What technology do data privacy pros need to know now, and what technology should they be thinking about for the future? Jared Coseglia, founder and CEO of TRU Staffing Partners, asked privacy and technology experts Aaron Weller, co-founder and president of Ethos Privacy, and Rachael Haher, CIPM, TRU’s VP of Business Development and Account Management how technology affects the job market for data privacy professionals at all stages of their careers.
Coseglia noted that both TRU and Ethos have many of the same customers. He asked the panelists about the kinds of technology requirements they are seeing from hiring managers and stakeholders who run privacy programs and the discussion evolved from there.
Aaron Weller: Employers are looking into three different areas:
AW: A lot of organizations already have project and program management offices within their IT departments. They have people who can work with existing technologies. What we’re seeing with larger organizations is when they don’t have people with necessary skill sets, they are drawing from other internal teams (like compliance, security or internal audit) who know the organization’s politics and how to get things done. These people are being sent out to select new privacy technology and get it running. Then, they hand it over to the data privacy people to use on a daily basis.
AW: I have seen both, but mostly people are getting certified on their own because of the opportunities. Privacy is another skillset they can add to their resume.
Rachael Haher: Yes, though I haven’t seen certifications that are required as of yet. Most are optional for IAPP. I would not be surprised if mandates did appear in the next six to 12 months.
JC: Are you finding that most of the candidates that come to TRU asking about training and education are also doing it on their own?
RH: So far, candidates are asking about training for self-improvement – no one I have worked with is being required to take it.
JC: This is good because these roles are in high demand and there is a limited supply of people who are knowledgeable in data privacy, particularly in the middle market. One thing we’ve seen at TRU that is pretty consistent over the last two or three years, is that most (70%) of the jobs for privacy are within corporations. Then, 20-25% of the marketplace is in consulting firms. Maybe 5% is still at outside counsel at law firms.
RH: No. From a technology or toolset standpoint, a lot of the corporations maybe have one or two pieces of a privacy program they are looking to solve with a technology. They want very specific resources. Consulting firms want candidates to be tool-agnostic. They want candidates to know everything possible about tools so that they can influence purchases, do implementation and training.
AW: It comes down to what skillsets most closely contribute to the overall effectiveness of the privacy programs. Once you’ve got established processes in place that don’t rely on innovation, they can be outsourced. But in higher levels of “stakeholder-ing,” like influencing people or making heavy decisions, those roles are not being outsourced. Relationship-based roles are typically internal roles. While some privacy roles are being commoditized, many are not. Critical roles are staying within the organization.
JC: Let’s talk about commodities, then building, growing and maintaining privacy programs. Industries have a way of shifting from values that are extremely hands-on and expensive to being more commoditized and easily outsourced.
AW: Data mapping is one of the roles where technology has greatly improved, requiring less high-level, hands-on attention. Also, implementation of privacy software has gotten easier. And anywhere you have high volume and low variability, you can build in standardization and then outsource.
RH: Candidates are looking at roles with high impact opportunities. They want to understand the maturity of a privacy program before they even interview to assess what type of impact they may bring to an organization. TRU developed these sorting buckets of privacy levels (Building, Growing, Maintaining) to help applicants sort their way to the organization where they would best fit.
JC: Yes, it is so important for employers to self-identify into one of those buckets. Candidates want to know where these potential employers reside before they apply. Hiring managers are afraid to reveal their status not wanting to scare off candidates by letting them think their privacy work is underbaked. Technology starts to really play a role when privacy teams move into the weeds. As they move from advisory to accountability – reports, processes, documentation, analysis -- tech really plays a role beyond strategy and implementation.
AW: Being able to read a global privacy law and interpret it, makes life easier. Understanding the technology impacts how you react. For example, if using cookies is outlawed, how do you get people to give you more information without having cookies to get it? You need to read the laws, understand them, and then affect the changes within your orgs. That’s a skillset not just for lawyers. You can bring the change forward if you understand the laws.
JC: Lawyers bring comfort to employers especially at the “building” level. However, the office of general counsel doesn’t want to own the privacy domain. There isn’t always headcount available for an operational leader and a legal leader.
RH: There is also a financial piece to consider. If an organization has a privacy lawyer, they wouldn’t have to use outside counsel as much.
JC: But it’s not all good news for lawyers. There is a risk. For example, eDiscovery attorneys once thought the practice of eDiscovery law would develop into its own realm from litigation. But the collapse of pricing in the area made it more affordable to go outside. It could very well go that way for privacy professionals. Demand for lawyers may not be perpetual if you don’t become more technologically savvy.
RH: There is also the issue of where the privacy team sits within an organization. And where does the privacy technology team sit? Both could reside in Legal or Security…or be their own. Technologists need to bridge the gap between technology and the operational privacy side. They cover all sorts of areas.
JC: Is it industry specific?
RH: It depends on size of the organization and the maturity of the privacy program. Larger tech companies have these teams in several areas or on their own. The issue resides with smaller companies who need someone to speak to all facets of the programs. It’s not industry specific – it has everything to do with the size of the company, the size of privacy team and the maturity of the team.
AW: There is a transition point or step from having two people managing the team to needing to influence all these other groups. Companies might need to a grow central team or imbed people in other group.
RH: No, it’s not the same. In larger orgs, these two roles are siloed and well-defined. The term “specialist” is used loosely. In some orgs, specialists analyze data or oversee a team of people in specific areas of privacy.
AW: In small programs, there may not be tech options. And therefore, you don’t need to worry much about all the implementation factors. On the converse side, one of the most complicated pieces from the technology perspective is actually deleting things. Technology is not always designed to be deleted. Also, you could specialize in determining what data is present, what is owned by an organization and what an org does with data – like data mapping or being a data lifecycle specialist. You could base a whole career on that.
AW: An engineer has a coding background. They know how the technology works inside and out. Engineers hold IT’s hand, build datasets, determine needs. Analysts or specialists determine outcome but don’t build.
RH: Teaching engineers to become privacy experts is easier as well.
JC: How does someone with tech skills learn the soft skills needed to speak the privacy language to teams?
AW: They start with a mentorship role, sitting and learning through osmosis. It is harder in smaller programs. Certification is great, but understanding how people react to situations is best seen firsthand.
JC: The number one thing we have found that motivates job seekers in the privacy industry is working from home. Mentorship is the second most common want and is a key motivator. Many lawyers realize their law skills have a finite earning and growth potential. They want to become more adept at technology to leverage their skills. This is good advice to hiring managers – illustrate your mentorships programs. It drives people in the marketplace. Are there other areas outside of privacy where you are seeing people who have the aptitude for learning privacy soft skills?
RH: Yes. Security and risk areas and project management pros (PMPs) have special interest. Our clients tell us that the soft skills are just as important (if not more important) than the hard tech skills. Because of the supply and demand and compensation discrepancies, firms can’t always afford a privacy tech with 3-5 years’ experience. So soft skills may make a person a very appealing candidate.
AW: Many security folks could succeed in privacy, but they need to have a comfort with ambiguity. Those folks see things in black and white, which won’t work in privacy. Privacy pros live in gray zones. Project managers are good influencers. Customer service folks may be good at privacy – they can learn the privacy skills. I would much rather have someone who is less skilled but be easy to work with.
AW: Yes, Europe has privacy rights built into their laws. There are fundamental differences in how the US and Europe view personal information and how it is treated. Privacy is not hard to teach but there are some nuances. However, trying to gain consensus and exerting Influence is much harder to teach. Takes people a long time to learn.
JC: Are you finding that those soft skills are needed immediately, or can they evolve in a role?
RH: These skills are needed early on. Companies want new hires to raise their hands and volunteer for things. Lower-level security folks can adapt to these skills and learn new things. However, the higher you are up the ladder in security, the less able you are to see the nuances and the gray area.
If you are looking for data privacy staff with those high-touch soft skills, or are looking for a new role in privacy sector, contact TRU Staffing Partners to get started with your search today.