The Privacy Pro's Challenge

It's Never Been a Better - or Busier - Time to Enter the Profession

In the past, just writing "privacy pro" on a business card could get you into the field. "That's not the case today," says Trevor Hughes, president and CEO of the International Association of Privacy Professionals.

"You've really got to get the knowledge, whether through undergraduate or graduate education, certification, conferences or training," he says in an interview with Information Security Media Group's Tom Field [transcript below].

The privacy profession has been a story of growth. "The interesting thing today, unlike five years ago, is that it's a much more mature profession," says Hughes.

"When we have seen attrition in just about every other profession, we have more than doubled our membership at the IAPP, and that tells me that organizations have been investing in privacy because the risks, the instability and the uncertainty in the field are so significant," he says.

At the same time, an increase in opportunities means an increase in the challenges facing those currently in the field or planning to enter it. "The challenges are finding the time and the resources to invest in your career," Hughes says.

While investing in a privacy career can be time-consuming and costly, Hughes says, "they're showing themselves to be tremendously good decisions for people to make."

In an interview about privacy careers, Hughes discusses:

  • The explosive growth of the profession;
  • How to shape a career in privacy;
  • Legal and regulatory trends to track.

Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as executive director of the IAPP, Hughes leads the world's largest association of privacy professionals.

Hughes has testified before the U.S. Congress Commerce Committee, the U.S. Senate Commerce Committee, the U.S. Federal Trade Commission and the EU Parliament on issues of privacy and data protection, spam prevention and privacy-sensitive technologies. He is a member of the first class of Certified Information Privacy Professionals (CIPPs) and is co-author (with D. Reed Freeman, Jr.) of "Privacy Law in Marketing" (CCH Wolters Kluwer, 2007).

Growth of Privacy Profession

TOM FIELD: As we picked up our discussion, Trevor was discussing the growth of the privacy profession as well as the growth of his own association. Here's Trevor Hughes.

TREVOR HUGHES: I think the IAPP is a stalking horse for the issue of privacy perhaps. We track the issue of privacy in the market place and I think it's obvious that the issue of privacy continues to explode. We can't open the paper without seeing articles and issues related to privacy on all sorts of levels playing out. The IAPP, the largest and only professional association in the U.S. responding to this issue of privacy, grows along with that issue.

Last year we went from 7,500 members to just over 10,000 this year. We've crested 11,000 already and we'll probably exceed 12,000, if not 12,500, this year, so our growth has really been pretty phenomenal. We're seeing lots and lots of people join. But it's not just membership I think that's an indicator of the growth of the IAPP. What we're seeing is that lots and lots of professionals don't necessarily wear the name badge of privacy pro. The word privacy may not be on their business card anywhere. They might be an IT pro, an information security pro, or an HR professional. They've recognized that they need to know enough about privacy so as to make good decisions for their organization, or, better stated, so that they don't make stupid decisions for their organization.

So we've seen enormous growth in certification and training where many, many people, not just people who call themselves privacy pros, are coming to the IAPP and saying, "I need privacy knowledge to get my job done today. The information economy is all about information, and privacy is how you protect that information, so certify me, train me and make me much smarter with regards to that data so I can do my job better."

Top Challenges for Pros

FIELD: As you're seeing this growth and as we're seeing the corporate world especially turning its attention to issues such as "do not track," what do you see as being the top challenges that privacy professionals are dealing with today?

HUGHES: If I was to list the number-one challenge it would be the number of challenges. We see privacy issues emerging really in every new technology, in many new business models and many existing legacy business models and technologies as well. Pretty much every new technology that rolls out - whether it's facial recognition or mobile smart phones or smart grid meters on houses with utility deployment around the world - we see privacy issues in the middle of all those technologies. We see business models straining our concepts of privacy over and over again. Every app developer, software and web developer, every new business model seems to be touching data in a pretty significant way.

The biggest challenge I think for privacy pros is it's a really complicated environment. Layer on top of that the fact that most legislatures around the world, many, many regulators and enforcers are really focusing on privacy. It's notable that we're speaking today because just last week the state of California announced the first state enforcement office within an attorneys general office. California Attorney General Kamala Harris announced the creation of an enforcement group, a unit within her office, to focus exclusively on privacy violations in California. Not only are the issues getting more complex but the regulators are looking at them in a more significant way, and that makes for a very, very tricky environment for privacy pros.

FIELD: It sounds like they're looking at them in a significant way and in a sympathetic way towards privacy as well. Is that fair?

HUGHES: I think yes and no. What we're seeing is that regulators have concerns. Regulators have real concerns about privacy. Public policymakers have real concerns. It's notable that on Capitol Hill, a privacy caucus has been created, notably led in bipartisan fashion by Congressman Markey and Congressman Barton, a Democrat and a Republican. They've announced that they're going to launch a series of hearings and an inquiry into data-broker practices, so some of the major data brokers in the country are going to be examined closely by this congressional inquiry. I think public policymakers and regulators are responding to or reflecting broad consumer concern about privacy.

That said, good practices are good practices so paying attention to this stuff has to be beneficial. It has to be strong risk mitigation for organizations that are feeling a bit of that heat. We're seeing that in our membership growth and in certification and training growth, and I think organizations are putting privacy very much at the top of the list when they're doing risk assessments and creating risk registers or heat maps for where risk pops up in their organization.

Privacy Careers Evolving

FIELD: With all this attention being paid to privacy, how do you see privacy careers evolving? It seems like there's an opportunity, maybe even a challenge, for the privacy professional to step up.

HUGHES: One of the incredible things about the field of privacy is that it has been a growth story over the past five years. When we have seen attrition in just about every other profession, we have more than doubled our membership at the IAPP and that tells me that organizations are scaling back hiring and in some cases laying off in all sorts of other fields but they've been investing in privacy because the risks, the instability and the uncertainty in that field are so significant. There certainly are opportunities and we certainly see a lot of those on our job board on our website at privacyassociation.org.

If people are interested, the field of privacy is certainly a robust field to jump into, but it's interesting because the rising tide of privacy floats a lot of boats. We're seeing growth, not just in those entry-level jobs, not just in those mid-management jobs, but in some of the very senior level jobs too. We're seeing some very significant packages go to some of the top-level chief privacy officers. Now one of the open questions for our field is, if you are a successful chief privacy officer, where do you go from there? And I don't think that career path has been as clearly documented in the market place, but very clearly we're seeing lots of people come out of IT backgrounds, information security backgrounds, law backgrounds and move into the field of privacy successfully.

Key Challenges

FIELD: What do you see as being the key challenges for privacy pros that want to grow their careers and their influence within their organizations as well?

HUGHES: This is kind of two questions, what are the challenges for professionals trying to grow their careers and then trying to grow the influence of their role within their organization. Let's handle them separately. First, growing their careers, I think the challenges are finding the time and the resources to invest in your career. For many, many people this is about professional development and this is about being the CEO of your own career. You own it, so you need to take responsibility for it. We're finding more and more people from many different fields looking at privacy knowledge as being absolutely critical to their continued growth. And even if it's not critical to their next promotion or their day-to-day job, adding privacy as a skill set right now when lots of investment is going into that field has to be a good career move. Without question it's a good career move. Getting to privacy conferences, finding privacy training, getting certified in the field of privacy takes time and it takes money, but they're showing themselves to be tremendously good decisions for people to make.

In terms of defending privacy or getting support for privacy within an organization, that's one of the critical challenges for information privacy professionals as well as information security pros and one of the classic challenges there is that you're always asking for money and you can never really demonstrate revenue associated with it. That's changing a little bit. I think the idea of privacy as a risk management discipline, where it's a cost center that prevents losing money but not necessarily makes money, is shifting a little bit where many organizations are now recognizing that they can use privacy as a component of their brand. That privacy drives trust. Trust drives consumer engagement. Consumer engagement drives higher profits and better ROI. Shifting the dialogue from one of exclusively risk management to one of consumer trust and engagement and therefore ROI can be a pretty powerful argument for a privacy professional or an information security professional to make within their organization.

FIELD: But a mind shift I would say as well, just as we've seen information security professionals have to rise up to the challenge of learning to speak more in line with the business. I could see this being a similar challenge for the privacy professional.

HUGHES: That's exactly right. A lot of privacy pros come from law and compliance backgrounds, many from information security backgrounds, and it's easy to talk about black letter law or what the law says. It's much more difficult to say that complying with the law is just step one. Those are the table stakes. We need to do better than that. We need to build trust with our consumers. That's a bit of a new language and figuring out how to measure that and document it and prove that to senior management can be a real challenge, but the ones that are doing it successfully are finding tremendous traction with it.

Regulatory, Legislative Trends

FIELD: You talked about the action out in California having an enforcement office within the AG's office. What are some of the privacy regulatory or legislative trends that you've currently got your eye on within the U.S. and abroad as well?

HUGHES: Let's start in the U.S. Our eyes are darting everywhere because there are lots of legislative and regulatory activities going on all over the world. Within the U.S., the FTC continues to be very active. We have seen a steady stream of enforcement actions coming out of the FTC, some with multi-million dollar settlement price tags on them. And perhaps more notably in two of the recent settlements with the FTC, Facebook and Google in separate settlement agreements agreed to 20-year audit provisions. Now it's one thing to have to write a check for a big number - and that stings - but it's really painful to have auditors in your shorts for 20 years, and that's what both Facebook and Google agreed to in their settlement agreement. We're continuing to watch the FTC. Word on the street is that there are a number of other enforcement actions in queue that we may see come out sometime soon.

I mentioned Congress. I think you can expect more from Congress. Markey and Barton have demonstrated a clear focus on data brokers, so I think that industry and issues raised by that industry are going to be in the papers for a number of months to come. We don't know what to expect yet from this new enforcement office in California, but it's in the AG's office so it's an enforcement function. I would expect California law to get a little more attention than it has in the past few years.

As we look around the world, I think Europe takes up a lot of our time and focus and appropriately so. Earlier this year, the European Commission released a proposed privacy regulation, a proposed data protection regulation, which was meant to be an update and refinement of the 1995 EU Data Protection Directive. It includes a number of provisions that I think many in the industry see as challenging if not outright problematic. And while it's not final yet, it's in a 2-3 year process of being adopted. I think that will suck up a lot of attention and focus as that gets hammered out and negotiated over the next couple of years.

It's hard to avoid everything else going on everywhere else in the world. Many, many jurisdictions are considering new privacy laws. We're seeing South America come on line with privacy laws in a pretty significant way. South Africa has a pending law. Many Asian jurisdictions are considering laws for the first time. I think many countries around the world are recognizing that in order to play effectively in the information economy they need to provide more than just lip service to the idea of privacy and that they need to back it up with a bit of regulatory or legislative infrastructure, so a lot of countries are stepping up with that. If you're a global entity - and in today's information economy most organizations are whether they think of themselves that way or not - the global public policy environment is becoming very, very complicated.

Entering the Profession: Key Considerations

FIELD: We've touched on a lot of topics. If you had to boil it down - and I'm sure you do this every day - what advice would you offer to someone entering the privacy profession today versus someone entering it five years ago?

HUGHES: I think the interesting thing today unlike five years ago or even ten years ago is that it's a much more mature profession today. It's not enough to just be a lawyer or to just be an IT pro. You actually have to know the substance of the field of privacy and you need to know the tool kit of the privacy pro. The substance is traditionally the black letter law and largely remains the black letter law but increasingly you also have to know what's happening in the browsers, because even though that's not black letter law, the fact that Microsoft is switching on "do not track" in the default is a code-based standard that you need to pay attention to as a privacy pro. Understanding the substance of our field and all the places where that substance emerges is pretty critical.

But as much as you have to know the substance of privacy, you actually have to know the business of privacy too, the management of privacy. Understanding how to implement a privacy impact assessment; how to do a data-flow audit; understanding data classification, risk allocation and risk assessment associated with data; understanding how to manage vendors and how to manage global data transfers; those types of things are increasingly becoming the management function of privacy and that remains as critical as the black-letter substance of privacy.

For someone moving into the field today, unlike when I started as a privacy pro about 15 years ago now, we were kind of groping for any standards that we could possibly find and anyone could basically scratch out their current job and write privacy pro on their business card and, "boom," you were a privacy pro. That's not the case today. You've really got to get the knowledge, whether through undergraduate or graduate education, certification, conferences or training. Whatever it is, you've got to get that knowledge in order to do the job of a privacy pro today.




