As privacy regulations and requirements evolve, privacy professionals must expand their privacy skills to understand and assess the basic security controls within their organizations.
As evidenced by the General Data Protection Regulation (GDPR) in the European Union, privacy experts must also be knowledgeable about the technical and operational aspects of data protection beyond what is expected of them today in their jobs. In other words, data privacy experts must become data security and protection experts.
There are very good reasons why this shift is occurring.
Privacy cannot be fully achieved without information security. Most organizations have separate and dedicated privacy and security groups that interact with each other very closely to address organizational risks. Privacy and security are separated by a fine line that must be clearly defined in order to avoid duplication and ensure complete security and privacy convergence. However, privacy duties do not end at the line that separates privacy from security. At least this is what the GDPR is also suggesting.
Privacy experts are mainly focused on the protection of, and authorized access to, personal information while they ensure business obligations are met and consumer rights are protected in accordance with various privacy laws. They must therefore have a very good grasp of the various national and international regulations, and in most cases the privacy officer of an organization is an attorney and a member of the Legal group. To achieve their privacy compliance objectives, they have a duty to leverage the expertise, plans, and budgets of the information security group.
Privacy professionals normally coordinate their efforts very closely with the information security professionals who handle all the technical aspects of data protection, from network security to access controls and encryption. They also work with other corporate groups such as Audit and Compliance, which may be involved with risk assessments and other compliance projects that overlap with privacy activities. This close coordination is needed and must continue, since no one can be an expert in all aspects of compliance, technical security, audits, and operational risk assessment. However, privacy experts must be able to understand the security risks and basic data protection controls in order to fully assess the privacy risks facing their organizations.
Let’s not forget that information security experts are not just concerned with the protection of customers’ personal information. They are also concerned with the protection of highly confidential business information, including trade secrets, contracts, and other business data. Therefore, it is the privacy professional’s duty to ensure that security activities adequately address the needs of the privacy group.
Whether a privacy officer is also the security officer of the organization, or just oversees the privacy function and interacts with other groups to achieve the privacy goals, privacy professionals must expand their privacy skills to include security expertise. They don’t need to be experts in all areas of technical security or hacking techniques, but they do need to understand the basic information risks and controls.
With the above assessment and expanding regulatory requirements demanding that privacy professionals also understand security concepts, Identity Management Institute has created the Certified in Data Protection (CDP) training and certification program, which turns privacy experts into security experts who can leverage their knowledge not only to understand how information security helps ensure privacy and whether it is adequate, but also to take on the information security management challenge of protecting all data.