Published on Nov 30, 2022
The shortage of qualified practitioners for privacy roles existed long before COVID-19 introduced significant challenges to a rapidly-changing jobs market. Despite a mixture of learning paths available for career advancement, we still need to do more to entice new entrants into the field.
Ahead of a major new initiative (more on this soon...), we look at the evolution of the privacy profession in the context of certified data protection training. The article draws parallels between the skills and talent shortages faced then and now. In closing, we offer some recommendations organisations can implement today to address these challenges and ensure the continued healthy development of the industry.
On 28 January, 2000 the Information Systems Examinations Board (ISEB), the qualifications body established by the British Computer Society (BCS), launched the pilot exam for the ISEB [BCS Practitioner] Certificate in Data Protection. The then ISEB certificate was the first industry-recognised professional qualification for individuals with data protection responsibilities. It was based on the Data Protection Act 1998, which came into force on 1 March 2000. Official training was delivered through an independent network of Accredited Training Providers (ATPs).
For reference, the ISEB Certificate was launched five years before the International Association of Privacy Professionals (IAPP) introduced its Certified Information Privacy Professional (CIPP) programme in 2004. It was some years before IAPP certified data protection training gained traction within the UK market.
The launch of the ISEB Certificate was a pivotal moment, enabling individuals required to advise upon data protection to expand their skill set, establish themselves as professionals, and demonstrate their authority as experts in the field. Initially, the cost of attending an ISEB accredited training course was around £2,500 per person, which equates to about £4,000 today. The combination of the ISEB Certificate's exclusivity and restrictive pricing made it a prestigious qualification, limiting early adoption to legal practitioners, consultants and academics.
It wasn't until midway through the decade that Joyce Allen (who later went on to form Freevacy) drove down training costs after identifying considerable demand for training within the public sector. By delivering accredited ISEB data protection training onsite, it was possible to certify groups of NHS, police and local authority compliance and information governance teams for a fraction of the cost.
While public authorities were prepared to work together to host courses, it was still difficult to justify requests for budget approval. Recognising the challenge, Nathan Fowler approached the NHS Connecting for Health (CfH) team in Leeds, part of the Department of Health's National Programme for IT (NPfIT), to evaluate the ISEB Certificate. Although CfH would not endorse an individual training provider, they did agree to assess the suitability of ISEB professional certifications. Following an evaluation of Joyce's training, CfH produced a report recommending the ISEB Certificate in Data Protection as a 'prerequisite for IG Managers'.
The CfH recommendation was the second significant moment in addressing the privacy skills gap by effectively endorsing the professional development of data protection practitioners. Over the years, the CfH recommendation contributed to thousands of data protection practitioners in the public sector attaining an ISEB [BCS] qualification.
In another milestone, Northumbria University submitted a successful tender to the Department of Constitutional Affairs in 2005 to provide the first master's qualification in information rights: LLM Information Rights Law and Practice [see Information Rights Law and Practice Postgraduate Certificate]. In doing so, Northumbria's LLM created a welcome additional learning path. The brightest and best talent entering the profession could now opt for a formal and professional qualification to advance their careers.
Over time a number of additional learning and development programmes were introduced. The IAPP launched the Certified Information Privacy Manager (CIPM) in 2013, followed by the Certified Information Privacy Technologist (CIPT) in 2014. What set the CIPM and CIPT apart is that they approached privacy training from operational and technical perspectives rather than a legal focus. Also in 2014, ISEB, now rebranded as BCS professional certifications, updated its Certificate in Data Protection to offer both Foundation and Practitioner levels. And then in 2015-6 Northumbria University introduced its Postgraduate Certificate in Data Protection and Information Governance. The programme was designed to appeal to a broader audience, particularly those professionals within the private sector to whom the freedom of information element from the LLM is not relevant.
In addition to these established academic and professional qualifications, reputable specialist data protection training providers introduced a range of approved, certificated courses, offering further options for skills development.
For many years, if you were to embark on a career in privacy, it would likely have involved you working within the public sector. When the EU adopted the General Data Protection Regulation (GDPR) in 2016, one of its principal objectives was to make every organisation accountable for its personal data processing. Unlike its predecessor, the 1995 Data Protection Directive, which was adopted when the internet was still in its infancy, the GDPR set a maximum fine for violations of €20 million or 4% of annual global turnover – whichever is greater. The introduction of the GDPR was another significant milestone. Suddenly, motivated businesses began investing in GDPR training to support staff and ensure their data processing operations were compliant.
Thanks to the GDPR, the need for skilled and experienced privacy professionals has grown exponentially. In 2019, the IAPP estimated 500,000 organisations had registered Data Protection Officers (DPOs). Compare that figure with its 2017 prediction that the GDPR would create the need for 75,000 DPOs worldwide, and it’s markedly different.
So, where did all these skilled practitioners suddenly appear from?
It's fair to assume not every organisation followed Article 37(5) of the GDPR to the letter by appointing a DPO with "expert knowledge of data protection law and practices." However, the relevant point is that 500,000 organisations deemed it necessary to appoint a DPO because they met the criteria.
Of course, it's not only the shortage of DPOs that accounts for the gap in skills within the privacy profession. Over the years, there has been an explosion of new roles at various levels inside and outside the organisation.
The latest IAPP-EY Annual Privacy Governance Report outlines the different types and split of privacy roles within the organisation. In 2022, the report indicates 82% of privacy roles are filled internally. These roles are made up of leadership positions (11%) served by executives such as chief privacy officers (CPOs). Then there are privacy, risk and compliance roles (11%) performed by the practitioners responsible for regulatory compliance and privacy management. These are the people who develop policies and external communications, implement processes, maintain records, conduct internal audits, monitor compliance, produce reports and deliver culture awareness training. Beneath these are operational roles (26%), such as those performed by employees tasked with responding to subject access requests (SARs). The largest segment, technology-based roles (27%), covers the engineers, developers, technicians and security professionals who build privacy protections into digital systems. Then there are the legal professionals (5%) who support their organisation in terms of the legal aspects of privacy operations and regulations. The remaining 18% of roles are filled by external resources.
Along with the increasingly wide range of skill sets being utilised to deliver objectives, the size of privacy teams is also increasing. On average, organisations employed 33.2 staff members in full and part-time privacy roles in 2022, up 12% compared to 2021. While this represents thousands of new professionals entering into the field, it also illustrates the need for even more expertise.
Governance, risk and compliance roles are the most in-demand skills and expertise, with 55% of respondents indicating a shortfall. Legal professionals (33%), privacy engineers (30%), auditors (29%), and operational roles (20%) are also in high demand. In addition to core privacy roles, 34% of organisations noted a need for decentralised privacy champions to provide skilled expertise within various business functions.
As an industry, it's clear we've come a long way in a short time. Although there has always been a skills gap, twenty years ago, the issue centred around learning and development programme adoption and maturity. In comparison, today's problems relate to a shortage of available talent.
This lack of talent means that filling vacancies with experienced people will continue to be challenging for the foreseeable future. Without action, we could easily be discussing the same workforce supply problems ten years from now. Considering the direct impacts of a talent shortage are that it lowers productivity, creates backlogs and increases workplace stress for existing teams, this is a highly undesirable outcome for companies smart enough to realise privacy is good for business.
However, there are measures that you can implement today to address the shortage of privacy professionals. These steps will require long-term human resource planning, investing in your existing workforce and adjusting your thinking about where certain privacy expertise resides within the organisation.
One of the best things you can do to address these challenges is to invest in the professional development of your existing staff. As discussed above, given the variety of clearly defined career pathways, it is more than possible to identify employees with transferable skills.
For instance, governance, risk and compliance teams, project managers and auditors can be cross-trained in data protection law and privacy management. At the same time, IT systems engineers, software developers, and information security professionals can be provided with privacy technology training. Furthermore, adopting a unified data governance strategy would allow these employees to take on additional privacy responsibilities without leaving their existing roles.
Identifying privacy champions within the business areas processing the most personal data, such as sales and marketing or customer services, means that certain operational compliance responsibilities can also be undertaken through a decentralised approach. These individuals would require additional role-based or foundation level certified GDPR training to develop the necessary skills but are better positioned to help business owners meet any data protection responsibilities within their scope of operations.
Over time, this approach will create a pool of multi-skilled professionals that, with additional data protection training, could make suitable candidates for full-time privacy roles as and when they become available. Given the expense associated with external recruitment, this approach is cost-effective and self-sustaining.
Now is the time for organisations to stop treating privacy compliance exclusively as a centralised function and integrate responsibilities into the wider business. Of course, there are costs associated with upskilling the workforce, but these can be offset by productivity gains and efficiencies stemming from streamlined processes and removing duplication.
There are many compelling arguments for entering into a career in privacy. Earning potential is high. There are excellent opportunities for career progression. Job satisfaction tends to be high because daily responsibilities are varied and interesting. And given its implications for social justice and preserving a fundamental human right, privacy is an ethical career path that many employees would jump at the chance to enter. It's up to you to give them that opportunity.
Freevacy will shortly announce an exciting scheme to help facilitate the transfer of skills into the wider business.