When Engineers and Lawyers Talk: Right-Sizing Your Data Protection Risk Profile

Rafae Bhatti, Mode


The path to navigating data protection risks is often filled with uncertainty. Overestimating the risks stifles growth, and underestimating them can derail the business. To be able to measure data protection risks and right-size the risk-profile of a company, we need to view them from both a technical and legal lens. Engineers and lawyers need to talk.

This talk will provide practical examples of how right-sizing the risk profile helps simply compliance. It will cover scenarios of data retention, use, and sharing, as well as breach notification. We will review key architectural decisions as well as engineering trade-offs that are often involved in shaping an organization’s compliance processes. These decisions and tradeoffs often center around the purpose of use, which is a concept that engineering teams do not traditionally pay attention to. Therefore, viewing the system requirements from a data protection lens helps clarify legal obligations and simplify compliance.

Rafae Bhatti, Mode

Rafae Bhatti is an information security expert and a lawyer who works with cloud-based start-ups in Silicon Valley to help build their cybersecurity and compliance programs. He is currently the Director of Security and Compliance at Mode Analytics. He is a speaker and a published author, and an inventor on 3 granted patents. Rafae received a Ph.D. in Computer Engineering from Purdue University, and in his spare time also obtained a J.D. from Santa Clara University.
@inproceedings {257933,
author = {Rafae Bhatti},
title = {When Engineers and Lawyers Talk: Right-Sizing Your Data Protection Risk Profile},
booktitle = {2020 {USENIX} Conference on Privacy Engineering Practice and Respect ({PEPR} 20)},
year = {2020},
url = {https://www.usenix.org/conference/pepr20/presentation/bhatti},
publisher = {{USENIX} Association},
month = oct,

Presentation Video