Promoting privacy to your IT group: The CIPP/IT pilot project

“I found that by preparing for the CIPP/IT certification I was able to develop an appreciation and a level of awareness for privacy I didn’t have before. I believe this awareness will allow me to think broader and consider impacts beyond the immediate solutions.“ — Employee, Walmart Stores, Inc.

“The training heighted my awareness when considering data and its sensitivity.“ — Employee, California Office of Privacy Protection

“It made clear the increasing overlap and interdependence between privacy and IT security.“ — Employee, Hewlett-Packard Corporation

And so has been the response to the CIPP/IT, the IAPP’s newest privacy certification, which was recently introduced to the IT departments of various IAPP member organizations through a pilot project organized by the IAPP and profiled at a recent networking session by IAPP Assistant Director Peter Kosmala, CIPP.

Just as the CIPP/G is aimed at U.S. government employees and the CIPP/C is tailored for the Canadian privacy professional, the new CIPP/IT designation has been created to suit a specific audience: IT professionals. The CIPP/IT establishes educational and testing standards in IT privacy while objectively assessing the understanding of data protection principles and practices in the design and development of IT products and services, Kosmala explained.

The CIPP/IT credential has been designed with an eye toward those professionals who are responsible for the creation, testing, implementation or auditing of IT products and services—including enterprise system architects, information security professionals, software developers and risk compliance managers, to name a few—for private- and public-sector organizations. It also benefits privacy, risk management and compliance professionals who desire more knowledge about the intersection of privacy and IT.

In developing the new credential, the IAPP coordinated its CIPP/IT Case Study Project to explore the process and results of bringing the program to varied IT groups. The project involved a state/government agency, the California Office of Privacy Protection, as well as global retail corporation Walmart Stores, Inc., and international technology company Hewlett-Packard Corporation. Participants went through CIPP/IT training and tested to receive their certification. The case study included an extensive interview process as well as analyses on the privacy concerns and understanding of the participants both prior to and after the CIPP/IT training and testing.

The six-part CIPP/IT program focuses on the information lifecycle from the IT perspective, end-user privacy expectations, privacy protection mechanisms, providing notice and choice, auditing and enforcing IT privacy compliance, and implementing technologies with privacy impacts.

Kosmala was joined by Walmart Privacy Director Sol Bermann, CIPP; Minnesota Privacy Consultants President Jay Cline, CIPP, and Susan Smith, CIPP, privacy officer for Hewlett-Packard Company’s Americas Region, in sharing the outcomes of the pilot project with IAPP members at the recent Global Privacy Summit in Washington, DC, in April.

The session was aimed at organizations considering pursuing IT privacy certification as well as those seeking more information on the topic of IT privacy. The panelists shared reactions from IT developers and engineers, information security, physical security and IT compliance professionals on ways the CIPP/IT informed the day-to-day work they do as well as helped them meet the privacy and security challenges they face.

Essentially, Kosmala said, the CIPP/IT is for those responsible for any phase of the IT process as privacy professionals who want to be better versed in information technology.

Smith, too, pointed out that the credential is not just for IT professionals, noting how important it is for marketers and privacy professionals to understand the IT part of the equation and how it relates to privacy implications.

When it comes to balancing privacy and technology, Kosmala explained, the CIPP/IT education and assessment provides a way to facilitate dialogue between the IT, information security, privacy and compliance groups within an organization.

The feedback from the pilot participants and the outcome of the training and assessments has indicated that the CIPP/IT increases IT professionals’ comprehension of what constitutes personal data and privacy incidents and can help boost their engagement on privacy issues.

Moreover, Kosmala explained, the case study results demonstrated how the CIPP/IT measurably improves the ability of candidates to spot privacy issues across a variety of common IT functions and processes and then escalate or delegate these as necessary.

In summing up the CIPP/IT for the audience at the recent Global Privacy Summit, Bermann noted, “It’s been a great bridge-builder,“ providing a much higher level of understanding between privacy and IT.

And in response to audience members’ questions on how the CIPP/IT will affect personal opportunities, Cline said, “Having this certification can only help you.”