This repository contains 27 interview transcripts collected and analyzed for the 2025 Privacy Enhancing Technologies Symposium (PETS 25) paper titled "Defining Privacy Engineering as a Profession".
Rapid technological advancements, evolving legal frameworks, and increasingly heightened public concern over personal data have catalyzed the emergence of privacy engineering as a critical discipline. However, the "privacy engineer" role remains loosely defined, with significant variability in responsibilities, required competencies, and organizational positioning. This paper presents a qualitative investigation into the practices, challenges, and professional profiles of privacy engineers through 27 semi-structured interviews with US-based practitioners from diverse organizational contexts. Our thematic analysis reveals four primary themes: (1) the conceptual ambiguity surrounding privacy engineering roles, (2) a blend of ethical motivation, intellectual curiosity, and the desire for career growth driving professionals into the field, (3) organizational and regulatory challenges, such as misaligned incentives and the difficulty of translating abstract legal requirements into actionable technical solutions, and (4) the critical competencies required, including robust technical skills, effective cross-functional communication, and risk management expertise. Our findings contribute to a deeper scholarly understanding of privacy engineering as a multidisciplinary practice and offer practical guidance for organizations aiming to integrate privacy more effectively into their product development cycles.
Please cite this work as follows:
```bibtex
@inproceedings{samarin2025defining,
  title = {Defining Privacy Engineering as a Profession},
  author = {Samarin, Nikita and Narla, Nandita Rao and Webster, Liam and Smullen, Daniel},
  booktitle = {Proceedings on Privacy Enhancing Technologies (PoPETs)},
  volume = {2025},
  issue = {4},
  year = {2025}
}
```
Despite the growing importance of embedding privacy into software products by design, addressing legal requirements and user privacy concerns has proven challenging in practice. This challenge has led researchers and practitioners to develop various methods, techniques, tools, and other solutions that consider privacy throughout the software engineering process. Many of these approaches eventually formed the basis for an emerging and rapidly expanding field of privacy engineering, receiving significant attention from industry, government, and academic stakeholders.
Rapid growth and recognition have contributed to an increase in scholarship on privacy engineering goals (the “what”) and methods of achieving them (the “how”). However, a critical gap remains in understanding who is, or should be, responsible for putting these methods into practice and achieving these goals within organizations.
To define the role of a privacy engineer, we considered the following research questions:
- RQ1: How do privacy engineers conceptualize their roles?
- RQ2: What motivates individuals to pursue privacy engineering?
- RQ3: What are the core competencies associated with privacy engineering?
- RQ4: What do privacy engineers find challenging in their roles, and what strategies do they find effective in overcoming these challenges?
We chose semi-structured interviews because of the open-ended nature of our research questions. Furthermore, semi-structured interviews allowed us to investigate participants’ responses further and skip questions as needed while maintaining the structure of our interview guide.
We developed our interview guide to highlight the unique characteristics of a privacy engineering role and to enable comparison with other similar but distinct privacy roles. To achieve this goal, we divided the interview into six distinct sections that cover: (1) participants’ understanding of privacy engineering, (2) their motivation to pursue privacy engineering as a profession, (3) responsibilities and skills, (4) reporting and deliverables, (5) challenges and strategies, and (6) evaluating success. All authors reviewed and provided suggestions for the interview protocol, including two authors with extensive experience as privacy engineering practitioners within their respective organizations.
The dataset consists of 27 participants' de-identified responses to the following questions:
Topic 1 - Introduction
- Can you tell me briefly about what you do in your job?
- Could you also define the term “privacy” as you normally use it in your work context?
- How would you describe the roles in the industry related to privacy engineering?
- How would you define a “privacy engineer”?
Topic 2 - Motivation
- How did you become interested in privacy engineering as a career (or a function of your career)?
- Could you share your career journey and how you arrived at your current position?
- What motivates you to continue pursuing privacy engineering as part of your profession?
- What are some personal goals you have for this work?
- What value do you get from it?
- What do you enjoy about it?
- Now I am going to ask you a question about the future. A year from now, do you see yourself in the same position? More specifically, doing what it is that you currently do in your position.
- Can you tell me more about why you answered this way?
Topic 3 - Responsibilities and Skills
- Could you give me an idea of what a typical day at work looks like for you?
- What responsibilities does your employer expect you to take on at work?
- Why do you think there is such a [difference/similarity] between the expectation and the reality?
- Are there any additional responsibilities you feel you are expected to take on in your role, such as to society, others in the organization, or even yourself?
- For instance, serving your broader community or other privacy professionals, mentoring others, volunteering your time, and so on.
- What skills were demanded of you when you started your current role?
- What are the skills you currently use in your job?
- Is there a difference or not between the skills you were expected to demonstrate during the interviewing process and those required of you in your role?
Topic 4 - Reporting and Deliverables
- Who do you report to?
- Does anyone report to you?
- What are the typical reporting structures that you see in your profession?
- What are the teams and their composition of reporting?
- What methods do you use to report to others (e.g., meetings, emails, project management platforms)?
- What is the actual organizational structure (e.g., flat vs hierarchical)?
- What deliverables are required from you in your role? For example, do you write code, research reports, Privacy-by-Design (PbD) advice, etc.?
- Can you tell me more about why these deliverables are important in your role?
- Do you think these deliverables are typical or not typical for someone in your profession?
- How are those deliverables evaluated by your manager?
Topic 5 - Challenges and Strategies
- Are there any tools, techniques, or standards that create challenges for you?
- What are the most common challenges that you encounter?
- Do you think these challenges are typical or not typical for your profession?
- Are there any challenges related to your organizational or reporting structures that you face?
- What are the most common challenges that you encounter?
- Do you think these challenges are typical or not typical for your profession?
- Can you tell me more about the strategies that you use to overcome the challenges you mentioned?
- Which ones do you find the most effective? Why? How do you know it’s effective?
- Which ones do you find the least effective? Why? How do you know it’s ineffective?
Topic 6 - Success Metrics
- How would you define ‘success’ in the work that you do?
- What do you think the overarching goal is?
- How do you think others evaluate the impact of your work?
- Do you think there are any metrics associated with these evaluation criteria?