Privacy-engineering professionals

For all of the departments involved, the role of the privacy engineer is to understand and participate in both the policy and technical life cycle of privacy management and implementation. Privacy engineering, a relatively new discipline, requires a different capability set than what is typically found in a single corporate department. We suggest the following attributes for individuals performing privacy engineering:

  • They are engineers, preferably ones with a security background. Lawyers and nontechnical privacy professionals can and should be available for reference and consulting, but privacy engineering itself is an engineering discipline.
  • They ideally have privacy-related qualifications, such as an International Association of Privacy Professionals (IAPP) certification (https://iapp.org/certify).

They have a strong knowledge of the following:

  • Privacy policy
  • System development processes and life cycles
  • Functional and nonfunctional requirements, including security functional and security assurance requirements
  • Source code and software-engineering practices in the language(s) the systems are being developed in
  • Interface design (APIs)
  • Data storage design and operations
  • Application of security controls to networks, software, and hardware, as appropriate
  • Cryptography and proper use of cryptographic primitives and protocols, given their importance in protecting PII throughout device and information life cycles

These are suggestions only; the needs of your organization may impose a number of other minimum requirements. In general, we have found that security engineers who have a development background and have obtained privacy professional training tend to be individuals optimally suited for privacy engineering.
