
Privacy Perspectives | For Privacy Pros: A Look At Your Job Tomorrow

It is pretty obvious that the privacy profession is changing fast.

Once the realm of an elite of nerdy specialists, the profession is opening up to include a whole range of professionals with a variety of talents, training and skill sets. And whilst the complexity of the challenges faced by those with responsibility for managing information, protecting data and safeguarding individual privacy remains as high as in the early days, the implications of addressing those challenges correctly are becoming exponentially greater. If we succeed, we will not only have contributed to the prosperity of future generations, but we will have also done our bit to preserve everyone's freedom.

Going forward, our success as guardians and developers of the information society will depend on our ability to understand and effectively deal with the never-ending evolution of technology, the strategic and commercial value of personal data and the global nature of all data-reliant activities. With that in mind, here are some of the issues that we are going to have to master in order to fulfil our duties as privacy pros:

  • Transparency 2.0 - Traditional and unimaginative transparency mechanisms have their days numbered. Long and legalistic privacy notices, in particular, are unlikely to serve their purpose going forward. Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible. Our responsibility in this regard will be to understand and communicate sophisticated uses of personal information in a way that is also understood by others no matter the interface or situation in which the information is collected.
  • Anonymisation - Yet to be exploited fully, the idea of performing some magic to personal information so that such information is no longer personal data may not be the perfect solution, but it is an extremely valuable way of safeguarding our privacy whilst still making the most of the data. Don't panic! Privacy professionals need not become algorithmic maestros, but we must at least have some faith in the ability of anonymisation techniques to help us make the use of personal information less intrusive.
  • Privacy (thinking) by design - Let's face it, having a legal obligation that limits the amount of personal information to be collected, used or retained to the absolute minimum is never going to work because it is at odds with today's and tomorrow's information economy. However, being prepared to consider the possible harmful effects that any data activities may cause at the outset and doing something to avoid them should be at the top of the list of all privacy professionals.
  • Security by default - Data security does not mean data choking, but applying the appropriate security measures to protect data should be non-negotiable. Furthermore, whatever the correct security measures are, they should always be deployed from within the technological applications and as those applications are developed—not as an afterthought. More than ever, privacy pros and security pros must join forces to deliver protection at the earliest possible stages of every process.
  • Relying on safe global vendors - Can a customer of any data processing service realistically have full and exclusive control over the data being processed? If the answer is no, and it will be invariably no, how can this be reconciled with the duties placed by the law on that customer? Responsible vendors have no choice but to take it upon themselves to adopt the right practices. So privacy professionals should be looking out for those vendors that are prepared to guarantee that wherever in the world the processing takes place—even in the cloud—the data will be protected under universally applied and internationally recognised standards.
  • Giving something back - As individuals' control over their own data declines and is replaced by the principle of benefiting from the value of that data, it will be the privacy professionals' responsibility to assess and identify what may qualify as appropriate benefits compared to the value derived from the exploitation of such data. From access to our own data to transparent profiling, the future role of the privacy professional is likely to involve turning the output into valuable benefits for those individuals who generate the information in the first place.
  • Privacy impact assessments - From a privacy professional's perspective, one of the greatest advantages of PIAs is that they are the most effective tool to safeguard people's privacy without closing the doors to innovation and progress. We must master the art of doing PIAs—from the very simple to the hugely elaborate—in ways that are seen as delivering benefits for both individuals and organisations.
  • Team privacy - Ultimately, getting privacy right within an organisation is a team effort. Many of those with responsibility for protecting data and safeguarding people's privacy will not even have the word “privacy” in their titles, but working as a team of professionals who are united in their quest for pragmatism and effectiveness, and who can keep an eye on how things are done within their respective sphere of influence, will be the only way of realising our goal.

Much work remains to be done, but with a bit of creativity, some effort and, above all, confidence in our ability to succeed, our jobs will be as fulfilling as the future can promise.

5 Comments

  • Jim • Mar 13, 2014
    An elite of nerdy specialists? It sounds like you are describing statistical inference or operations research. The IAPP was founded by lawyers, none of whom appear to have the least bit of technical know-how. It was compliance driven, and the underlying legal principles are very intuitive and simple compared to areas like tort law. 
    
    I see nothing 'nerdy' about the major figures in the development of data protection law. Arthur Miller, Alan Westin, David Flaherty and the like all had a background in the humanities, not technology or science. Most privacy professionals couldn't program "hello world", let alone understand anonymization algorithms. How on earth can you 'have faith' in anonymization and choose appropriate techniques if you can't read any of the papers that describe those techniques? You can't.
    
    The privacy profession is very good with buzzwords like "privacy by design", but practitioners completely lack the background needed to translate those into practical guidance for actual developers of products. I see no engineering methodologies, apart from high level guidance. Michelle Dennedy's latest book is a case in point. It is a good book, but it does not deserve to have 'privacy engineering' in its title. 
    
    This sort of article is preaching to the choir. You people assume that you are smart and savvy, but in reality you have a little cloister of likeminded lawyers who come from a compliance background. The lack of diversity and hard skills at the IAPP is one of its greatest problems.
    
    I think the profession is going to change. I can already see a role for people with a background in communications, IT, security, corporate education, applied ethics and the like. Future legal counsel in the privacy space should really have a multidisciplinary background, instead of relying on a very limited skill set and a compliance mindset. 
    
    Also, it really helps to stop tossing around buzzwords and actually put some content into them. There are researchers out there who are interested in creating proper methodologies for privacy by design, for instance. Why not network with them and get them involved, instead of merely reiterating the same vague statements every year? (Cavoukian, I am talking about you).
  • Trevor • Mar 13, 2014
    Hi Jim
    
    I think you are dead-on right in your comments.  Privacy cannot be the exclusive realm of law and compliance in the future.  We will need professionals who can speak fluently across the domains of law, technology, and management.  
    
    Last year, the board of the IAPP engaged in some strategic planning that identified exactly this need.  However, our expectation is that we cannot expect professionals to emerge with all of these skills -- it is simply too much education to expect of any one person.  Rather, we are predicting that legal/compliance/ethics pros will need to know "enough" of the IT realm to effectively converse with their IT counterparts.  Conversely, IT pros (and InfoSec pros, and audit pros, and HR pros) will need decent issue spotting capabilities in the fields of privacy law and privacy risk (because not all privacy risks are legal in nature).
    
    The IAPP is working to build bridges across these divides.  Our IT certification will re-launch this fall as a completely renovated designation.  We were out in force at the RSA show two weeks ago, sharing knowledge of the privacy field with our InfoSec colleagues.  And we are actively partnering with the Cloud Security Alliance to produce the IAPP Academy in San Jose this fall.  Strategically, we are very much focused on connecting legacy privacy pros (law and compliance folk) with the vanguard of privacy management (just about everyone in the digital economy).
    
    We also need better frameworks for managing privacy and assessing risk.  But those frameworks need to build from common understandings of the issues involved.  Given the inchoate nature of privacy -- with risks shifting based on context, culture, and personal preference -- that is a very tough job.  Not impossible, but tough.
    
    I am encouraged by PbD, and efforts to move towards accountability models and risk-based responses.  We need more meat on the bone, to be sure.  But the work is promising and, more importantly, progressing.
    
    Great post.  Great thinking.  Feel free to call the IAPP office...   would love to chat even more about it.
    
    And BTW -- I was an early privacy pro in the late 1990s.  And even though it was not completely tech-driven, it felt very nerdy.  
  • Eduardo • Mar 13, 2014
    By 'nerdy specialists' I meant people who irrespective of their background felt at ease talking about data controllers, data processors and data subjects; people who were frowned upon because they thought the protection of data was a top priority and a fascinating discipline; people who would have trouble getting understood at dinner parties when explaining what they did for a living; and above all, people who followed their instinct and pursued a career in a profession which they loved and saw as intellectually challenging as humanly rewarding even when most other people could not understand that.  We used to be a minority.  
    
    I was one of them.  Still am.  :)
  • Aurelie Pols • Mar 14, 2014
    Funny how you guys post using first names, not used to that ;-)
    
    I'm not much for labels but having a statistical & digital background, now increasingly caring about data protection (I don't like the word Privacy, it's too vague and people get stuck into trying to define it), I'd like to claim the nerdiest of nerds title. For whatever it’s worth!
    
    And I would also like to say that I disagree with Eduardo about data minimization: we don't live in a mainframe world anymore where you had to collect everything "just in case" because it was too complicated to get your hands on the data afterwards. Big Data will only kill the Privacy framework if you’ll let it!
    My world is one of lean analytics: pick up the data you need for your specific purpose, reach out to the Privacy officers to start a discussion and find ways of collaborating, securely.
    
    I’m happy to read the IAPP reached out to RSA but I’m still waiting for you guys to reach out to the analysts. Now maybe Trevor I’ve missed something, and my sincere apologies for that, but a dialogue with the people actually collecting the data should now be at the forefront, not only the security guys. Maybe see you at eMetrics in San Francisco?
    
    In the last 2 years, I’ve been exchanging digital analytics best practices with my lawyer colleagues. Every time I explained something to them, they rolled their eyes “really? You’ve been doing that?” and that was just talking about tags and cookies! My industry has moved onto digital fingerprinting for almost 2 years now and I won’t even start talking about cookies re-spawning, swapping, etc. 
    
    It’s high time to move indeed beyond legal & compliance as Trevor mentions because simply the misunderstanding of technology makes most of the questions asked during audits or PIAs turn those exercises into a farce. And honestly, it’s way too easy for us “technology people” to fool the legal guys about what we’re up to ;-)
    
    Eduardo mentions teams and I agree, that’s what I’m also seeing within Data Governance Councils: legal and compliance with technology and analytics, working together, challenging one another. 
    
    I also see an opportunity within the IAPP that was best resumed by Michelle Dennedy in her introduction “I care because the "Privacy engineering" framework, methods, and processes the authors have put together are critical enablers to unlock value from data. However strange that may sound (after all, isn't privacy all about preventing companies from gaining access to customer data?), it makes sense when you consider the complexity of dealing in practice with the absurd amounts of data individuals, companies, and governments are producing at an accelerating pace. The keyword here is complexity.”
    And I truly believe that: it’s complex and a bloody mess to be honest. Hopefully, and I’m maybe being naïve here, great associations like the IAPP, working together with other actors, can bring some order to the data frenzy Wild West. The book in itself can indeed be criticized as Jim mentioned. 
    
    Now we really, really need to move on and this can only be done through dialogue between the parties involved.
    I’m preparing a workshop in June in Berlin, gathering analytics people with compliance and privacy professionals to exchange thoughts and best practices. Hopefully some of you reading this blog will find the time to join, share and build a brave new data driven world: http://digitalanalyticshub.com/berlin2014/discussion-leaders/#2110
    
    Aurélie
  • Mirena • Mar 18, 2014
    I totally agree with this!