risks that arise from this reality accordingly, and where encryption or "anonymizing" things fails, she argues that "ethics engineering" should be applied. This additional layer is meant to plan for unforeseen or inhumane practices, to make it possible to audit for evidence of their occurrence and to respond with appropriate corrective measures. For areas where technology offers a lack of precision, supplementary steps must be taken to ensure proper protection.

This conversation directly ties to the connections between privacy and digital trust. Trust naturally follows where PII is processed according to moral, ethical, legal, sustainable and governable principles. As Dennedy writes, "The clearer our practices, communication and behaviors [become] over time with respect to personal data, the more a person has a positive assumption that we are more likely to behave appropriately with respect to data."