By Chetan Anand, Associate Vice President – Information Security and CISO, Profinch Solutions, and ISACA Global Mentor
With the ever-changing technology landscape, newly evolving privacy regulations (including a proposed Data Protection Bill in India) and demanding customer contractual privacy obligations, privacy skills are the need of the hour. Newer privacy laws and regulations require organisations to implement privacy by design and by default across the business, its IT systems, networks and applications.
These factors create plenty of opportunities for many professions such as privacy, information and cybersecurity, risk, legal and regulatory compliance and IT. Implementing a privacy program requires privacy professionals to work with business teams including support functions, software developers, system and network engineers, application and database administrators, and project managers to build data privacy and protection measures into new and existing business and technology environments.
Privacy professionals are often classified into groups including:
- Legal / compliance: those who have a knowledge of the laws and regulations around privacy with which an enterprise must comply
- Technical: people with an expertise in the technology that can achieve privacy objectives
- Techno-legal: those who are competent in both technical and legal aspects with respect to privacy
Currently, the industry is understaffed in technical privacy roles, and the demand for privacy professionals is only expected to increase over the next year. According to ISACA’s recent Privacy in Practice 2022 survey report, 63 per cent of global respondents anticipate increased demand for legal/compliance roles, and 72 per cent expect more demand for technical privacy roles.
The survey also found that global respondents cite the top skills gaps in candidates as experience with different technologies and/or applications (65 per cent), understanding the laws and regulations to which an enterprise is subject (50 per cent), experience with frameworks and/or controls (50 per cent) and lack of technical experience (46 per cent).
Along these lines, it is important for those pursuing a technical privacy career to develop skills in implementing privacy by design and privacy by default; delivering privacy induction, training and awareness; conducting privacy impact assessments and privacy risk assessments; performing privacy internal and supplier audits; and addressing privacy breaches and managing incidents. Privacy professionals should also be able to correctly translate privacy rules, laws and regulations into technical requirements. Additionally, skills in information and cybersecurity, as well as soft skills such as communication and leadership, are important.
Privacy professionals should also have relevant experience in privacy governance, privacy architecture and the data lifecycle. Per the Privacy in Practice 2022 survey findings, they should also be able to demonstrate knowledge of local and global privacy laws such as the EU’s General Data Protection Regulation (GDPR), the US’ California Consumer Privacy Act (CCPA) and India’s upcoming Data Protection Bill.
They also need to be well versed in privacy standards such as ISO/IEC 27701:2019 (Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines), ISO/IEC 29100:2011 (Information technology – Security techniques – Privacy framework) and BS 10012:2017+A1:2018 (Data protection – Specification for a personal information management system).
Additionally, it is important for professionals to be familiar with privacy frameworks such as the NIST Privacy Framework, the Association of International Certified Professional Accountants (AICPA) Privacy Management Framework, the Organisation for Economic Co-operation and Development (OECD) framework, ISACA’s COBIT (Control Objectives for Information and Related Technologies) framework, the OneTrust Privacy Governance Framework and the TrustArc-Nymity Privacy and Data Governance Accountability Framework. Professionals should also know their organisation’s own privacy framework, including its privacy policy, processes and procedures, privacy notices and privacy code for customers, suppliers and business partners, and its customer contractual privacy obligations.
Training and certification form an important component of competence as well. It can take time for privacy teams to fill both technical and legal privacy positions: the Privacy in Practice 2022 survey found that 22 per cent of global respondents took three to six months to fill technical privacy positions, and 24 per cent took the same amount of time to fill legal privacy roles. One reason the time to fill positions is so long may be the lack of qualified applicants. When hiring new privacy staff, managers often look at a candidate’s training and certifications to validate their expertise. Many technical privacy training courses and certifications are available in the market that privacy professionals can consider taking up in 2022, including ISACA’s Certified Data Privacy Solutions Engineer (CDPSE), OneTrust’s Professional Certification and Certified Fellow of Privacy Technology, and IAPP’s Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM) and Certified Information Privacy Technologist (CIPT).
Further, understanding how to drive privacy education and awareness and how to build a strong privacy culture at one’s organisation is also part of a professional’s overall competence. For those pursuing technical privacy roles, cultivating knowledge and experience in privacy governance, frameworks, regulations, privacy by design, communication and leadership will be just as important as developing key technical privacy skills.
People with an expertise in the technology that can achieve privacy objectives. It’s very important for every industry and for people as well.