Jan 16 / Punit Bhatia and Steve Ahouanmenou

Role of Privacy Engineering in Creating Digital Trust


In a rapidly evolving digital world, trust is the foundation that holds everything together. But how is that trust built, especially in complex areas like privacy and security? In this episode, we delve into the vital role of privacy engineering in creating digital trust. Privacy engineering isn’t just about following rules—it’s about embedding privacy and transparency into the very core of technology. From protecting personal data to empowering consumers with control, privacy engineering shapes how organizations earn and sustain trust.

Transcript of the Conversation


Punit 00:00

Role of privacy engineering in creating digital trust? Yes, privacy engineering can be complex or privacy engineering can be simple. And same for digital trust, it can be simple or complex, but privacy engineering plays a role in creating digital trust. So now to understand that, we need someone who is knowing privacy engineering, who appreciates digital trust and also understand the bigger realm of privacy, security, data ethics, data analytics and so on. And I have exactly that person with us, and I'm talking about none other than Steve Ahouanmenou, who, so I'm sure I have made a mess of the last name, but still I tried, and we are going to talk to Steve, who is in MasterCard for open banking privacy engineering, and he's going to help us understand the role of privacy engineering in digital trust.

FIT4Privacy 00:59 

Hello and welcome to the fit for privacy podcast with Punit Bhatia. This is the podcast for those who care about their privacy. Here your host, Punit Bhatia, has conversations with industry leaders about their perspectives, ideas and opinions relating to privacy, data protection and related matters. Be aware that the views and opinions expressed in this podcast are not legal advice. Let us get started.   

Punit 01:27 

So here we are with Steve. Steve, welcome to fit4privacy podcast.   

Steve 01:32 

Thanks for having me.   

Punit 01:33 

It's a pleasure to have you. Now I checked your profile on LinkedIn, and you have a very interesting profile. You are in 40 under Belgium 40. So congratulations for that. You are the privacy engineering Global Head for MasterCard, which is an achievement. And you also have done masters or post graduation in business analytics or analytics, data and analytics, and now you are doing privacy engineering. So you are the perfect person to ask, What do you think about, or how would you describe digital trust?    

Steve 02:02 

Thank you. First of all, I would like to again, thank you for having me. It's my first podcast, which is recorded in video. So I really, really appreciate the exercise. And second, I would like to mention I'm the Global privacy engineering lead for open banking, and not really the lead for privacy engineering program overall at MasterCard, indeed. And prior to that, I worked as well as CISO, Chief Information Security Officer for two hospitals, which is in the healthcare sector. And I found very interesting to have the healthcare sector as well as the financial sector together in terms of backgrounds, because we see some similarities into what we do. And the reason why I mentioned that is that trust is about boundaries is about it's not really sector specific. And by working on the healthcare sector and the same time with the financial sector being both from different maturity level in terms of security or privacy, the need of trust for the consumers of the patients is exactly the same. The way we build trust is exactly the same. The way we maintain trust exactly the same. In my job, in my day to day job, we have it saying that that's exactly what we do. We try to embed trust into our products and services to make sure that you know, the brand you know does not suffer from a lack of transparency.

Punit 03:15 

And you mentioned trust, and you mentioned transparency. So do you see a correlation between the two?

Steve 03:21 

Of course, I think transparency is one of the key elements of trust, also the key elements. We can also have security, we can also privacy. We can also have ethics on different elements, like trust, we also have the bar, is actually way more important technology aspect. So the automation of technology can also be a trust or a sense of trust, and the same times the sense of fear or price, that's equally possible as well. But indeed, in the trust area, we do have different key elements that can help build or diminish or reduce the amount of trust towards   

Punit 04:00 

And you also mentioned that you're responsible for open banking. So how does trust play a role in open banking? Because open banking, you can see it in two ways. One is it's in the background, just offering APIs. That's one way of looking at it. And second is open banking, as in the sense of new generation apps or third party aggregators. I don't know how you see open banking, and where does trust play a part?

Steve 04:24 

But that's a very good question. So open banking is a fascinating area. I have to say. You have to think about two things. The first one is giving back again, trust, but it's about giving back the control of data to the consumer. You have your financial data that is held by the banks, at a certain point, you maybe feel that you don't have enough control this data. Open banking is a way to, you know, make you perform additional activities with your data as you want it, when you want it. The second aspect of open banking is about competition. It's about reinforcing or fostering competitions among different I think about the fintechs and different ways to reuse. Your information to provide you better services. So when you combine the two trust and the same time competition, then you have open banking. And more and more people are actually talking about, talking about open data, which is, you know, going beyond open banking data. But I think the same mechanism is actually exactly the same. So I believe the open banking data will apply to each and everyone sooner or later, and we try to simplify more and more and to get closer to the consumer as the demand and needs are getting more complex, and I think it's slowly getting there. And the same time, privacy and security, as well as ethics, is becoming also equally important in this sector.    

Punit 05:36 

Now that was very well said, but you mentioned privacy now, privacy everyone now starting to understand, but you are responsible for what we call privacy engineering. And I don't think everyone understand what is privacy engineering? Shall we explain that to our listeners or viewers about what is privacy engineering?    

Steve 05:56 

That's really an excellent platform to explain what it is privacy engineering. And this is something that we do every day with the business, and I'm happy to bring that to the to the public audience. So I think today it's fair to say everybody has a meaning or an understanding of what privacy is. But the moment we start, you know, blind engineering to privacy becomes a little bit blur. I think privacy engineering is a way to really get to the to the bottom of things, in terms of implementation of privacy, we have the regulations, GDP, everybody is aware of. We have different regulations in different sectors, that is, that are mimicking, or, let's say, regulating the way of implementing privacy in different sectors. And privacy engineering is actually the tech arm of privacy, the way that we actually embed privacy by design into product, the way we actually insert privacy into systems, the lifecycle of the products, the way we actually provide wireless detectives as well, and the way we really check privacy with codes. So this is where technology is making privacy and then we have privacy engineering. There's clearly a security component to that, but I think it's the key word here is about collaboration between the different teams to make sure everybody understands, you know, what they have to do to be privacy sound in their job.    

Punit 07:13 

So, that makes sense, because from technology teams, tech teams, as we see, they see privacy as abstract, and when we tell them implement privacy by design that is also abstract, if you can make it tangible. And I think that's where the, as you mentioned, the role of privacy engineering comes in with providing guidance methodologies, maybe frameworks or techniques, on how to provide acceptable level of privacy in you say, the technical solutions or the   
 
Steve 07:39 

That is correct. And one of the one of the example that I can give is, for example, anonymization. We know about the GDPR that we have a purpose limitation that will be done by, you know, attorneys or councils. The data minimization, there is clearly a regulation aspect to that. But we can also have a data minimization from a technical aspect really. How do we, you know, just reduce the data to have the right amount of information that we need. You know, how do we shrink the data set? How do we mask the data set? How do we sanitize that data set? You know, what kind of additional methodologies can we apply to make sure the data is exactly the amount of data that we need, and the same time, you know, helping to get the value out of the data. So I think we're really proud to say that privacy engineering is a very niche area, but less very important to strike the balance between privacy security and utility of the data set.   

Punit 08:30 

Now, when you say utility of the data set, I think one of the challenges for tech teams, or especially data teams, or data mining teams data analytics teams is for them, everything is data, and mostly they don't see it as personal data. While people like you and me would understand that the variety of personal data goes, or the definition of personal data goes beyond the name, age, date of birth or sex, it's much more, and that, I think, is the bridge we have to cover with tech teams. No,   

Steve 08:58 

it is much more, and that's true. But at the same time, I would like to I would like to mention here that it's not uncommon to have different teams having different perceptions on how to use the data. First we have the, let's say the geographical perception people from the US, for example, will be more focused on PII, Personal Identifiable Information, and will not really think about the combination of the data while in Europe, we just say that Personal Information PI is pretty much everything, depending on context, and then it's and also the tech teams will actually think about PI as data fields in data set. And they will say, okay, how can we mask this? If we just mask, let's imagine the iPad, then our data set is anonymous, while for older say, roles like lawyers and we say, oh, but the data field in office not really to think about the risk related to a combination of data. So, I think indeed that different perceptions are okay. The issue is actually about the lack of awareness about how we can collaborate together, how we can. To the high quality in terms of privacy by design, especially when we're dealing with sensitive data. And I think you know, the tech teams is more and more aware, as we moving towards more automation, the tech teams is really more and more aware, finding ways to embed privacy into the into the processes and systems.   

Punit 10:18 

I can agree with you. In fact, that leads me to another question. When you say tech teams are aware, but tech teams have a role to play. And when we say tech teams have a role to play in privacy or privacy engineering or extending it towards digital trust, what kind of a role do you expect from tech team?    

Steve 10:34 

Well, again here, I think, as the technology is increasingly evolving, moving towards more donations API based applications, for example, trust will be mainly about maintaining, you know, rapid executions of those technologies will be mainly about avoiding, let's say, downtime, issues in terms of applications of those technologies. And there, I think the tech team has a crucial role to play with the expertise. But here, I think the partnership, the collaboration with privacy engineers, is really key to really understand when to raise, you know, an alarm, and say, Hey, there's an issue here, and we believe that this might, this might be a privacy issue. Please. Guys come up and tell us what you think. So, I think I mentioned that already, awareness is important. Training regular trainings is definitely key. But I think as well, on the other way around, privacy engineers or lawyers have a lot to benefit from understanding the world of tech teams and really get to understand how the tech teams get things done. There's no need to get into the technical aspect of things, but actually understanding the processes and the systems from end to end and how the tech applications are built, I think can give a very good overview or very good understanding on the formulation of privacy risks as well.   

Punit 11:51 

I can agree with you very much. And you mentioned there needs to be a partnership between the privacy team and tech team, or privacy engineer team and the tech team now, partnership is two ways. So you described what we expect from the tech team, but what does role then? Does privacy team or privacy engineering team or privacy pro have to play in making the tech teams role easier?   

Steve 12:13 

That's an excellent question. I think privacy engineers the essence of privacy engineering is to be in the middle of all those roles, all those sectors. So we speak the language of the tech team, and we are friends with the lawyer. We are clearly translating the regulations into technical aspects. And we have to communicate in a simple manner to both sectors. We also have the business. By the way, we have excellent relationship. So I think privacy engineers, people that are really willing to connect with other teams, and this is really the essence, the skeleton of what we do, and to answer your questions, I think it comes to lot of education, but really be aware of things, being at the forefront of the innovation, and always being able to understand from a risk based approach what could be the issues from the privacy but also from a security perspective, because the security team comes to us as well for confirmations on we believe there is a security issue here, because you think there is more to me or not, so what we do is actually build a team of transversal skills to make sure that everyone can really collaborate together. And here, I think what we can together is always better than whether privacy engineer is just along the topic. So we first have our own assessment, and then we discuss all together to make sure that we got all the different angles, all the different perspectives of the program. And this is what privacy is. Finally, it's about protecting the individual, but it could be a security problem, be a business problem, it could be analytical problem, as soon as the individual is at risk coming to play.   

Punit 13:49 

No, I fully agree with you. I think privacy is a transversal role, and if you build bridges and create an open culture wherein others can come to you and you go to them, exchanging ideas, because everyone has a perspective. Everyone has a role. And if the privacy team, and especially the privacy engineering team, can be the bridge between the legal the business and the tech teams, then that's the role, and that is not an easy role, because you have to understand the law, you have to understand architecture, you have to understand technology, the business implication, and also the legal implication and kind of mediate in between. It's, as they call it, Jack of all trades. I won't say the second part, but you have to be the master of connecting. So Steve, it's been wonderful to have your insight on the privacy engineering and the digital trust aspect. Would there be one final message you would like to pass to fellow colleagues who are in privacy and AI or tech about privacy engineering?   

Steve 14:45 

Oh, there are many messages I think. Let's talk more. Let's speak Let's speak more together. Let's try to provide our vision, our perspectives, our angles. And we are at a very exciting times today where not just privacy engineering is one of. Important role, but also the tech teams. Everybody is reinventing safe in a very, very interesting manner, I would say. And therefore I will exhort everyone to speak to not be afraid, build a roles. And that's actually the first thing, really, collaboration is key. Now there's a subject that is very important to everyone, which is the AI subject we in terms of privacy, this brings different, you know, risks, so we are assessing those risks from an AI perspective. But I think this is also where we need to talk to different people. They are scientists, for example, data analysts and analysts, and we need to understand what they would like to do. What is the end goal of the use of the data to make sure that you know, we're not too extreme into our considerations in terms of privacy either, because the goal at the end of the day is to be able to reuse the data safely and protect an individual, of course, but the goal is to reuse the data. And I would also mention that there's a group that is more and more called upon, which is the ethics. So we talk more and more with philosophers and people into data ethics to make sure that we understand the mindset, I can give you one specific example, which is about the control shift of the data from the individual, whether the data is anonymized or not. If you talk to some ethicists, they will tell you that even if the data is anonymized, the source of the data is still from the consumer, and the consumer is still comfortable for that data, even if it's only miles or not. And I think that's that's a very interesting perception or idea that some individual may have. 
And I think it's important to make sure that those people you know feel still comfortable to say, I'm sharing your data, if you would like to use that data for, let's say, have a social impact, or for to do business in the healthcare sector, or to do business in automotive sector, they would like to play a role as well into what we do with the data. And I feel the next phase will be to listen more to the consumer and to take into account the ones, into how the data will be used according to the utility of the business so exciting times ahead, and I hope we can collaborate more   

Punit 17:04 

Absolutely. And I think that's definitely a topic for the next season, data and ethics. But for now, if someone wants to talk to you, Steve, what's the best way to reach to you?   

Steve 17:16 

Oh, you can reach me at MasterCard. Steve, that's MasterCard com on LinkedIn as well. Steve, happy to take any questions on privacy engineering or open banking area, but also happy to have a conversation on hearing your perspective and your ideas on things that we just talked about today. You can also reach out to me through this channel. It is an excellent person to talk to, and everyone join this podcast and sharing my videos today.   

Punit 17:44 

Thank you, Steve. So with that, thank you so much for your time. It was wonderful to have that oversight on many different topics.    

Steve 17:51 

Thank you very much. Thank you.    

FIT4Privacy 17:52

Thanks for listening. If you liked the show, feel free to share it with a friend and write a review if you have already done so. Thank you so much. And if you did not like the show, don't bother and forget about it. Take care and stay safe. Fit for privacy helps you to create a culture of privacy and manage risks by creating, defining and implementing a privacy strategy that includes delivering scenario based training for your staff, we also help those who are looking to get certified in CIPPE, CIPM and CIPT through on demand courses that help you prepare and practice for certification exam. Want to know more, visit www.FIT4Privacy.com that's www.FITthenumber4privacy.com if you have questions or suggestions, drop an email at hello(@)fit4privacy.com Until next time. Goodbye.


Conclusion

Privacy engineering is the backbone of digital trust. By integrating privacy into the DNA of technology, organizations can empower users, foster transparency, and uphold ethical data practices. As we navigate the complexities of privacy in an interconnected world, the message is clear: trust is built on collaboration, accountability, and putting people first.

This episode is a reminder that the road to digital trust starts with small steps—steps that privacy engineers, tech teams, and businesses must take together to create a future where trust is not just a promise but a reality.

ABOUT THE GUEST 

Steve Ahouanmenou is part of the Global Privacy & Data Protection Department at Mastercard and leads the privacy engineering program in Open Banking.  His mission is to enable innovation and trust in the digital finance realm, by applying his analytical skills, domain expertise, and collaborative approach to privacy and security challenges.

With over 10 years of experience in information security, privacy risks and data governance, he has worked with global organizations in various sectors with a focus on healthcare and finance. He is also a PhD Candidate at Ghent University, investigating information security and privacy in healthcare institutions, and an alumnus of Belgium's 40under40. He holds multiple certifications, such as ISO 27001 Senior Lead Implementer, CIPP/E, CISM, CDPSE, ITIL v3, DPO, COBIT 5.

Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high AI & privacy awareness and compliance as a business priority by creating and implementing an AI & privacy strategy and policy.

Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts.

As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one’s values to have joy in life. He has developed the philosophy named ‘ABC for joy of life’, which he passionately shares. Punit is based out of Belgium, the heart of Europe.


RESOURCES 

Listen to the top ranked EU GDPR based privacy podcast...

Stay connected with the views of leading data privacy professionals and business leaders in today's world on a broad range of topics like setting global privacy programs for private sector companies, role of Data Protection Officer (DPO), EU Representative role, Data Protection Impact Assessments (DPIA), Records of Processing Activity (ROPA), security of personal information, data security, personal security, privacy and security overlaps, prevention of personal data breaches, reporting a data breach, securing data transfers, privacy shield invalidation, new Standard Contractual Clauses (SCCs), guidelines from European Commission and other bodies like European Data Protection Board (EDPB), implementing regulations and laws (like EU General Data Protection Regulation or GDPR, California's Consumer Privacy Act or CCPA, Canada's Personal Information Protection and Electronic Documents Act or PIPEDA, China's Personal Information Protection Law or PIPL, India's Personal Data Protection Bill or PDPB), different types of solutions, even new laws and legal framework(s) to comply with a privacy law and much more.