The General Data Privacy Regulation or GDPR is quickly becoming a buzzword given how often we’re talking about it, but it’s an important subject to discuss. The build-up to and subsequent implementation of this EU Regulation has raised the question of whether data protection and data privacy measures are sufficient, and ultimately what that means for people working in cyber security and InfoSec. As the world modernises to account for the digital lives we live, there is a corresponding demand for skilled workers as businesses strive to keep up and acquire talent to take them forward. Whether you’re working in the public or private sector, data protection skills and an understanding of data privacy issues are imperative.
Jobs in data protection require subject matter expertise, but what does that mean in terms of qualifications?
London-based Cyber Defence Advisor and Data Protection strategist, Cameron Brown (@AnalyticalCyber), recommends looking into the certifications offered by the International Association of Privacy Professionals (IAPP). Their qualifications focus on data protection and data privacy know-how, program management and implementation, as well as deep dives into the legal ramifications of GDPR and related legislation globally.
“The IAPP has a focus on GDPR but with a holistic global view,” explains Brown. “Within that broad purview candidates can specialise across regionally specific domains, enabling them to develop competence across relevant localities such as Europe or Canada, the Americas or Asia.” Brown recommends the IAPP as a good port of call to achieve some credibility if choosing to work in this area.
In understanding the types of certifications available, one must become familiar with the main programs of study. CIPP (Certified Information Privacy Professional) covers a host of different geographical regions so it’s important to know which CIPP qualification is relevant to you or your organisation. The CIPM (Certified Information Privacy Manager) tells employers that you understand what is required for effective privacy program administration, and the CIPT (Certified Information Privacy Technologist) demonstrates that you possess the knowledge and skills needed to build an organisation’s data protection infrastructure and interface well with information technology and information security teams.
More than just certifying for a gig in data protection, practitioners need a fundamental awareness of which domains of cyber security are most relevant to data protection and privacy in order to hone skills and acquire new knowledge. Application security, data retention, data disposal, vendor management and cloud platforms (i.e., software as a service, infrastructure as a service and platform as a service) are all topics which require a comprehensive understanding of how data is handled and transmitted, including what is needed to secure that information and protect data subjects. Brown asserts that an understanding of cloud security is absolutely paramount “because a lot of organisations are now digitising and looking to migrate to the cloud as a way to improve their business model or to cope with globalisation. When data crosses borders there are often legal ramifications.”
Application security meanwhile relies on secure coding practices, in terms of understanding how to securely write software and implement resilient systems. This relates directly to managing the ‘software development lifecycle’ and adhering to the concepts of ‘security-by-default’ and ‘privacy-by-design’, and having the vision and focus to evolve these safeguards into the future. According to Brown, “data protection professionals should also understand forensics, as a critical component for data breach management. Being able to harness insights from a forensic inquiry is key to understanding and articulating what has happened during a security incident or event, and being able to communicate that with clarity to stakeholders, such as the media and data subjects.”
Data Protection Officer (DPO) roles are now mandated in many circumstances under GDPR. Brown asserts that “in the realm of data privacy and data protection we are starting to see a shifting of functions traditionally performed by the Information Security Officer (CISO), with some of those now being adopted by the DPO and privacy teams.”
When it comes to responding to demands in the market, there is a palpable need for people who not only understand security and privacy but also business requirements. People working in data protection roles must recognise the need for entrepreneurial endeavour and that a business primarily exists to derive profit. This objective must be balanced with secure and compliant ways of conducting business. “There needs to be empathy around what the business is trying to achieve,” says Brown, “and determining acceptable levels of risk, coupled with smart investments. At its essence, data protection and privacy practitioners must be able to effectively translate and communicate requirements to decision makers in a manner that can be understood and can be acted upon. Only then will boards be adequately informed of business risks arising from the evolving security, privacy and compliance landscape.”
One thing is for certain: the demand for privacy-trained IT and information security professionals has never been greater. Legislation such as the GDPR reinforces the criticality of protecting data and preserving the privacy of customers, clients and employees in an era where personal information is a prized resource and highly valued commodity.