If you are one of the IAPP’s more than 6,000 Certified Information Privacy Managers, you may have participated in a Job Task Analysis survey for the CIPM program last spring. While these important surveys fulfill an essential obligation as part of the IAPP’s ANSI-ISO accreditation, they also ensure we adequately keep a pulse on the evolving field of privacy as it relates to our certification programs. As the field evolves, so, too, should our exams. Below, you’ll find some highlights from the results of this survey. But first, a brief background.
The true value in the JTA survey comes from the information it elicits from our certified professionals. If you’ve taken one of our exams, you’re familiar with the Body of Knowledge that details the content our exam questions are drawn from. The JTA survey results help determine the content that is included in this essential scheme document by gathering data on two crucial pieces of information: (1) how important the understanding of specific content or the performance of a particular task (e.g., manage, communicate, develop, implement) is to the privacy practitioner role; and (2) how frequently the privacy practitioner is asked to apply their understanding of the content or demonstrate their capability of performing the task. In short, if the content is no longer important or the task is not performed regularly, we shouldn’t be testing on it. These regular appraisals allow us to keep the certification programs flexible, relevant and current.
The impact a JTA survey can have on a certification program is clearly demonstrated by our recently relaunched Certified Information Privacy Technologist program. While we recognized it was time to advance the program to better reflect the evolution of the privacy technology field, the input we gathered from the “boots on the ground” practitioners through the survey provided the critical information we needed to build the exam. A quick glance at the comments from those celebrating their CIPT certification on LinkedIn has shown we are, indeed, on the right track.
And now, the pièce de résistance!
We received feedback from more than 1,000 certified CIPMs serving in a wide range of privacy management roles: chief privacy/data protection officers, managers, attorneys, analysts, consultants and more. Seventy percent of respondents have been working as a privacy professional for six years or less, and more than half (64%) are between the ages of 25 and 54. The industries with the greatest representation were technology (16%), consulting (14%) and financial services (12%).
Most of our respondents came from the United States (44%), followed by the Netherlands and United Kingdom (both at 12%). Within the U.S., California had the greatest representation (17%), followed distantly by Texas (9%) and Georgia (7%).
From their responses, we pulled the “top 5” topics addressed as most critical to the CIPM role and “top 5” topics (or “tasks”) identified as the most frequently performed by the CIPM. I’ll give you a fair warning that you’ll see some repeated themes.
Because the CIPM program is designed for professionals who manage the day-to-day operations of a privacy program, the BoK topics included in the survey reflect the processes underlying operationalization: development of the privacy program and framework and support by means of the operational life cycle.
The topic ranked as “most critical” to the role of a CIPM was responding to a privacy incident (Table 1). Coming in a close second was establishing the privacy program, which interestingly ranked solidly higher than developing the privacy program framework. I suspect that there may be some ambiguity vis-a-vis the need to establish a formal privacy program framework versus that of a defined privacy program.
The percentages are close, to be sure, and it can probably be argued that at any given time one of these tasks is taking precedence over another. I think a key takeaway is that encapsulated in these results are the necessary skills of an effective CIPM: someone adept at establishing a privacy program (and framework), as well as promoting awareness, and who understands the critical functions of the privacy program operational life cycle, including assessing potential risks and dealing with incident response.
| Topic | Percentage of Respondents who Ranked the Topic as Critical* to the role of a CIPM |
| --- | --- |
| Privacy Operational Life Cycle: Respond - Privacy incident response | 61% |
| Developing a Privacy Program - Establish a privacy program | 57% |
| Developing a Privacy Program - Communicate | 51% |
| Privacy Operational Life Cycle: Assess - Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) | 48% |
| Privacy Program Framework - Develop the Privacy Program Framework | 46% |
*Question criteria: Critical, Very important, Important, Somewhat important, Not important.
The frequency rankings (Table 2) are a bit more complicated, as something could be integral to the role of the CIPM but only done once. So, it’s not necessarily a one-to-one ratio (i.e., rate of frequency = level of importance). The rankings are a bit lower here, too, probably because there is so much variation in the day-to-day activities of the CIPM. You can also see just how close in number the percentage rankings are (covering a narrow range from 33% to 41%) and that the tasks of integrating privacy requirements and representation into functional areas across the organization, communicating awareness of the privacy program, and assessing risks using privacy impact assessments and data protection impact assessments are all evenly ranked.
| Topic | Percentage of Respondents who Ranked the Frequency as “Daily”* |
| --- | --- |
| Privacy Operational Life Cycle: Protect - Information security practices | 41% |
| Privacy Operational Life Cycle: Respond - Data-subject information requests and privacy rights - Direct contact client/data subjects as a data controller | 35% |
| Privacy Operational Life Cycle: Protect - Integrate privacy requirements and representation into functional areas across the organization | 33% |
| Developing a Privacy Program - Communicate | 33% |
| Privacy Operational Life Cycle: Assess - Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) | 33% |
*Question criteria: Daily, Monthly, Quarterly, Rarely, Never.
You might have noticed a couple of interesting crossovers between the two charts. For one, communication and assessment ranked in the top five for skills/tasks that were both “most critical” and “most frequently performed.” Notably, the most frequently performed task of data protection corresponds with the most critical task of incident response.
Typically, we administer JTA surveys every three years. In 2019, CIPMs were heavily focused on responding to privacy incidents and utilizing information security practices to protect data throughout the lifecycle. With the rapid speed at which the privacy field continues to evolve, it will be interesting to see what floats to the top in 2022.