For Privacy Pros: A Look At Your Job Tomorrow

It is pretty obvious that the privacy profession is changing fast.

Once the realm of an elite of nerdy specialists, the profession is opening up to include a whole range of professionals with a variety of talents, training and skill sets. And whilst the complexity of the challenges faced by those with responsibility for managing information, protecting data and safeguarding individual privacy remains as high as in the early days, the implications of addressing those challenges correctly are becoming exponentially greater. If we succeed, we will not only have contributed to the prosperity of future generations, but we will have also done our bit to preserve everyone's freedom.

Going forward, our success as guardians and developers of the information society will depend on our ability to understand and effectively deal with the never-ending evolution of technology, the strategic and commercial value of personal data and the global nature of all data-reliant activities. With that in mind, here are some of the issues that we are going to have to master in order to fulfil our duties as privacy pros:

  • Transparency 2.0 - Traditional and unimaginative transparency mechanisms have their days numbered. Long and legalistic privacy notices, in particular, are unlikely to serve their purpose going forward. Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible. Our responsibility in this regard will be to understand and communicate sophisticated uses of personal information in a way that is also understood by others no matter the interface or situation in which the information is collected.
  • Anonymisation - Yet to be exploited fully, the idea of performing some magic to personal information so that such information is no longer personal data may not be the perfect solution, but it is an extremely valuable way of safeguarding our privacy whilst still making the most of the data. Don't panic! Privacy professionals need not become algorithmic maestros, but we must at least have some faith in the ability of anonymisation techniques to help us make the use of personal information less intrusive.
  • Privacy (thinking) by design - Let's face it, having a legal obligation that limits the amount of personal information to be collected, used or retained to the absolute minimum is never going to work because it is at odds with today's and tomorrow's information economy. However, being prepared to consider the possible harmful effects that any data activities may cause at the outset and doing something to avoid them should be at the top of the list of all privacy professionals.
  • Security by default - Data security does not mean data choking, but applying the appropriate security measures to protect data should be non-negotiable. Furthermore, whatever the correct security measures are, they should always be deployed from within the technological applications and as those applications are developed—not as an afterthought. More than ever, privacy pros and security pros must join forces to deliver protection at the earliest possible stages of every process.
  • Relying on safe global vendors - Can a customer of any data processing service realistically have full and exclusive control over the data being processed? If the answer is no, and it will invariably be no, how can this be reconciled with the duties placed by the law on that customer? Responsible vendors have no choice but to take it upon themselves to adopt the right practices. So privacy professionals should be looking out for those vendors that are prepared to guarantee that wherever in the world the processing takes place—even in the cloud—the data will be protected under universally applied and internationally recognised standards.
  • Giving something back - As individuals' control over their own data declines and is replaced by the principle of benefiting from the value of that data, it will be the privacy professionals' responsibility to assess and identify what may qualify as appropriate benefits compared to the value derived from the exploitation of such data. From access to our own data to transparent profiling, the future role of the privacy professional is likely to involve turning the output into valuable benefits for those individuals who generate the information in the first place.
  • Privacy impact assessments - From a privacy professional's perspective, one of the greatest advantages of PIAs is that they are the most effective tool to safeguard people's privacy without closing the doors to innovation and progress. We must master the art of doing PIAs—from the very simple to the hugely elaborate—in ways that are seen as delivering benefits for both individuals and organisations.
  • Team privacy - Ultimately, getting privacy right within an organisation is a team effort. Many of those with responsibility for protecting data and safeguarding people's privacy will not even have the word “privacy” in their titles, but working as a team of professionals who are united in their quest for pragmatism and effectiveness, and who can keep an eye on how things are done within their respective sphere of influence, will be the only way of realising our goal.

Much work remains to be done, but with a bit of creativity, some effort and, above all, confidence in our ability to succeed, our jobs will be as fulfilling as the future can promise.

Written By

Eduardo Ustaran, CIPP/E


  • Jim Mar 13, 2014

    An elite of nerdy specialists? It sounds like you are describing statistical inference or operations research. The IAPP was founded by lawyers, none of whom appear to have the least bit of technical know-how. It was compliance driven, and the underlying legal principles are very intuitive and simple compared to areas like tort law. I see nothing 'nerdy' about the major figures in the development of data protection law. Arthur Miller, Alan Westin, David Flaherty and the like all had a background in the humanities, not technology or science. Most privacy professionals couldn't program "hello world", let alone understand anonymization algorithms. How on earth can you 'have faith' in anonymization and choose appropriate techniques if you can't read any of the papers that describe those techniques? You can't. The privacy profession is very good with buzzwords like "privacy by design", but practitioners completely lack the background needed to translate those into practical guidance for actual developers of products. I see no engineering methodologies, apart from high level guidance. Michelle Dennedy's latest book is a case in point. It is a good book, but it does not deserve to have 'privacy engineering' in its title. This sort of article is preaching to the choir. You people assume that you are smart and savvy, but in reality you have a little cloister of likeminded lawyers who come from a compliance background. The lack of diversity and hard skills at the IAPP is one of its greatest problems. I think the profession is going to change. I can already see a role for people with a background in communications, IT, security, corporate education, applied ethics and the like. Future legal counsel in the privacy space should really have a multidisciplinary background, instead of relying on a very limited skill set and a compliance mindset. Also, it really helps to stop tossing around buzzwords and actually put some content into them. 
    There are researchers out there who are interested in creating proper methodologies for privacy by design, for instance. Why not network with them and get them involved, instead of merely reiterating the same vague statements every year. (Cavoukian, I am talking about you).

  • Trevor Mar 13, 2014

    Hi Jim, I think you are dead-on right in your comments. Privacy cannot be the exclusive realm of law and compliance in the future. We will need professionals who can speak fluently across the domains of law, technology, and management. Last year, the board of the IAPP engaged in some strategic planning that identified exactly this need. However, our expectation is that we cannot expect professionals to emerge with all of these skills -- it is simply too much education to expect of any one person. Rather, we are predicting that legal/compliance/ethics pros will need to know "enough" of the IT realm to effectively converse with their IT counterparts. Conversely, IT pros (and InfoSec pros, and audit pros, and HR pros) will need decent issue spotting capabilities in the fields of privacy law and privacy risk (because not all privacy risks are legal in nature). The IAPP is working to build bridges across these divides. Our IT certification will re-launch this fall as a completely renovated designation. We were out in force at the RSA show two weeks ago, sharing knowledge of the privacy field with our InfoSec colleagues. And we are actively partnering with the Cloud Security Alliance to produce the IAPP Academy in San Jose this fall. Strategically, we are very much focused on connecting legacy privacy pros (law and compliance folk) with the vanguard of privacy management (just about everyone in the digital economy). We also need better frameworks for managing privacy and assessing risk. But those frameworks need to build from common understandings of the issues involved. Given the inchoate nature of privacy -- with risks shifting based on context, culture, and personal preference -- that is a very tough job. Not impossible, but tough. I am encouraged by PbD, and efforts to move towards accountability models and risk-based responses. We need more meat on the bone, to be sure. But the work is promising and, more importantly, progressing. Great post. Great thinking.
    Feel free to call the IAPP office... would love to chat even more about it. And BTW -- I was an early privacy pro in the late 1990s. And even though it was not completely tech-driven, it felt very nerdy.

  • Eduardo Mar 13, 2014

    By 'nerdy specialists' I meant people who irrespective of their background felt at ease talking about data controllers, data processors and data subjects; people who were frowned upon because they thought the protection of data was a top priority and a fascinating discipline; people who would have trouble getting understood at dinner parties when explaining what they did for a living; and above all, people who followed their instinct and pursued a career in a profession which they loved and saw as intellectually challenging as humanly rewarding even when most other people could not understand that. We used to be a minority. I was one of them. Still am. :)

  • Aurelie Pols Mar 14, 2014

    Funny how you guys post using first names, not used to that ;-) I'm not much for labels but having a statistical & digital background, now increasingly caring about data protection (I don't like the word Privacy, it's too vague and people get stuck into trying to define it), I'd like to claim the nerdiest of nerds title. For whatever it’s worth! And I would also like to say that I disagree with Eduardo about data minimization: we don't live in a mainframe world anymore where you had to collect everything "just in case" because it was too complicated to get your hands on the data afterwards. Big Data will only kill the Privacy framework if you’ll let it! My world is one of lean analytics: pick up the data you need for your specific purpose, reach out to the Privacy officers to start a discussion and find ways of collaborating, securely. I’m happy to read the IAPP reached out to RSA but I’m still waiting for you guys to reach out to the analysts. Now maybe Trevor I’ve missed something, and my sincere apologies for that, but a dialogue with the people actually collecting the data should now be at the forefront, not only the security guys. Maybe see you at eMetrics in San Francisco? In the last 2 years, I’ve been exchanging digital analytics best practices with my lawyer colleagues. Every time I explained something to them, they rolled their eyes “really? You’ve been doing that?” and that was just talking about tags and cookies! My industry has moved onto digital fingerprinting for almost 2 years now and I won’t even start talking about cookies re-spawning, swapping, etc. It’s high time to move indeed beyond legal & compliance as Trevor mentions because simply the misunderstanding of technology makes most of the questions asked during audits or PIAs turn those exercises into a farce.
    And honestly, it’s way too easy for us “technology people” to fool the legal guys about what we’re up to ;-) Eduardo mentions teams and I agree, that’s what I’m also seeing within Data Governance Councils: legal and compliance with technology and analytics, working together, challenging one another. I also see an opportunity within the IAPP that was best resumed by Michelle Dennedy in her introduction “I care because the "Privacy engineering" framework, methods, and processes the authors have put together are critical enablers to unlock value from data. However strange that may sound (after all, isn't privacy all about preventing companies from gaining access to customer data?), it makes sense when you consider the complexity of dealing in practice with the absurd amounts of data individuals, companies, and governments are producing at an accelerating pace. The keyword here is complexity.” And I truly believe that: it’s complex and a bloody mess to be honest. Hopefully, and I’m maybe being naïve here, great associations like the IAPP, working together with other actors, can bring some order to the data frenzy Wild West. The book in itself can indeed be criticized as Jim mentioned. Now we really, really need to move on and this can only be done through dialogue between the parties involved. I’m preparing a workshop in June in Berlin, gathering analytics people with compliance and privacy professionals to exchange thoughts and best practices. Hopefully some of you reading this blog will find the time to join, share and build a brave new data driven world: Aurélie

  • Mirena Mar 18, 2014

    I totally agree with this!

