Describing a Workforce for Privacy Management
Updated: Sep 14, 2020
Privacy laws in some shape or form have been in place across many jurisdictions for several years but once the European GDPR came into effect in 2018 the pace at which jurisdictions outside of Europe are developing or updating their own regulations has been increasing. Globally, protection for data subjects is being strengthened and regulators are gaining greater powers to investigate and impose sanctions on organisations that cause harm to data subjects. Consumers are also much more aware of issues surrounding data privacy and organisations are aware that they need to continuously enhance their privacy teams to meet the challenges that lie ahead.
Typically, those with legal, compliance or audit expertise develop policy and lead privacy initiatives whilst information security teams implement controls guided by industry best practice. However, as complexity increases successful privacy management programs require a wider range of stakeholders from across the organisation, and the organisation’s partners, to collaborate in scoping, planning and execution. Privacy team members need to be drawn from departments as diverse as legal, information security, product engineering, marketing and customer services. The fact that these departments speak different languages, use different tools and have different perspectives on the technical and operational scope of privacy management is a significant challenge. These differences, together with the complex and constantly changing privacy landscape make it difficult to create a playbook that can be used to manage privacy consistently across all of an organisation’s operations.
Scarcity of Expertise?
There are many frameworks that organisations can use as a basis for developing their own programs. Whilst they tend to be quite specific about the tasks that need to be carried out translating those tasks into clearly understood job descriptions, roles or responsibilities is not so straight forward. This has the dual impact of retarding external recruitment and overlooking potential internal candidates. The end result is that positions remain unfilled and many in industry believe that there is a real and severe shortage of privacy skills.
Outsourcing may provide access to resources but ultimately with all privacy related matters responsibility remains with the organisation and so knowledge and skills are still required in order to run a selection and evaluation process that identifies partners with the right experience.
Alternatively, requisite knowledge can be developed through formal training and certification. The International Association of Privacy Professionals (IAPP), considered to be the gold standard for privacy education and certification, offer programs to cover privacy regulation (CIPP), privacy project management (CIPM) and privacy technology (CIPT). Earlier this year ISACA who have long since been involved in providing training and certification in information security, risk management and governance, launched its own Privacy Engineering certification program aimed at engineers who want to demonstrate that they have the knowledge and practical skills to implement privacy by design. There are also sector specific programs. The International Information System Security Certification Consortium (ISC2) HCISPP, for example, equips healthcare professionals with the knowledge to implement privacy best practice in healthcare settings.
As far as training is concerned there is no shortage of options to choose from and these programs are well subscribed. However, whilst industry is decrying a severe shortage of qualified professionals, discussions within professional interest groups highlight the lack of opportunities. Paralegals with several years’ experience are not able to transition into even junior privacy roles. Seasoned security architects with a deep knowledge of technical and operational controls necessary to deliver privacy by design find it difficult to move into privacy roles and business analysts with a deep understanding of their sector are not regarded as suitable for analyst roles in privacy. If we take a broader view of privacy these skills are obviously relevant so the issue here must surely relate to tapping into transferable skills. This in turn points to general lack of understanding regarding the knowledge and skills that are most useful to the broader range of privacy roles and how to identify them.
Describing Privacy Knowledge and Skills
One way of alleviating this problem is to be clear about how privacy roles and the knowledge and skills required to fulfil them are described. The Workforce Framework for Cybersecurity –published by the National Institute of Standards and Technology (NIST) provides a model for how this could be achieved. It is an aide for employers and professionals to better understand the work that needs to be carried out and the skills that are required.
NIST published their own Privacy Risk Management framework at the start of year and, as part of its on-going development, are creating a privacy workforce taxonomy to help build an appropriately skilled workforce. The taxonomy will provide a common language and structure for the definition of privacy roles, responsibilities and the skills required to support those roles. The ambition is that organisations will be able to use the taxonomy to develop their workforces in a way that ensures that an appropriate mix of knowledge and skills is available.
In collaboration with the IAPP, NIST is running an on-line workshop - “Growing a Workforce for Managing Privacy Risk” to start the process of developing the workforce taxonomy. As with development of the Privacy Framework, NIST seeks inputs from a broad range of contributors who are actively involved in, or concerned with, privacy risk. Amongst other things this presents an opportunity to expand the description of privacy roles, relevant knowledge and applicable skills so that privacy teams of the future are better able to cope with the range of technologies, business and consumer engagement models that innovation is constantly delivering.
This initiative is well placed to help develop a better understanding of the range of roles, work and skills that are important to the industry but to sound a note of caution, a particular challenge arises if the taxonomy is unable to change fast enough to cope with the ways and speed with which technology and regulation impacts tasks that need to be achieved.