Data privacy skills are in high demand, offering opportunities for technologists and compliance professionals to gain new abilities that are critical in today's evolving regulatory environment.
Businesses are trying to comply with new regulations on collecting customer data. In addition, technology teams that handle this data must be very clear about tracking and managing it, including its categorization and storage.
Data privacy specialists also must know how to protect sensitive data, making it inaccessible to those who shouldn't see it, and ensuring it is protected from breach. As you can see from the following chart, generated via data from Burning Glass (which collects and analyzes millions of job postings from across the country), technology consultants and cybersecurity professionals are those most often tasked with data privacy—but as concerns about the sanctity of data increase, more technologists will need to have data-privacy skills:
Kevin Dunne, president at Pathlock, a provider of unified access orchestration, suggests that, for those looking for a career in data protection and privacy, the International Association of Privacy Professionals (IAPP), which offers the Certified Information Privacy Professional (CIPP) certification, is a good place to start for remote or in-person learning.
“For many just starting out in their career in data protection, a CIPP certification will be the best starting point,” he said. “From there, they can add on other certifications depending on how they want to specialize or progress their career.”
Alphabet Soup: Get to Know GDPR, CCPA, GRC, and More
Dunne said data protection regulations such as the EU’s General Data Protection Regulation (GDPR) and theCalifornia Consumer Privacy Act (CCPA) are core tenets of an overall Governance Risk Management and Compliance (GRC) program: “Typically, what data privacy specialists do will feed into overall tools that measure GRC program health, including progress towards compliance and audit progress.”
In larger companies with a wealth of customer data, there might be specialized data privacy teams or even departments specifically tasked with reporting to the overall GRC program on GDPR or CCPA compliance. In smaller companies, meanwhile, there may be a need for individuals to focus on data protection alongside other types of compliance such as ISO 27001 or Sarbanes-Oxley Act compliance.
“Depending on the structure of the organization, data privacy specialists may want to expand their breadth of technology expertise into other areas of GRC, including third party risk management, identity and access management (IAM), audit workflow management, and integrated risk management,” Dunne said.
Translating Law to Technical Specs
Data privacy engineers and leaders have to be able to translate regulatory requirements (from GDPR or CCPA, among others) to technical requirements that apply to engineers and analysts. According to Mohit Tiwari, co-founder and CEO at Symmetry Systems, a specialist in data storage and object security, doing so requires understanding the limits of what privacy technologies can and cannot do.
“This means working out which precise use-cases—if any—fit the use of more dated or limited technologies like tokenization or k-anonymity,” he said. “Internal data management is hard in large, legacy, or fast-moving environments. Companies have built tools like DataHub to do this, but the vast majority of companies rely on manual processes for this.”
As Tiwari also noted, privacy management is a fragmented space, with some solutions for data inventory and a separate set of solutions for access governance, including data store access control, cloud IAM, with many organizations relying on substantial custom tooling to manage data. Data privacy specialists must have an understanding of what GRC entails, how it transcends IT, security, privacy and risk corporate-wide, and not be siloed to only one organization within an enterprise.
“I would recommend learning identity and access management—both on the cloud and specific to SQL, NoSQL, graph, time-series, or analytics—and how to scale through DevOps-like processes for authorization and detection-response,” he said.
Finally, he recommended learning the legal requirements and translating user or societal concerns, such as the right to be forgotten or segregation of duties, into engineering-level mechanisms, such as data store deletion capabilities or access to customer data.
For David Gochenaur, senior director of cybersecurity at Ensono, essential skills in data privacy begin with an understanding of information security, risk management and the ability to translate control gaps into risk for business leaders.
“The ability to understand technical concepts and discuss them with technical leaders, such as when, where and why to apply encryption, is another foundational skill for data privacy professionals,” he said. “Overall, strong communication skills, especially an ability to communicate with senior leaders, will help when the time comes to discuss the value of technical concepts.”
When it comes to Governance Risk Management, specialists must have an understanding of threats and risk management as it relates to the data that is being protected. “Knowledge of international privacy law and how information is stored in the cloud also play a key role in data compliance,” Gochenaur said, noting how ServiceNow, Navex and SAP GRC are all important tools on that front.
Pathlock‘s Dunne said he thinks the future is bright for data protection specialists in the U.S., given the increasing regulations around data privacy (and higher stakes for non-compliance). He pointed to Virginia’s recently joining California in creating its own Consumer Data Protection Act as an example of new regulations forming data privacy and data protection expectations: “As further regulations arise, there will be a need to evolve data protection strategies, which should create a continuing, long term need for trained data protection specialists.”