Deep Dive: Technology's Impact on Job Requirements for Data Privacy

What technology do data privacy pros need to know now, and what technology should they be thinking about for the future? Jared Coseglia, founder and CEO of TRU Staffing Partners, asked privacy and technology experts Aaron Weller, co-founder and president of Ethos Privacy, and Rachael Haher, CIPM, TRU’s VP of Business Development and Account Management how technology affects the job market for data privacy professionals at all stages of their careers.

Coseglia noted that both TRU and Ethos have many of the same customers. He asked the panelists about the kinds of technology requirements they are seeing from hiring managers and stakeholders who run privacy programs and the discussion evolved from there.

JC:  What are the new technology skills employers are looking for? How is technology driving that demand?

Aaron Weller: Employers are looking into three different areas:

1. There has been an explosion in the amount of technology now available for privacy teams. Organizations are looking for people who can help them select the best technology and implement it in a way that meets their needs. Nothing works right out of the box. These solutions require configuration and application knowledge.
2. When you have new technology, you need someone to run it day to day. Workers are needed to do privacy risk assessments and to run the tools to get the results privacy teams need to manage their data.
3. Lastly, teams need to build privacy controls into their existing technology. They need high-level experts who really understand the organization, how it works, who to go to for information. They need workers who can build products and services with privacy standards included.

JC: If you are an organization and are not going to a third-party agency like TRU Staffing, where do you get resources and people with the right skill sets?

AW: A lot of organizations already have project and program management offices within their IT departments. They have people who can work with existing technologies. What we’re seeing with larger organizations is when they don’t have people with necessary skill sets, they are drawing from other internal teams (like compliance, security or internal audit) who know the organization’s politics and how to get things done. These people are being sent out to select new privacy technology and get it running. Then, they hand it over to the data privacy people to use on a daily basis. 

JC: Do you think that job seekers are joining privacy certification programs because of mandates from corporate stakeholders, or do they want to move into the privacy vertical to gain more opportunities?

AW: I have seen both, but mostly people are getting certified on their own because of the opportunities. Privacy is another skillset they can add to their resume. 

JC: Rachael, you handle the TRU relationship with IAPP to get talent certified. Are you seeing the same thing?

Rachael Haher: Yes, though I haven’t seen certifications that are required as of yet. Most are optional for IAPP. I would not be surprised if mandates did appear in the next six to 12 months.

JC: Are you finding that most of the candidates that come to TRU asking about training and education are also doing it on their own?

RH: So far, candidates are asking about training for self-improvement – no one I have worked with is being required to take it.

JC: This is good because these roles are in high demand and there is a limited supply of people who are knowledgeable in data privacy, particularly in the middle market. One thing we’ve seen at TRU that is pretty consistent over the last two or three years, is that most (70%) of the jobs for privacy are within corporations. Then, 20-25% of the marketplace is in consulting firms. Maybe 5% is still at outside counsel at law firms. 

JC: Do the roles and responsibilities corporations seek match what consulting firms and vendors are looking for in terms of skillsets?

RH: No. From a technology or toolset standpoint, a lot of the corporations maybe have one or two pieces of a privacy program they are looking to solve with a technology. They want very specific resources. Consulting firms want candidates to be tool-agnostic. They want candidates to know everything possible about tools so that they can influence purchases, do implementation and training.

JC: What skillsets do corporations want to keep with internal employees and which skills are they more comfortable outsourcing?

AW: It comes down to what skillsets most closely contribute to the overall effectiveness of the privacy programs. Once you’ve got established processes in place that don’t rely on innovation, they can be outsourced. But in higher levels of “stakeholder-ing,” like influencing people or making heavy decisions, those roles are not being outsourced. Relationship-based roles are typically internal roles. While some privacy roles are being commoditized, many are not. Critical roles are staying within the organization.

JC: Let’s talk about commodities, then building, growing and maintaining privacy programs. Industries have a way of shifting from values that are extremely hands-on and expensive to being more commoditized and easily outsourced. 

JC: What are skillsets that currently involve technical prowess and heavy staffing are going to commoditize in the next few years? What are the things that are going to get easier to do in tech in the near future?

AW: Data mapping is one of the roles where technology has greatly improved, requiring less high-level, hands-on attention.  Also, implementation of privacy software has gotten easier. And anywhere you have high volume and low variability, you can build in standardization and then outsource.

RH: Candidates are looking at roles with high impact opportunities. They want to understand the maturity of a privacy program before they even interview to assess what type of impact they may bring to an organization. TRU developed these sorting buckets of privacy levels (Building, Growing, Maintaining) to help applicants sort their way to the organization where they would best fit. 

• At the “build” stage, firms want to bring in established privacy attorneys who will do the regulatory compliance and manage the operations. Then, they want to build out a team under these attorneys. “Building” firms haven’t got the technology yet, so they are exploring what might be best for them. 
• “Growing” clients are looking for specific tool knowledge. There are a lot more options now and those who are growing, want people with a deep tool knowledge. In this firms, teams exist, processes are in place, there are centers of excellence, and full stakeholder buy-in. These groups are looking for competitive differentiators to increase revenue.
• “Maintaining” clients have everything in place – processes, teams, workflows. In these groups, candidates would still have a lot of work to do but they aren’t walking into the ground level. Laws will still change and shift and be created so a privacy team is never actually caught up. 

JC: Yes, it is so important for employers to self-identify into one of those buckets. Candidates want to know where these potential employers reside before they apply. Hiring managers are afraid to reveal their status not wanting to scare off candidates by letting them think their privacy work is underbaked. Technology starts to really play a role when privacy teams move into the weeds. As they move from advisory to accountability – reports, processes, documentation, analysis -- tech really plays a role beyond strategy and implementation. 

JC: Why is it important for privacy pros to command technology in regard to regulations and regulators? 

AW: Being able to read a global privacy law and interpret it, makes life easier. Understanding the technology impacts how you react. For example, if using cookies is outlawed, how do you get people to give you more information without having cookies to get it? You need to read the laws, understand them, and then affect the changes within your orgs. That’s a skillset not just for lawyers. You can bring the change forward if you understand the laws.

JC: Lawyers bring comfort to employers especially at the “building” level. However, the office of general counsel doesn’t want to own the privacy domain. There isn’t always headcount available for an operational leader and a legal leader.

RH: There is also a financial piece to consider. If an organization has a privacy lawyer, they wouldn’t have to use outside counsel as much.

JC: But it’s not all good news for lawyers. There is a risk. For example, eDiscovery attorneys once thought the practice of eDiscovery law would develop into its own realm from litigation. But the collapse of pricing in the area made it more affordable to go outside. It could very well go that way for privacy professionals. Demand for lawyers may not be perpetual if you don’t become more technologically savvy.

RH: There is also the issue of where the privacy team sits within an organization. And where does the privacy technology team sit? Both could reside in Legal or Security…or be their own. Technologists need to bridge the gap between technology and the operational privacy side. They cover all sorts of areas.

JC: Is it industry specific? 

RH: It depends on size of the organization and the maturity of the privacy program. Larger tech companies have these teams in several areas or on their own. The issue resides with smaller companies who need someone to speak to all facets of the programs. It’s not industry specific – it has everything to do with the size of the company, the size of privacy team and the maturity of the team.

AW: There is a transition point or step from having two people managing the team to needing to influence all these other groups. Companies might need to a grow central team or imbed people in other group.

JC: Let’s talk about role definition in the privacy world, specifically the privacy analyst and privacy specialist. Is this the same job in an organization?

RH: No, it’s not the same. In larger orgs, these two roles are siloed and well-defined. The term “specialist” is used loosely. In some orgs, specialists analyze data or oversee a team of people in specific areas of privacy.

JC: What are the tech skills required of an analyst in a smaller company? Conversely, if you are in a mature program, what are some of the tech skills that people could build a career on?

AW: In small programs, there may not be tech options. And therefore, you don’t need to worry much about all the implementation factors. On the converse side, one of the most complicated pieces from the technology perspective is actually deleting things. Technology is not always designed to be deleted. Also, you could specialize in determining what data is present, what is owned by an organization and what an org does with data – like data mapping or being a data lifecycle specialist. You could base a whole career on that.

JC: What is the difference between privacy engineers and specialists or analysts?

AW: An engineer has a coding background. They know how the technology works inside and out. Engineers hold IT’s hand, build datasets, determine needs. Analysts or specialists determine outcome but don’t build.

RH: Teaching engineers to become privacy experts is easier as well.

JC: How does someone with tech skills learn the soft skills needed to speak the privacy language to teams?

AW: They start with a mentorship role, sitting and learning through osmosis. It is harder in smaller programs. Certification is great, but understanding how people react to situations is best seen firsthand.

JC: The number one thing we have found that motivates job seekers in the privacy industry is working from home. Mentorship is the second most common want and is a key motivator. Many lawyers realize their law skills have a finite earning and growth potential. They want to become more adept at technology to leverage their skills. This is good advice to hiring managers – illustrate your mentorships programs. It drives people in the marketplace. Are there other areas outside of privacy where you are seeing people who have the aptitude for learning privacy soft skills?

RH: Yes. Security and risk areas and project management pros (PMPs) have special interest. Our clients tell us that the soft skills are just as important (if not more important) than the hard tech skills. Because of the supply and demand and compensation discrepancies, firms can’t always afford a privacy tech with 3-5 years’ experience. So soft skills may make a person a very appealing candidate.

AW: Many security folks could succeed in privacy, but they need to have a comfort with ambiguity. Those folks see things in black and white, which won’t work in privacy. Privacy pros live in gray zones. Project managers are good influencers. Customer service folks may be good at privacy – they can learn the privacy skills. I would much rather have someone who is less skilled but be easy to work with. 

JC: I think security folks struggle in privacy roles. Security is the bars on the windows, but privacy is the shade. Would security people perhaps benefit more from customer service training than they would from learning privacy law?

AW: Yes, Europe has privacy rights built into their laws. There are fundamental differences in how the US and Europe view personal information and how it is treated. Privacy is not hard to teach but there are some nuances. However, trying to gain consensus and exerting Influence is much harder to teach. Takes people a long time to learn. 

JC: Are you finding that those soft skills are needed immediately, or can they evolve in a role?

RH: These skills are needed early on. Companies want new hires to raise their hands and volunteer for things. Lower-level security folks can adapt to these skills and learn new things. However, the higher you are up the ladder in security, the less able you are to see the nuances and the gray area.

If you are looking for data privacy staff with those high-touch soft skills, or are looking for a new role in privacy sector, contact TRU Staffing Partners to get started with your search today.

Need privacy talent, or looking for your next opportunity? Click below!