By KimAnh Tran, Associate Legal Counsel, CIPP/US, Contributor
High-profile breaches seem to arise almost weekly across all industries and verticals, making privacy and security top-of-mind for organizations large and small. Fear has proven to be a strong motivator for many organizations, as an expensive remediation process, a regulatory audit and a public relations disaster loom with any breach. Predictably, companies are reacting by trying to clean up their own privacy practices company-wide. This objective, though admirable, is not easily accomplished, and typically requires the skills of experienced privacy professionals.
Privacy management as an industry is still relatively young and consequently, privacy veterans are few and far between. However, more and more job descriptions express a need for seasoned privacy professionals with experience in tracking and understanding privacy regulations and best practices, and applying such knowledge in a variety of different roles and functions.
Though official titles may vary, there are several roles and functions that seem to be in demand in the privacy space. The qualifications for each may differ depending on company size, the company’s industry and its need for privacy support. However, a CIPP certification through the International Association of Privacy Professionals may indicate a certain level of credibility and dedication to privacy in the eyes of a hiring manager.
Privacy Program Manager
External privacy policies are written to meet obligations to provide notice and obtain consent from end users, while internal privacy policies are drafted to educate employees on practices related to data collection, use, disclosure and retention. As part of the development of these policies and procedures, a Privacy Program Manager is often relied upon to assess the “state of affairs” with respect to company practices, or sometimes with respect to specific products or processes (such as vendor management process, for example). From that assessment, policies and controls would be developed and implemented to help companies manage their privacy obligations and thus minimize their risk.
This role may also include administration of training and raising awareness around privacy and security practices, development of an incident response program, and design of policies around breach notification — all of which can help drastically improve a company’s culture and tolerance towards privacy and consumer protection.
Product Privacy Advisor
An increasing number of organizations are starting to see value in implementing the concept of Privacy by Design in their product development lifecycle. Although Privacy by Design is not a legislative or regulatory requirement, this concept of promoting consumer privacy throughout an organization and at every stage of the development of products and services can be extremely valuable. Companies can minimize the cost of having to fix a product or service to make it less risky, or of having to withhold it from the market because the privacy risk is determined to be too great.
Professionals who help a business identify and manage risks during the product development lifecycle serve an incredibly valuable function. This role is often charged with assisting a business in evaluating what is required at the outset, from a consumer privacy perspective, to commercialize a product and ready it for market. In many cases this requires an assessment of the product’s data collection capabilities and subsequent data handling, and identifying what notices must be displayed or consents obtained in order to comply with applicable laws and abide by best practices. Oftentimes, the person in this role will be expected to work side by side with the product, engineering, security and legal teams.
Regulations such as HIPAA and the EU Data Protection Directive require specialized contracts (Business Associate Agreements and Data Protection Agreements, respectively) in particular circumstances. Additionally, general contracts governing the business relationship between two parties (for example, a customer and a service provider) will often touch on privacy issues. Such contracts can be incredibly complex depending on a particular product or service, the type of data being passed and how that data is handled.
As such, businesses are beginning to recognize a need for experienced negotiators with expertise in privacy regulations and relevant best practices to identify potential gaps and negotiate risk allocation between the parties. As the privacy landscape continues to morph and change, companies are relying more heavily on contractual protections to help delineate responsibilities, maintain compliance and mitigate legal and financial risks.
The need for experienced privacy professionals is growing rapidly as the industry continues to evolve. The continuous onslaught of breaches has left more than just a dearth of consumer trust in its wake. As companies start to realize the very cognizable impact that poor privacy management can have on their revenue, the need for privacy professionals with these unique skill sets will continue to grow.
[DISCLAIMER: This post in no manner constitutes legal advice and in no way creates an attorney-client relationship. This post and the thoughts contained herein are my own and do not represent the positions, strategies or opinions of my employer.]