6 PRIVACY NEW KIDS ON THE BLOCK. The New Privacy Sub-Professions for a post May 2018 GDPR world.
Listen to the podcast version of this post on iTunes and Podomatic
My last post discussed the market demand created by GDPR and the new entrants into the world of Privacy: some who genuinely want to embrace and immerse themselves in a rewarding profession, and others, the so-called “GDPR Experts”, who see the next 7 months to compliance as a great opportunity to capitalise on the fear, uncertainty and doubt surrounding GDPR.
Whether you’re a seasoned Privacy professional or a new entrant to the market, there is one undeniable fact – the Privacy market and landscape is changing and it’s going to look very different post May 2018.
For the majority of the past 20 years, Privacy (or Data Protection as it’s known to many) has been led and pretty much owned by lawyers and other legal professionals, partly because Privacy / Data Protection was enshrined in a directive or law and so the interpretation, guidance and application was left to those who had the background, qualifications and experience in dealing with law.
More recently, Compliance, Risk and even Information Security professionals have been accountable for Privacy / Data Protection in their respective organisations, leveraging their experience in documenting, overseeing and challenging the organisation’s risk and control environment.
Privacy risk like all other risks can be managed or mitigated through embedding organisational and technical controls.
Those who branched out into Privacy would be challenged by their in-house legal teams or external law firms on whether they had the right background, qualifications and experience to advise on a matter of Law.
However there was hope – organisations like the International Association of Privacy Professionals (IAPP) and BCS/ISEB started offering qualifications/certifications on Privacy and Data Protection, and so those who wanted to prove they had the right knowledge to support their organisation could place reliance on a Privacy badge of honour.
But until now most Privacy professionals have been generalists – advising on and implementing the broad spectrum of Privacy / Data Protection legal requirements. In the new world, there will continue to be Privacy generalists, but the Privacy profession is going to give rise to multiple million to billion dollar specialist Privacy industries, spurred on by GDPR but also by the ever-changing technology landscape.
Information Security (aka Cyber Security) is a great example of another industry that, due to its continuing moment in the spotlight (really great infographic), has created a number of offshoots which are industries in their own right, supported by specialist skills which are very much in demand. These industries include:
- Identity and Access Management
- Threat Intelligence
- Ethical Hacking
- Incident Response
For a comprehensive view of Security domains – see the following blog post:
6 Privacy Sub-Professions
1 – TRUST Marketing Specialists
The old way of communicating with customers regarding how an organisation uses their data through long form, tiny font, legal terms and conditions will no longer be palatable. Many organisations are focussing on developing a TRUST relationship with their customers through open and transparent dialogue about how they use personal data. Therefore communicating through engaging content can increase and solidify this trust.
GDPR mandates a change in how to inform data subjects of the processing activity and when to seek consent, but established technology firms and tech start-ups are already on the front foot in raising the minimum expectations of users (whether these expectations can be lived up to is up for debate). Every time you glance at your phone, Google, Facebook, LinkedIn and other platforms are subliminally informing you that your Privacy is important and that they care! So regardless of GDPR, every industry is going to have to find a better way to engage with their customers/users if they want to leverage and, where possible, monetise the personal data they process. With this in mind, a new breed of Privacy specialist is required who:
- understands user/customer engagement strategies
- can uncover the best way to sell the value proposition so that an individual will proactively share their data
- knows how to maximise opt-in consent.
The skills these professionals bring to bear will ultimately impact revenue and so will be heavily sought after. Therefore I envisage existing marketing professionals branching out to meet the demand head on by immersing themselves in Privacy.
For good vs bad examples of Privacy Notices, check out the ICO Guidance here
2 – Data Subject Rights Specialists
As a reminder, GDPR provides for the following individuals’ rights:
- The right to be informed
- The right of access (e.g. Data Subject Access Request)
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Until now, it was very possible that every time a data subject complained or wanted access to their information, all queries would be directed to the Data Privacy Officer or in-house or external legal counsel, for them to opine on the request and provide guidance or even respond directly to the request. In the main, this process has worked because of the low volume of requests and the time window for response, but as we move closer to May 2018 and beyond, there is a significant likelihood that once informed about their new rights, data subjects (i.e. you and I) are more likely to want to exercise those rights. Therefore, there will be a need for Privacy specialists who know how to triage requests, apply appropriate derogations and be considered in their interactions with data subjects to achieve the best outcome for both parties.
Post May 2018, some organisations may not have the time or resources to forever escalate to the DPO / legal counsel, and so there will be a demand for Privacy professionals who understand the individuals’ rights in depth and can manage them without the need for further escalation or oversight.
3 – Privacy By Design (PbD) Specialists
The GDPR encourages organisations to ensure that Privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle (and so does the UK ICO). For example, when:
- building new IT systems for storing or accessing personal data;
- developing legislation, policy or strategies that have Privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes
PbD specialists are likely to become organisational “Privacy Architects” who have deep technical knowledge of Privacy but also of:
- Software development lifecycle
- Change Management
- System Architecture & Design
I expect that these individuals will not only be advocates of Privacy best practice in the organisation but also one of the DPO’s greatest allies in highlighting and escalating risk to personal data in any organisational change (they may also own the Privacy Impact Assessment process) and in embedding Privacy into all critical operational processes.
4 – Third Party Privacy Oversight Specialists
Third Party (e.g. suppliers, contractors, joint ventures etc.) risk is well known, and many organisations have bolstered their due diligence and ongoing monitoring of critical third party suppliers over the years, especially as third parties have been known to be a weak link for security. The use of third parties has increased significantly over the years due to outsourcing and technological advancements, and so in many cases third parties are a vital part of a company’s ecosystem.
The challenge is that in order for organisations to discharge their responsibilities as Data Controllers under GDPR, they are going to have to get a lot closer to understanding the personal data processing activities of their third parties, and even fourth and fifth parties.
To support the likely demand, there will be a need for contract specialists who understand the third party relationships in depth and are adept at baking specific requirements over processing activity into contracts with data processors. Boilerplate templates which describe responsibilities in general terms will no longer be fit for purpose for high risk third party relationships.
There will also likely be demand for professionals who can review and assess the Privacy framework and controls of third parties in order to validate whether the third party can actually deliver on the promises made in the contract. Though existing third party / vendor due diligence teams can be up-skilled, in the same way that security vendor risk assessors are a sub-specialism, Privacy vendor risk assessors are likely to become a sub-specialism too. Why? Because the assessors will need to understand Privacy in depth in order to assess the third parties with confidence.
CLICK HERE for a great article on third party risk under GDPR
CLICK HERE for the ICO’s consultation paper on contract liabilities between data controllers and data processors
5 – Privacy Awareness / Training Specialists
There has been a significant shift in thinking regarding who actually owns personal data. In the past many organisations may have felt that, as the provider of the platform and tools to create and share the data, the data belonged to them – but more recently organisations have started to realise that the data is not theirs, it belongs to the person that provided it, and many of the individuals’ rights under GDPR emphasise this fact. Organisations are just the (safe) custodians of the personal data they process. This statement is only partly correct; in fact every person working in the organisation is also the safe custodian of any personal data they come into contact with. But employees don’t always consider this, and so
no matter how many web based learning modules are mandated, employees continue to be a weak link
This is best pictorially described in the infographic below (source: Imperva). [Infographic not reproduced here.]
There will be a need for Privacy training / awareness specialists who have the talent to create and deliver compelling content and courses to raise the internal awareness in organisations regarding how personal data should be used, managed, protected and respected.
6 – Privacy Technologists
To put it mildly, GDPR has given rise to an industry of new technology players and existing technology firms who have pivoted to include tools and widgets to support organisations on their compliance journey. Great examples include Microsoft’s GDPR solution and also the plethora of solutions for every Privacy challenge imaginable, as outlined by the IAPP Privacy Tech Vendor report.
Technology solutions exist for (to name but a few):
- Data Discovery
- Data Mapping
- De-identification / Pseudonymisation
- Incident Response
- Consent Management
- Governance and Activity Monitoring
- Website Scanning
- Enterprise Communication
In order to know what solution to apply to a given Privacy scenario, the industry will need to support the creation of Privacy Technologists who understand the Privacy requirements (including Privacy by Design) at a deep level and have the ability to translate them into requirements for appropriate technology solutions.
In Information Security, a Head of Information Security Risk typically exists to perform oversight and governance of the security risk and control environment, with the implementation and operation of security technology solutions sitting squarely with the Chief Information Security Officer (CISO). The same concept may also apply to Privacy roles – the Data Privacy Officer performing the oversight, and a new role created for a Chief Information Privacy Officer (CIPO) who is accountable for the underpinning Privacy technology environment.
It is possible that existing roles such as the CISO may absorb or evolve into the CIPO role, but with the pace of change in both the security and Privacy technology environments, there may be market demand for true Privacy technology specialists. If you are interested in specialising in Privacy Tech, you can up-skill through certifications such as the Certified Information Privacy Technologist.
The Privacy world is going to look very different post May 2018.
If you are an existing Privacy professional you may be wondering how your role will change in this new future and what your place will be in your organisation’s Privacy operating model. The above are just 6 possible niche occupations in our already very niche profession, and there are likely to be more to come. Depending on your own interests, level of experience and passion for the topic, I’m confident that you will find a role in this new wave of opportunity.
If you are new to Privacy or interested in a Privacy career, now is the time to immerse yourself in the aspect of Privacy that captures your imagination the most. Learn, contribute and share your knowledge and the opportunities will present themselves for you to demonstrate your expertise in the Privacy profession.
“A rising tide raises all ships”, and so GDPR is a Privacy tide that raises all the ships in its path, creating a wealth of opportunities across many industries and professions!
See you on my next post and podcast – Stay safe and remember – “Information is a risky business”
About the author:
Jeremy Kajendran has over 13 years of experience in Information Security, Privacy and Risk Management. Jeremy leads Ernst & Young’s (EY’s) UK Financial Services Privacy Practice and is a Fellow of Information Privacy (awarded by the International Association of Privacy Professionals).
Views and opinions presented on inforisky.com, talks and podcasts by Jeremy are personal opinions only and in no way represent the views, positions or opinions – expressed or implied – of Jeremy’s previous, current, future employers, consulting customers or anyone else.