TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | For Privacy Pros: A Look At Your Job Tomorrow Related reading: Catching up on IAPP GPS 2024 keynote speeches



It is pretty obvious that the privacy profession is changing fast.

Once the realm of an elite of nerdy specialists, the profession is opening up to include a whole range of professionals with a variety of talents, training and skill sets. And whilst the complexity of the challenges faced by those with responsibility for managing information, protecting data and safeguarding individual privacy remains as high as in the early days, the implications of addressing those challenges correctly are becoming exponentially greater. If we succeed, we will not only have contributed to the prosperity of future generations, but we will have also done our bit to preserve everyone's freedom.

Going forward, our success as guardians and developers of the information society will depend on our ability to understand and effectively deal with the never-ending evolution of technology, the strategic and commercial value of personal data and the global nature of all data-reliant activities. With that in mind, here are some of the issues that we are going to have to master in order to fulfil our duties as privacy pros:

  • Transparency 2.0 - Traditional and unimaginative transparency mechanisms have their days numbered. Long and legalistic privacy notices, in particular, are unlikely to serve their purpose going forward. Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible. Our responsibility in this regard will be to understand and communicate sophisticated uses of personal information in a way that is also understood by others no matter the interface or situation in which the information is collected.
  • Anonymisation - Yet to be exploited fully, the idea of performing some magic to personal information so that such information is no longer personal data may not be the perfect solution, but it is an extremely valuable way of safeguarding our privacy whilst still making the most of the data. Don't panic! Privacy professionals need not become algorithmic maestros, but we must at least have some faith in the ability of anonymisation techniques to help us make the use of personal information less intrusive.
  • Privacy (thinking) by design - Let's face it, having a legal obligation that limits the amount of personal information to be collected, used or retained to the absolute minimum is never going to work because it is at odds with today's and tomorrow's information economy. However, being prepared to consider the possible harmful effects that any data activities may cause at the outset and doing something to avoid them should be at the top of the list of all privacy professionals.
  •  Security by default - Data security does not mean data choking, but applying the appropriate security measures to protect data should be non-negotiable. Furthermore, whatever the correct security measures are, they should always be deployed from within the technological applications and as those applications are developed—not as an afterthought. More than ever, privacy pros and security pros must join forces to deliver protection at the earliest possible stages of every process.
  • Relying on safe global vendors - Can a customer of any data processing service realistically have full and exclusive control over the data being processed? If the answer is no, and it will be invariably no, how can this be reconciled with the duties placed by the law on that customer? Responsible vendors have no choice but taking it upon themselves to adopt the right practices. So privacy professionals should be looking out for those vendors that are prepared to guarantee that wherever in the world the processing takes place—even in the cloud—the data will be protected under universally applied and internationally recognised standards.
  • Giving something back - As individuals' control over their own data declines and is replaced by the principle of benefiting from the value of that data, it will be the privacy professionals' responsibility to assess and identify what may qualify as appropriate benefits compared to the value derived from the exploitation of such data. From access to our own data to transparent profiling, the future role of the privacy professional is likely to involve turning the output into valuable benefits for those individuals who generate the information in the first place.
  • Privacy impact assessments - From a privacy professional's perspective, one of the greatest advantages of PIAs is that they are the most effective tool to safeguard people's privacy without closing the doors to innovation and progress. We must master the art of doing PIAs—from the very simple to the hugely elaborate—in ways that are seen as delivering benefits for both individuals and organisations.
  • Team privacy - Ultimately, getting privacy right within an organisation is a team effort. Many of those with responsibility for protecting data and safeguarding people's privacy will not even have the word “privacy” in their titles, but working as a team of professionals who are united in their quest for pragmatism and effectiveness, and who can keep an eye on how things are done within their respective sphere of influence, will be the only way of realising our goal.

Much work remains to be done, but with a bit of creativity, some effort and, above all, confidence in our ability to succeed, our jobs will be as fulfilling as the future can promise.


If you want to comment on this post, you need to login.

  • comment Jim • Mar 13, 2014
    An elite of nerdy specialists? It sounds like you are describing statistical inference or operations research. The IAPP was founded by lawyers, none of whom appear to have the least bit of technical know-how. It was compliance driven, and the underlying legal principles are very intuitive and simple compared to areas like tort law. 
    I see nothing 'nerdy' about the major figures in the development of data protection law. Arthur Miller, Alan Westin, David Flaherty and the like all had a background in the humanities, not technology or science. Most privacy professionals couldn't program "hello world", let alone understand anonymization algorithms. How on earth can you 'have faith' in anonymization and choose appropriate techniques if you can't read any of the papers that describe those techniques? You can't.
    The privacy profession is very good with buzzwords like "privacy by design", but practitioners completely lack the background needed to translate those into practical guidance for actual developers of products. I see no engineering methodologies, apart from high level guidance. Michelle Dennedy's latest book is a case in point. It is a good book, but it does not deserve to have 'privacy engineering' in its title. 
    This sort of article is preaching to the choir. You people assume that you are smart and savvy, but in reality you have a little cloister of likeminded lawyers who come from a compliance background. The lack of diversity and hard skills at the IAPP is one of its greatest problems.
    I think the profession is going to change. I can already see a role for people with a background in communications, IT, security, corporate education, applied ethics and the like. Future legal counsel in the privacy space should really have a multidisciplinary background, instead of relying on a very limited skill set and a compliance mindset. 
    Also, it really helps to stop tossing around buzzwords and actually put some content into them. There are researchers out there who are interested in creating proper methodologies for privacy by design, for instance. Why not network with them and get them involved, instead of merely reiterating the same vague statements every year. (Cavoukian, I am talking about you).
  • comment Trevor • Mar 13, 2014
    Hi Jim
    I think you are dead-on right in your comments.  Privacy cannot be the exclusive realm of law and compliance in the future.  We will need professionals who can speak fluently across the domains of law, technology, and management.  
    Last year, the board of the IAPP engaged in some strategic planning that identified exactly this need.  However, our expectation is that we cannot expect professionals to emerge with all of these skills -- it is simply to much education to expect of any one person.  Rather, we are predicting that legal/compliance/ethics pros will need to know "enough" of the IT realm to effectively converse with their IT counterparts.  Conversely, IT pros (and InfoSec pros, and audit pros, and HR pros) will need decent issue spotting capabilities in the fields of privacy law and privacy risk (because not all privacy risks are legal in nature).
    The IAPP is working to build bridges across these divides.  Our IT certification will re-launch this fall as a completely renovated designation.  We were out in force at the RSA show two weeks ago, sharing knowledge of the privacy field with our InfoSec colleagues.  And we are actively partnering with the Cloud Security Alliance to produce the IAPP Academy in San Jose this fall.  Strategically, we are very much focused on connecting legacy privacy pros (law and compliance folk) with vanguard of privacy management (just about everyone in the digital economy).
    We also need better frameworks for managing privacy and assessing risk.  But those frameworks need to build from common understandings of the issues involved.  Given the inchoate nature of privacy -- with risks shifting based on context, culture, and personal preference -- that is a very tough job.  Not impossible, but tough.
    I am encouraged by PbD, and efforts to move towards accountability models and risk-based responses.  We need more meat on the bone, to be sure.  But the work is promising and, more importantly, progressing.
    Great post.  Great thinking.  Feel free to call the IAPP office...   would love to chat even more about it.
    And BTW -- I was an early privacy pro in the late 1990s.  And even though it was not completely tech-driven, it felt very nerdy.  
  • comment Eduardo • Mar 13, 2014
    By 'nerdy specialists" I meant people who irrespective of their background felt at ease talking about data controllers, data processors and data subjects; people who were frown upon because they throught the protection of data was a top priority and a fascinating discipline; people who would have trouble getting understood at dinner parties when explaining what they did for a living; and above all, people who followed their instinct and pursued a career in a profession which they loved and saw as intellectually challenging as humanly rewarding even when most other people could not understand that.  We used to be a minority.  
    I was one of them.  Still am.  :)
  • comment Aurelie Pols • Mar 14, 2014
    Funny how you guys post using first names, not used to that ;-)
    I'm not much for labels but having a statistical & digital background, now increasingly caring about data protection (I don't like the word Privacy, it's too vague and people get stuck into trying to define it), I'd like to claim the nerdiest of nerds title. For what ever it’s worth!
    And I would also like to say that I disagree with Eduardo about data minimization: we don't live in mainframes world anymore where you had to collect everything "just in case" because it was too complicated to get your hands on the data afterwards. Big Data will only kill the Privacy framework if you’ll let it!
    My world is one of lean analytics: pick up the data you need for your specific purpose, reach out to the Privacy officers to start a discussion and find ways of collaborating, securely.
    I’m happy to read the IAPP reached out to RSA but I’m still waiting for you guys to reach out to the analysts. Now maybe Trevor I’ve missed something, and my sincere apologies for that, but a dialogue with the people actually collecting the data should now be at the forefront, not only the security guys. Maybe see you at eMetrics in San Francisco?
    In the last 2 years, I’ve been exchanging digital analytics best practices with my lawyer colleagues. Every time I explained something to them, they rolled their eyes “really? You’ve been doing that?” and that was just talking about tags and cookies! My industry has moved onto digital fingerprinting for almost 2 years now and I won’t even start talking about cookies re-spawning, swapping, etc. 
    It’s high time to move indeed beyond legal & compliance as Trevor mentions because simply the misunderstanding of technology makes most of the questions asked during audits or PIAs turn those exercises into a farce. And honestly, it’s way too easy for us “technology people” to fool the legal guys about what we’re up to ;-)
    Eduardo mentions teams and I agree, that’s what I’m also seeing within Data Governance Councils: legal and compliance with technology and analytics, working together, challenging one another. 
    I also see an opportunity within the IAPP that was best resumed by Michelle Denedy in her introduction “I care because the "Privacy engineering" framework, methods, and processes the authors have put together are critical enablers to unlock value from data. However strange that may sound (after all, isn't privacy all about preventing companies from gaining access to customer data?), it makes sense when you consider the complexity of dealing in practice with the absurd amounts of data individuals, companies, and governments are producing at an accelerating pace. The keyword here is complexity.”
    And I truly believe that: it’s complex and a bloody mess to be honest. Hopefully, and I’m maybe being naïve here, great associations like the IAPP, working together with other actors, can bring some order to the data frenzy Wild West. The book in itself can indeed be criticized as Jim mentioned. 
    Now we really, really need to move on and this can only be done through dialogue between the parties involved.
    I’m preparing a workshop in June in Berlin, gathering analytics people with compliance and privacy professionals to exchange thoughts and best practices. Hopefully some of you reading this blog will find the time to join, share and build a brave new data driven world:
  • comment Mirena • Mar 18, 2014
    I totally agree with this!