Track: Ethics, Regulation, Risk, and Compliance

10:35am - 11:25am

Mind the Software Gap: How We Can Operationalize Privacy & Compliance

With legislation like GDPR and CCPA, it has become newly urgent for organizations to understand internal and external data flows. In the push towards compliance, software organizations have been discovering just how difficult it is to maintain an up-to-date picture of data inventory and data flows. A major challenge is that modern software teams are developing and deploying software quickly and in decentralized ways. When each code change can cause data flow changes, building a clear, up-to-date map of data flows becomes more and more elusive. The state of the art (using human processes; catching data as it flows to untrusted locations) leaves gaps.

Understanding software behavior makes up a big part of the compliance gap--and automated techniques can help. In this talk, I discuss just what it could look like to get visibility into data flows and hint at what kinds of solutions could get us there.

11:50am - 12:40pm

Ethics Landscape

For humankind, ethics is old and computers are new.  Computing fast and fervent ascent to ubiquity didn't allow the field of ethics to maintain pace and society is reaping the foul fruits.  In this talk, I'll give a fly-by survey of the vast and mature field of ethics and attempt to convince you to adopt ethical considerations into the software development lifecycle. Expect time split equally between ethics, ethics in computing, and computing in society.

1:40pm - 2:30pm

Managing Privacy & Data Governance for Next Generation Architecture

The number of privacy-related regulations are on the rise and more vendors than ever before are vying for the attention and validation of privacy programs. In order to advocate for resources and technological solutions, the privacy office must be accountable for vendor governance and procurement decision-making, and oversight.  How do you organize business use cases, requirements, and stakeholders to evaluate privacy and data governance vendor solutions? Who should be involved in decision-making for vendor solutions that have implications for compliance, but also require investments across the company?  

This talk will explore a governance framework for roadmapping, resourcing, and driving decision-making for next generation of architecture with privacy by design. We will walk through the key players, requirements mapping, templates, and vendor engagement models for informed decision-making.

2:55pm - 3:45pm

Quantifying Risk

The FAIR methodology is an emerging standard for measuring information risks. But, it can be intimidating to get started with a risk quantification program, as people may be reluctant to to go beyond Low/Medium/High categories to real numbers. At Netflix, we have introduced risk quantification in our highest impact areas, and are gradually expanding it across the enterprise. I'll share my experience and approach to defining appropriate loss scenarios, and getting real numbers from colleagues.

4:10pm - 5:00pm

Panel: Ethics in Software Engineering

We will explore emerging ethical issues related to software engineering, as well as how they can potentially be addressed. The panelists represent diverse set of perspectives - from professional society to industry to academics.

5:25pm - 6:15pm

Privacy Architecture for Data-Driven Innovation

Data-driven businesses can no longer treat privacy as strictly a legal compliance-focused discipline. In a post-GDPR world, privacy needs an engineering focus to ensure it is actionable, enforceable and scalable. 

This talk will discuss how you can set up a privacy architecture to build in “privacy by data”.

The first part of the talk will tackle privacy challenges posed by incoming data into your company. This data can be extremely sensitive in that it describes who you are, where you are and other information that can uniquely identify you.

How does an organization assess and classify the risk around the data? I will discuss how your privacy architecture team can work with privacy legal to create a multi-tiered data classification, and then with security, data science and data platform teams to set up a backend that tags your data to reflect said classification. With this investment, your employees will be able to make informed decisions around data since they will know its privacy risk.   

The second part of the talk will tackle privacy as it related to sharing data with third parties, be it vendors, partners or even governments and regulators. How do you protect data from security risk or even re-identification risk in those cases? What techniques are available and what are the trade-offs involved? Uber is at the forefront of those conversations and I will discuss what our research and case-studies have yielded.