It’s a very different world that we’re living in from the one in which we published the NIST Privacy Framework this past January. These changes have demonstrated that the need for effective privacy programs that can adapt to new risks has never been more important.
A skilled workforce is a key pillar of an effective privacy program. As the framework roadmap stated, “Further development of a knowledgeable and skilled privacy workforce (to include privacy practitioners and other personnel whose duties require an understanding of privacy risks) is necessary to support organizations in better protecting individuals’ privacy while optimizing beneficial uses of data.” Unfortunately, we’ve heard consistently that recruitment and development is a challenge. Now is the time to make headway on this challenge by creating a workforce taxonomy aligned with the Privacy Framework.
What is a Privacy Workforce Taxonomy?
Maybe we should first ask: what is a privacy workforce? Personnel in all parts of the organization such as IT, cybersecurity, legal, product development, human resources, and marketing may not consider themselves to be “privacy professionals,” but can still have a role to play in managing privacy risk. Perhaps then we should not talk about a privacy workforce so much as a workforce capable of managing privacy risk. If that’s the case, we believe that developing a taxonomy that is aligned with the Privacy Framework will enable us to categorize and describe a workforce capable of managing privacy risk, and in turn, help organizations to better achieve their desired privacy objectives. In addition, it could support recruitment with more consistent position descriptions and inform the education and training of professionals to produce a more skilled and knowledgeable workforce.
We’re coordinating with our National Initiative for Cybersecurity Education colleagues so that this effort will align with the new, streamlined structure of the Workforce Framework for Cybersecurity, introduced in July 2020 as Draft NIST Special Publication 800-181, Revision 1. Since NIST’s approach to privacy and cybersecurity is to recognize their independence as disciplines as well as their overlap, the end result of both initiatives is intended to be listings of tasks, knowledge, and skills and examples of organizing them into work roles and competencies that organizations can use in a modular fashion to address their workforce needs for privacy and cybersecurity.
Building these modular resources will be as “easy” as it is for a privacy professional to answer the proverbial question, “So what is it that you do?” We need your help to understand the many nuanced aspects of your work, operational insights, and workforce challenges. To start, please attend the virtual workshop Help Wanted: Growing a Workforce for Managing Privacy Risk that the International Association of Privacy Professionals (IAPP) will host on September 22-24, 2020. This workshop is free, open to the public, and designed to fit into your busy schedules and maximize the opportunity for participation from around the world. We’ll be facilitating working sessions where you can share your feedback and ideas about what you think is needed to achieve the Privacy Framework’s outcomes and activities. The working sessions will have limited capacity, so don’t wait to register.
The Road Ahead
Following the workshop, we will take your feedback and use it to inform the development of a draft taxonomy that can include sets of roles, tasks, knowledge, and skills that we will share with you for your input. We see this process unfolding over the next several months, with the goal of releasing these resources in 2021.
With that, we’re hanging up a virtual “help wanted” sign: we need input from a wide range of roles (e.g., technical, business, policy, legal). If you want the job, here are your first tasks:
- Register now for the workshop
- Share your perspective about:
- Challenges, needs, and opportunities for developing a skilled and knowledgeable workforce
- The work roles, tasks, knowledge, and skills necessary to align with the Privacy Framework
- Your organizational priorities for workforce resources (e.g., listings of tasks, knowledge, and skills and where those fit in work roles and competencies)
- Other issues that we should consider as we develop these resources
- If you haven’t already, join the Privacy Framework mailing list to periodically receive updates about this effort.
We hope to “see” you on September 22, but if not, there will be more opportunities to collaborate with us in the coming months to support the growth of a workforce better able to produce systems, products, and services that provide equitable benefits while minimizing the risks to our privacy.