Plenty of Progress Still Needed on the Privacy Landscape

Author: Yunique Demann
Date Published: 26 January 2022

2021 was an eventful year for privacy with the emergence of new legislation such as the California Consumer Privacy Act, Brazilian General Data Protection Law and China Personal Information Protection Law. These changes have forced organizations to adhere to a mix of privacy compliance requirements, increasing the demand for privacy professionals.

Privacy professionals generally fall into two categories: legal/compliance and technical. Legal/compliance privacy professionals have knowledge and experience of laws and legislation, while technical privacy professionals have expertise in privacy technologies.

Like in the early days of IT security, organizations have struggled to find qualified individuals with practical experience, leading to privacy teams of one or legal/compliance/security teams performing dual roles to keep up with the evolving privacy landscape.

In ISACA’s new Privacy in Practice 2022 survey report, sponsored by OneTrust, 25 percent of respondents had open privacy legal/compliance roles and 31 percent had open technical privacy roles. This helps explain why legal/compliance/security teams are taking on privacy responsibilities in addition to their day jobs while waiting for those roles to be filled. However, in doing so, these teams must adhere to GDPR Article 38(6), ensuring there is no conflict of interest in their responsibilities. Although taking on data protection responsibilities in the short term alleviates the problem of not having a designated data protection officer, these individuals need to make sure that their tasks and duties do not result in a conflict of interest with their privacy responsibilities.

Balancing the short term and the long term
To address the immediate privacy gap, having other teams support privacy helps organizations manage their privacy obligations. However, this approach should not be considered a long-term solution, and management should consider training internal candidates who may be interested in privacy to fill those roles in the likely event that the lack of qualified individuals in the market continues to be an issue. Demand for skilled privacy professionals greatly outstrips the supply, as agreed by 72 percent of survey respondents who said that the demand for technical privacy professionals will increase in the coming year and 63 percent who said the same for legal/compliance privacy professionals. Hiring contract privacy positions can be seen as one approach to addressing the skills gap, with 36 percent of organizations doing this, but this carries its own risk of knowledge loss when the contractor leaves.

As mentioned, privacy shares many similarities with IT security, especially in the early days of IT security when there were differing views on where IT security should report into. As shown in the ISACA privacy report, only 21 percent of respondents said that the Chief Privacy Officer (CPO) is accountable for privacy, with 25 percent saying it should be the Chief Information Security Officer (CISO) and 14 percent saying the Chief Executive Officer (CEO). GDPR Article 39 describes the tasks of a data protection officer, a role that requires dual knowledge of the legal landscape and IT security controls – a role that could easily fall under the CISO, but due to its importance I would recommend accountability falling under a dedicated professional such as the CPO.

Overall privacy strategy is needed
Day-to-day privacy management requires operational privacy tasks. However, these tasks must be part of an overall privacy strategy. Most respondents believe the top three privacy areas under their responsibilities are privacy strategy (66 percent), training and awareness and privacy governance (64 percent) and reporting to management or privacy stakeholders (62 percent). As a privacy professional or someone working on a privacy team, one of the immediate tasks that should be performed is a privacy assessment to understand what the current state of privacy is within your organization. From that initial task, you can create a privacy strategy and set up a privacy governance framework. Reporting to the board should be ongoing so the board is aware of the status of the privacy program. Once the strategy and governance are addressed, privacy training and awareness should take place.

Privacy training should not be one-size-fits-all, as this leads to it becoming a tick-in-the-box exercise. Annual privacy training should be given, and it should be separate from security awareness training. Additional role-based training should also be given to teams that require more day-to-day guidance. Around two-thirds of organizations that have privacy teams made of around 12 individuals tend to have privacy and security awareness training separate, but it seems to be more common for organizations to combine privacy and security awareness training. Although there are similarities between the two, they are different, and to not highlight those differences puts an organization’s workforce at a disadvantage.

Privacy by design is a good example of where additional privacy training should be provided – 63 percent say that not building privacy by design in applications or services is a main privacy failure that enterprises experience. This could be because of lack of resources, competing responsibilities or lack of training. Organizations with larger privacy teams practice privacy by design more often, which is understandable. The bigger you are, the more resources can be devoted to privacy programs. I also think there is another element at play: the greater your organization’s understanding of its privacy needs, the greater the senior-level support, and the more precise your implementation of privacy governance within your organization.

Progress still needed
Although privacy has come a long way, it still has some way to go before it is given the same considerations as IT security and legal compliance, including a corresponding budget and team to effectively manage its implementation. The shortage of qualified individuals means that organizations are going to have to be competitive and demonstrate to prospective candidates that they take privacy seriously and have the people, technology and resources to do so.

Changes on the privacy landscape are not slowing down, and 2022 promises to be an interesting year. In a landscape that is changing so quickly, preparation is key.