Developing Privacy Engineering Requirements

Abstract

The expectations of life depend upon diligence; the mechanic that would perfect his work must first sharpen his tools.-Confucius I should live my life on bended knee; If I can't control my destiny. You've gotta have a scheme; You've gotta have a plan.In the world of today, for tomorrow's man.-David Bowie, "No Control" This chapter begins with a discussion on the topic of requirements gathering. If a business or other enterprise is required to be responsible for personally identifiable information, it'll need to develop strong policies for managing that responsibility, and the entire process begins with determining the crucial requirements for internal and external policy development. Requirements engineering use cases that leverage an industry-recognized approach will be introduced and applied to personal information (PI) and other data related to it. The data protection-driven fair processing principles will be leveraged to determine requirements, and a use-case metadata model that is unique to privacy engineering will be introduced. Third-party service providers and unique distribution channels (such as cloud computing or mobile technology) for personally identifiable information can impact the engineered privacy solution. One should anticipate tumult, digital earthquakes, and continental shifts in the data protection landscape over time and build accordingly. The value in the methodology that is proposed in this chapter is in its inherent flexibility. The tools themselves are flexible as well so that, for example, if the privacy component is developed, it could be plugged into numerous applications so that any privacy rule changes will be reflected in all applications invoking the privacy component.