Security Governance, Risk & Privacy Topics
Governance, compliance frameworks, regulatory requirements, compliance implementation, and compliance-driven risk management. Covers compliance frameworks (SOX, GDPR, HIPAA, FCPA, etc.), regulatory interpretation, compliance control design, audit and control effectiveness evaluation, and compliance process management. For operational security implementation and technical threat mitigation, see Security Engineering & Operations.
Data Classification and Sensitivity Handling
Classifying data by sensitivity and applying controls proportionate to that classification: identifying personal, sensitive, and special-category data and tagging it through its lifecycle. Covers classification schemes, labeling, and how classification drives access, encryption, and retention decisions. Includes assessing the impact of a given data type on privacy and security risk.
Privacy-Preserving Analytics and Experimentation
Doing measurement and data science without over-collecting or exposing individuals: privacy-preserving experiment design, aggregate and on-device measurement, and privacy-respecting attribution. Covers techniques for analytics and A/B testing that limit personal-data use and honor consent. Includes reconciling measurement quality with privacy constraints.
Communicating Security and Privacy Risk to Stakeholders and Leadership
Translating technical security, compliance, and privacy risk into language that executives, boards, and non-technical stakeholders can act on. Covers framing risk in business terms, influencing leadership on investment and strategy, tailoring the message to the audience, and driving decisions through communication. The persuasion-and-translation skill, distinct from the metrics themselves.
Consent, Lawful Basis, and Transparency Notices
Establishing the legal grounds for processing and communicating them to users: choosing and documenting a lawful basis, obtaining and recording valid consent, and implementing opt-in, opt-out, and preference flows. Covers consent granularity, withdrawal and re-consent, propagation of consent state through downstream systems, and the disclosure layer of privacy policies and notices, layered and just-in-time transparency, cookie and tracking-technology consent, and honoring signals like Global Privacy Control. Includes writing notice content that is both compliant and comprehensible.
Data Minimization and Retention
Collecting and keeping only what is necessary: data minimization at collection, purpose limitation, and retention scheduling with automated deletion. Covers defining retention periods, enforcing them technically, and defensibly disposing of data. Includes balancing operational or analytics needs against minimization obligations.
Privacy-Enhancing Technologies and Anonymization
Technical safeguards that reduce identifiability: anonymization, pseudonymization, tokenization, differential privacy, and related privacy-enhancing technologies. Covers the difference between anonymized and pseudonymized data, re-identification risk, and when each technique is appropriate. Includes evaluating the privacy-utility tradeoff of a given technical control.
Privacy in Emerging Technologies
Privacy challenges raised by newer technologies and business models: AI and machine learning, biometrics, IoT, and other data-intensive innovations, plus how regulators are responding. Covers anticipating future privacy risks and adapting practices ahead of formal rules. Includes reasoning about privacy in novel data uses where guidance is still forming.
Research Ethics and Consent
Handling personal data in research responsibly: informed consent for studies, research ethics review, participant protection, and secondary-use limits. Covers designing user research and data-collection studies that respect participants and comply with privacy obligations. Includes balancing research value against participant privacy.
Global Privacy Regulations and Data Protection Frameworks
The landscape of privacy and data protection law and how core frameworks fit together: controllers vs processors, personal vs sensitive data, lawful processing, and cross-framework concepts. Covers foundational privacy terminology and how to reason about which regimes apply to a given data flow. Serves as the orientation layer beneath the regulation-specific topics.