Hello from Kittery, Maine!

It's hard to believe summer is already in the rearview mirror, but here we are in late September. I write to you while watching our American white ash trees endlessly rain down their wilted leaves. We're in a drought here in southwestern Maine, but nothing like the extremes of other parts of the country. Wishing health and safety to those of you suffering through the terrible wildfires out West. It's been stunning to see the smoke all the way out here on the other side of the continent.   

In a normal year, we'd be gearing up for our fall events, which has always been an exciting time for us at the IAPP. I can't say how much I miss traveling to our events to connect with many of you, and I look forward to the day when that resumes, but for now, we make the best of what we can and press on. 

This week, we co-hosted a three-day virtual event with the National Institute of Standards and Technology to explore the privacy risk management workforce. The idea here is to create a workforce taxonomy and guidance on developing privacy programs in line with NIST's Privacy Framework. This, in turn, could then help organizations — both public and private — better understand who to hire to help manage privacy risk. 

The bulk of the event comprised a set of working sessions with stakeholders and facilitators to share feedback and insight toward this taxonomy. These working sessions were sandwiched between two excellent opening and closing plenary sessions with folks from industry, government, academia and civil society. 

What was clear from these panels is that the privacy profession requires an incredibly wide range of skills. As Marc Groman pointed out during one panel, privacy pros sit at the intersection of tech, law, policy and business operations. He said that in the U.S. market, companies are hiring, but in the absence of a comprehensive privacy law, privacy has been viewed internally as a compliance function and legal liability issue. "The NIST framework," he pointed out, "flips that around and looks at what the privacy risks are to people and what to do about that." 

Melanie Ensign also said too much of a focus on compliance and risk can work against the privacy profession. "Very few privacy teams have effective visions for what privacy means for their company," she said. "Legal standards shouldn't define your privacy program; you need to go above the standards and determine the vision." 

Of course, embedded in all this is all the nuances required of privacy pros, who need to interface with security, marketing, HR and engineering teams, not to mention senior leadership. Uber's Ruby Zefo referred to these as "soft skills" to work with "all types of people at all levels of the organization, which requires being a good collaborator." 

She also highlighted the need for diversity, especially as companies design and roll out automated technology, facial recognition and artificial intelligence. And, of course, privacy pros need to understand and embrace technology so they can effectively work with the engineering, IT and security teams. 

In parallel, Carnegie Mellon's Lorrie Cranor said academia hasn't been paying enough attention to the privacy workforce and privacy education for tech students. Lots of courses, she noted, have cybersecurity or privacy, but both should be embedded in multiple courses across the curriculum and disciplines: in law schools, information systems and social science, to name but a few. 

This is just a nano-level slice of the conversations that took place this week, but NIST will now compile all this feedback to develop a taxonomy and guidance. We'll be sure to share that out once it's public. I look forward to the results. 

Have a good weekend, all.