Security Governance, Risk & Privacy Topics
Governance, compliance frameworks, regulatory requirements, compliance implementation, and compliance-driven risk management. Covers compliance frameworks (SOX, GDPR, HIPAA, FCPA, etc.), regulatory interpretation, compliance control design, audit and control effectiveness evaluation, and compliance process management. For operational security implementation and technical threat mitigation, see Security Engineering & Operations.
Data Subject Rights and Request Handling
Operationalizing individual rights: access, rectification, erasure, portability, restriction, and objection requests. Covers identity verification, response timelines, locating data across systems to fulfill a request, and handling edge cases and exemptions. Includes designing systems that can execute deletion and export reliably at scale.
Privacy by Design and Default
Embedding privacy into architecture and the development lifecycle: the privacy-by-design principles, privacy-protective defaults, and on-device or edge processing to minimize data exposure. Covers integrating privacy controls into product and program design and into engineering workflows rather than bolting them on. Includes designing privacy-first solutions and reference architectures.
Communicating Security and Privacy Risk to Stakeholders and Leadership
Translating technical security, compliance, and privacy risk into language that executives, boards, and non-technical stakeholders can act on. Covers framing risk in business terms, influencing leadership on investment and strategy, tailoring the message to the audience, and driving decisions through communication. The persuasion-and-translation skill, distinct from the metrics themselves.
Consent, Lawful Basis, and Transparency Notices
Establishing the legal grounds for processing and communicating them to users: choosing and documenting a lawful basis, obtaining and recording valid consent, and implementing opt-in, opt-out, and preference flows. Covers consent granularity, withdrawal and re-consent, propagation of consent state through downstream systems, and the disclosure layer of privacy policies and notices, layered and just-in-time transparency, cookie and tracking-technology consent, and honoring signals like Global Privacy Control. Includes writing notice content that is both compliant and comprehensible.
Privacy in Emerging Technologies
Privacy challenges raised by newer technologies and business models: AI and machine learning, biometrics, IoT, and other data-intensive innovations, plus how regulators are responding. Covers anticipating future privacy risks and adapting practices ahead of formal rules. Includes reasoning about privacy in novel data uses where guidance is still forming.
Platform Trust, Safety, and Regulatory Compliance
Regulatory and policy compliance for online platforms and consumer-facing products. Covers trust and safety program requirements, content and platform regulation, and translating platform-liability and consumer-protection obligations into product policy and controls. Product-and-policy view of compliance for platform businesses, distinct from infrastructure security.
Research Ethics and Consent
Handling personal data in research responsibly: informed consent for studies, research ethics review, participant protection, and secondary-use limits. Covers designing user research and data-collection studies that respect participants and comply with privacy obligations. Includes balancing research value against participant privacy.
Global Privacy Regulations and Data Protection Frameworks
The landscape of privacy and data protection law and how core frameworks fit together: controllers vs processors, personal vs sensitive data, lawful processing, and cross-framework concepts. Covers foundational privacy terminology and how to reason about which regimes apply to a given data flow. Serves as the orientation layer beneath the regulation-specific topics.
GDPR Principles and Compliance
The General Data Protection Regulation in depth: the six lawful bases, data subject rights, accountability and records obligations, DPO requirements, and enforcement and fines. Covers how GDPR principles translate into concrete engineering and product controls. Includes controller and processor obligations and demonstrating compliance.