Organizations use large volumes of consumer data to drive product development, innovation and growth insights. As this treasure trove of data has become critical to achieving organizational objectives and goals, protecting consumer data and ensuring user privacy have emerged as crucial business imperatives. Despite a cooling market1 and macroeconomic pressures in 2022,2 organizations continue investing in privacy programs. The average amount of money spent on privacy-related initiatives or measures has increased significantly from US$1.2 million three years ago to US$2.7 million.3 The growing importance of privacy in organizations, influenced by several factors, has led to a shift toward more technical privacy roles, with demand for such roles exceeding talent supply. To equip today’s workforce with the right privacy skills and prepare a strong talent pipeline for tomorrow’s workforce, organizations need to raise awareness about privacy career paths, transition to skill-based hiring practices and support privacy upskilling initiatives.
Factors Contributing to the Growing Importance of Privacy
Privacy is not a new concept; discussions around the right to privacy started as early as 1890 with the advent of cameras and have continued as technology has evolved.4 Privacy compliance became a hot topic with the European Union’s adoption of the wide-reaching General Data Protection Regulation (GDPR) in 2018. Beyond compliance, privacy continues to take center stage due to several other contributing factors.
Rising Consumer Expectations of Privacy
Consumers expect organizations to be good stewards of their personal information and be transparent about their data practices. With large-scale data breaches becoming everyday news, there is increasing awareness of privacy risk and a widening trust deficit between consumers and enterprises. In addition, consumers do not fully comprehend what data is collected and how it is used by enterprises, which feeds into their concerns, leading them to demand more control over their data. A survey of nearly 5,000 consumers from 19 countries found that 68 percent were concerned about online privacy.5 This concern reflects how much consumers trust organizations with their data—and loss of trust can result in revenue losses. Another survey found that 76 percent of consumers discontinued using products and buying from organizations they did not trust with their data.6
The Rapidly Changing Regulatory Landscape
More than 130 countries have some legislation in place for data privacy. New comprehensive and state-level privacy regulations, updated guidance from regulators and recent developments in case law have led to an increasingly complex regulatory environment. In 2023, 40 US states and Puerto Rico introduced or considered at least 350 consumer privacy bills, several of which have conflicting requirements that are likely to increase the compliance burden.7 Currently, different US state privacy laws define sensitive data differently and have differing heightened data protection requirements.8 In the absence of AI legislation, privacy regulators are issuing guidance that focuses on how the use of AI intersects with existing privacy laws.9 For example, recent developments in cross-border data transfer have led to new restrictions. Sixty-two countries have implemented 144 data restrictions covering privacy and data residency.10
Organizations must comply with this patchwork of regulations with conflicting requirements while delivering a consistent user experience.
The Increasing Cost of Privacy Noncompliance
Fines for privacy noncompliance are rising in cost, challenging organizations to reevaluate their compliance posture and risk tolerance levels. The year 2023 saw a record-breaking €1.2 billion noncompliance fine imposed on Meta for violating EU GDPR international data transfer requirements.11 Similar enforcement action at Amazon,12 YouTube13 and Epic Games14 showed that privacy noncompliance is costly and erodes brand reputation.
Figure 1 shows that although the number of GDPR fines imposed is trending downward, the fine amount (in million euros) has significantly increased, making noncompliance an unacceptable risk for many organizations.15
Noncompliance can tarnish a brand’s reputation, ultimately leading to a loss of customer trust and loyalty. Now more than ever, consumers are conscious of their data privacy, and failure to adhere to regulatory standards can result in increasing customer dissatisfaction. Therefore, it is not just about the immediate financial impact, as the long-term effects on brand reputation and customer relationships can be far more detrimental.
Technological Advancements
In a World Economic Forum 2023 survey of 808 enterprises, more than 75 percent of respondents wanted to adopt cloud computing, AI and big data technologies in the next five years.16 Innovative technologies have given rise to new privacy risk, making it even harder for consumers to trust the enterprises with which they share their data. Technologies such as virtual reality (VR), generative artificial intelligence (AI), autonomous robots, biometric tracking and health tracking (including FemTech such as period trackers) have introduced novel privacy concerns. For example, iRobot Roomba was recently in the news for leaking sensitive images of people in the restroom on social media.17 VR headsets collect vast amounts of biometric data and precise maps of home interiors, introducing online harassment or impersonation risk in immersive environments. Organizations need to institute strong data protection controls such as anonymization and encryption to safeguard against emerging threats.
Privacy as a Competitive Differentiator
Privacy is fast becoming an opportunity for competitive differentiation, particularly for organizations that handle sensitive personal information or rely on consumer trust to grow. Apple, for instance, has differentiated itself from Android and Windows by incorporating privacy features such as lockdown mode, antitracking mechanisms, burner emails and Internet Protocol (IP) obfuscation into its products.18 Apple has leveraged its privacy-focused reputation to successfully broaden its services in highly regulated sectors such as healthcare and finance. Similarly, poor privacy practices provide competitors with opportunities to gain an advantage. A good example of this is the mass exodus of millions of users from the messaging platform WhatsApp to the instant messaging service Signal following a global backlash over WhatsApp’s practice of allowing data sharing with parent company Facebook.19
Expanding the Sphere of Influence for Privacy Roles
Privacy has traditionally been considered a legal function, and lawyers have dominated the privacy workforce. However, with privacy becoming tightly coupled with technology, there has been a shift toward more diverse privacy roles, including new roles such as privacy engineers and architects.
The modern privacy function has a mix of roles. Technology-based privacy roles constitute the largest portion of the workforce, accounting for 27 percent, while legal privacy roles comprise the smallest segment at 5 percent (figure 2).20
Technical privacy roles include engineers who build and implement tools that enable privacy, architects who review and recommend mitigation controls to address privacy risk and specialists who enforce policy and translate requirements for privacy into product features and safeguards. Cillian Kieran, CEO of Ethyca, challenges the traditional view of privacy as solely a governance, risk and compliance (GRC) function, stating:
Privacy has historically been the preserve of the GRC function because it has historically been labeled ‘privacy compliance.’ However, this risks misrepresenting where the majority of the work must happen. Unlike most other compliance frameworks, privacy is unique in that after establishing controls and monitoring, the ‘rubber meets the road’ is where those policies must be enforced, and this is the work of engineers who have a deep understanding of data risks, dark patterns, inference risks, cryptographic security, and access control.21
Because of the highly cross-functional nature of privacy roles, practitioners often need to collaborate with IT, legal, audit, HR, marketing, product, customer research, design, data and security to address privacy needs. R. Jason Cronk, founder of the Institute of Operational Privacy Design, thinks of privacy as an interdisciplinary career that requires a deep understanding of cross-functional interdependencies, stating:
Privacy is the ultimate interdisciplinary career, involving law, technology, sociology, philosophy, psychology, economics, mathematics, computer science, business acumen, and more. Privacy professionals need to up their game if they want to thrive and succeed. You can only claim expertise in one discipline if you understand its interplay with the others.22
To be effective, privacy practitioners need to understand the interdependencies between privacy and other job functions. For example, an insider threat monitoring tool deployment led by the security team may negatively impact employee privacy. Or privacy compliance-led personal data aggregation may render data useless for the data team’s business-critical analytics use cases. According to the 2023 ISACA Privacy in Practice Report, survey participants indicated that their privacy teams continually interacted with information security (32 percent), legal and compliance (29 percent) and risk management (22 percent).23
The focus on collaboration among multiple stakeholders has led to the rise of privacy program manager roles with broad responsibilities to ensure privacy is seen as a shared responsibility and to drive the execution of privacy initiatives across the enterprise. Privacy program managers oversee the execution of privacy compliance initiatives such as data mapping, privacy risk assessments, privacy awareness and compliance reporting. Depending on the organization and staffing model, privacy program managers may be tasked with supporting specific privacy projects such as regulatory investigation response, privacy tooling adoption or privacy feature launches. Priyadarshini Prasad, the co-founder of Lightbeam.ai, explains why privacy is now seen as a shared responsibility, underscoring the need for broader privacy roles in organizations, stating:
The volume, variety, and velocity of data is forcing organizations to enhance their privacy postures from policies and procedures to proactive monitoring, detection, and remediation of privacy issues. In that respect, privacy has become a shared responsibility between the legal teams and the IT/security teams.24
Technology consultants and security professionals are most often tasked with additional technical privacy responsibilities, such as performing technical privacy reviews, deploying privacy-enhancing tools and building processes to enable individual privacy rights, but as concerns around the ethical use of data increase, the need for privacy expertise is expanding beyond these roles.25 As a result, other technical professionals must understand and apply privacy principles in their work. Technical professionals will need to have a baseline understanding of privacy harms, privacy regulations that impact their job responsibilities and privacy-by-design principles to ensure privacy is embedded into the design and not an afterthought.26
Figure 3 shows that nonprivacy role job postings have started to include privacy skills as a requirement, making the case for privacy awareness and education for the broader technical workforce.27
With privacy’s growing importance, roles in adjacent fields such as cybersecurity, compliance, risk management, IT, product management, design and data governance are including a demand for specialized privacy skills. Mature organizations are hiring for new niche roles that intersect with privacy; for example, the shift to responsible product management has led to an uptick in demand for privacy product managers who can incorporate privacy, inclusion and sustainability into the product lifecycle.28 Another example is the recent surge in enforcement actions related to dark patterns, which has notably led to an uptick in the recruitment of privacy-focused user experience (UX) specialists and designers.29
Privacy’s Talent Shortage
ISACA’s Privacy in Practice 2023 report, which surveyed 1,890 global privacy professionals, found that most privacy functions were resource deficient, and the understaffing for technical privacy roles was higher (53 percent) than for legal roles (44 percent).30 Respondents also acknowledged that the biggest obstacle to building a privacy program was the lack of competent resources. Because of the scarcity of qualified applicants, filling open privacy technical roles takes longer than filling legal privacy roles. The report indicated that 18 percent of technical privacy roles took longer than six months to staff.31 Moreover, privacy champions and privacy engineers were among the top five most needed privacy roles.32 These insights highlight the need for more training and education in the field of privacy, particularly for technical roles, to meet the growing demand.
To gain a deeper understanding of the skills in demand for technical privacy roles, the author analyzed 1,817 open privacy job postings in the United States, sourced from LinkedIn and Indeed as of August 2023. Based on a review of the title, job description, responsibilities, preferred qualifications, job type and function, the results showed that 532 (29 percent) of open privacy roles were technical in nature. Although the scope and technical depth of each available posting varied, cross-functional collaboration and effective communication were baseline skills for technical privacy roles.
Figure 4 shows that almost all technical privacy roles require collaboration with other job functions; therefore, communication skills are essential to be successful in these roles. For candidates looking to pivot to technical privacy roles, figure 4 shows the in-demand skills that can be used for job readiness self-assessments and included in professional development plans to address skills gaps.
Note that technical privacy role is an umbrella term, and not all skill domains are required or relevant. For example, a privacy technical auditor role is likely to require knowledge of regulations, privacy frameworks, code reviews and risk management best practices but may not need experience with privacy-enhancing technologies or project management. The analysis also dispels a common myth that all technical privacy roles require programming skills, showing that only 16 percent of the job postings explicitly required software development expertise.
Though the analysis was limited to the United States, the trends are expected to hold true for other regions. Akarsh Singh, CEO of Tsaaro, a privacy training academy with operations in Asia and the Gulf region, lists the in-demand skills for those regions and states:
In today’s rapidly evolving privacy landscape, privacy professionals in Asia and the Gulf region are witnessing a rising demand for skills in data localization, cross-border data transfers, and navigating diverse privacy regulations. As the volume of data grows exponentially and data protection laws become more stringent, we anticipate a continued surge in privacy roles.33
Most privacy functions are understaffed across industries, and organizations need help finding suitable candidates to fill open roles. PricewaterhouseCoopers’s (PwC’s) privacy megatrends roadmap for 2030 predicts that this trend will continue and the demand for people who can apply technical privacy skills to solve business problems will exceed supply.34 Bridging this privacy skills gap, particularly for technical roles, can require several steps from organizations, candidates, professional networks and other stakeholders:
- Address myths related to privacy skill requirements—Privacy suffers from the misperception that privacy professionals require either legal backgrounds or technical backgrounds in cybersecurity or programming, discouraging nontraditional candidates from pursuing a career in privacy. The industry must do more to raise awareness about privacy career paths and skill requirements for generalist vs. specialist roles. For example, the Workforce Framework for Cybersecurity (NICE Framework) established a common lexicon that categorizes and describes cybersecurity work and what workers need to know and be able to do to complete that work.35 Another example is the cyber careers pathways tool developed by the US Cybersecurity and Infrastructure Security Agency (CISA) to support cybersecurity career awareness, education and workforce assessment.36 For privacy, some professional organizations such as the International Association of Privacy Professionals (IAPP) have made a start by attempting to define niche privacy roles such as privacy engineer37 and developing guidance illustrating ways to jump-start a career in privacy engineering.38 Government agencies such as NIST have started initiatives such as the Privacy Workforce Working Group (PWWG) to define a privacy workforce taxonomy;39 however, there is still a long way to go before there is a comprehensive knowledge base for privacy career paths.
- Transition from experience-based to skill-based hiring—Experience is a primary factor in determining an applicant’s qualifications, with 58 percent of organizations ranking prior experience in a privacy role as a very important factor in determining an applicant’s suitability for an open role.40 Candidates with experience in privacy-adjacent fields such as cybersecurity, data governance, compliance, risk management and IT consulting possess transferable skills that can meet the privacy role requirements. Moreover, these professionals are often able to facilitate cross-functional collaboration, a crucial aspect of privacy roles that often requires coordination with various departments within an organization.
- Invest in reskilling and upskilling programs—Organizations spend only 6 percent of their privacy budgets on professional development.41 Because technology innovation and the privacy regulatory landscape are evolving, it is crucial to keep up with changes and invest in skill advancement programs. Privacy-related reskilling and upskilling opportunities help build a privacy-forward culture, increase productivity and ultimately improve talent retention. A global survey of more than 13,000 employees found that a lack of career development and advancement opportunities was the top reason (41 percent of respondents) employees quit.42 Organizations can support privacy skill development programs by providing in-house privacy skills training to develop privacy champions; offering financial support for professional privacy certifications, courses and degrees; and encouraging employees to attend privacy conferences and workshops.
Conclusion
Privacy is taking center stage and is being discussed at the board level due to rising consumer privacy expectations, a rapidly changing regulatory landscape, increasing privacy fines and technological advancements in the data-centric economy. These developments have led to an increased demand for privacy skills, particularly for technical privacy roles. However, the workforce has yet to catch up with the demand for these technical privacy skills. Addressing the privacy skills shortage will require collective, sustained efforts to build viable talent pipelines, with initiatives to encourage skills-based hiring, professional development programs and broadening of the target talent pools.
Endnotes
1 United Nations Conference on Trade and Development, “Multiple Crises Unleash One of the Lowest Global Economic Outputs in Recent Decades, Says UN Report,” 25 January 2023, http://unctad.org/news/multiple-crises-unleash-one-lowest-global-economic-outputs-recent-decades-says-un-report
2 Trueman C.; “Tech Layoffs in 2022: A Timeline,” ComputerWorld, 9 December 2022, http://www.computerworld.com/article/3679733/tech-layoffs-in-2022-a-timeline.html
3 Cisco, Cisco 2023 Data Privacy Benchmark Study, USA, 2023, http://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-privacy-benchmark-study-2023.pdf
4 Warren, S.; L. Brandeis; “The Right to Privacy,” Harvard Law Review, 15 December 1890, http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
5 Fazlioglu, M.; Privacy and Consumer Trust, International Association of Privacy Professionals, USA, March 2023, http://iapp.org/media/pdf/resource_center/privacy_and_consumer_trust_report.pdf
6 Cisco, Data Transparency’s Essential Role in Building Customer Trust, Cisco 2022 Consumer Privacy Survey, USA, 2022, http://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-consumer-privacy-survey-2022.pdf
7 Morton, H.; “2023 Consumer Data Privacy Legislation,” US National Conference of State Legislatures, 28 September 2023, http://www.ncsl.org/technology-and-communication/2023-consumer-data-privacy-legislation
8 Olivero, A.; “Privacy and Digital Health Data: The Femtech Challenge,” International Association of Privacy Professionals, 25 October 2022, http://iapp.org/news/a/privacy-and-digital-health-data-the-femtech-challenge/
9 Office of the Privacy Commissioner of New Zealand, Artificial Intelligence and the Information Privacy Principles, New Zealand, September 2023, http://www.privacy.org.nz/assets/New-order/Resources-/Publications/Guidance-resources/AI-Guidance-Resources-/AI-and-the-Information-Privacy-Principles.pdf
10 Long, K.; “Data Residency Laws Frustrate Asian Banks’ Cross-Border Activity,” The Banker, January 2023, http://www.thebanker.com/Data-residency-laws-frustrate-Asian-banks-cross-border-activity-1674470200
11 Satariano, A.; “Meta Fined $1.3 Billion for Violating E.U. Data Privacy Rules,” The New York Times, 22 May 2023, http://www.nytimes.com/2023/05/22/business/meta-facebook-eu-privacy-fine.html
12 Leggett, T.; “Amazon Hit With $886m Fine for Alleged Data Law Breach,” BBC, 30 July 2021, http://www.bbc.co.uk/news/business-58024116
13 US Federal Trade Commission, “Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law,” 4 September 2019, http://www.ftc.gov/news-events/news/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations-childrens-privacy-law
14 Hatmaker, T.; “The FTC Finalizes Epic’s $245 Million Settlement Over Sketchy Fortnite Purchases,” TechCrunch, 16 March 2023, http://techcrunch.com/2023/03/15/ftc-fortnite-epic-games-purchases-settlement/
15 CMS.Law Enforcement Tracker, “GDPR Enforcement Tracker,” 23 May 2023, http://enforcementtracker.com/
16 World Economic Forum, Future of Jobs Report 2023, Switzerland, 30 April 2023, http://www.weforum.org/reports/the-future-of-jobs-report-2023/
17 Guo, E.; “A Roomba Recorded a Woman on the Toilet. How Did Screenshots End Up on Facebook?” MIT Technology Review, 19 December 2022, http://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/
18 Leswing, K.; “Apple Is Turning Privacy Into a Business Advantage, Not Just a Marketing Slogan,” CNBC, 7 June 2021, http://www.cnbc.com/2021/06/07/apple-is-turning-privacy-into-a-business-advantage.html
19 O’Flaherty, K.; “Is It Time to Leave WhatsApp—and Is Signal the Answer?” The Guardian, 24 January 2021, http://www.theguardian.com/technology/2021/jan/24/is-it-time-to-leave-whatsapp-and-is-signal-the-answer
20 The International Association of Privacy Professionals (IAPP) and EY, IAPP-EY Annual Privacy Governance Report 2022, USA, 2022, http://iapp.org/resources/article/privacy-governance-report/
21 Kieran, C.; Personal Communication, 2023
22 Cronk, R.; Personal Communication, 2023
23 ISACA, Privacy in Practice 2023, USA, 2023, http://gm0h.caminal-equip.com/resources/reports/privacy-in-practice-2023-report
24 Prasad, P.; Personal Communication, 2023
25 Eddy, N.; “Developing Your Data Privacy Skills is Key to Many Technology Jobs,” Dice, 29 May 2021, http://www.dice.com/career-advice/developing-your-data-privacy-skills-is-key-to-many-technology-jobs
26 Cavoukian, A.; “Privacy By Design The 7 Foundational Principles,” October 2010, http://privacy.ucsc.edu/resources/privacy-by-design---foundational-principles.pdf
27 Op cit Eddy
28 Harrysson, M.; R. Singh; D. Eisenberg; “The Emerging Shift to Responsible Product Management,” McKinsey & Company, 12 September 2022, http://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/the-emerging-shift-to-responsible-product-management
29 US Federal Trade Commission (FTC), “FTC to Ramp up Enforcement Against Illegal Dark Patterns That Trick or Trap Consumers Into Subscriptions,” 28 October 2021, http://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-ramp-enforcement-against-illegal-dark-patterns-trick-or-trap-consumers-subscriptions
30 Op cit ISACA
31 Ibid.
32 Op cit IAPP and EY
33 Singh, A.; Personal Communication, 2023
34 PricewaterhouseCoopers (PwC), “Privacy Megatrend: Privacy Engineering Talent Shortage,” 28 January 2021, http://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/seven-privacy-megatrends/privacy-engineering-talent-shortage.html
35 US National Initiative for Cybersecurity Careers and Studies (NICCS), “Workforce Framework for Cybersecurity (NICE Framework),” 28 August 2023, http://niccs.cisa.gov/workforce-development/nice-framework
36 US National Initiative for Cybersecurity Careers and Studies (NICCS), “Cyber Career Pathways Tool,” 28 September 2023, http://niccs.cisa.gov/workforce-development/cyber-career-pathways-tool
37 International Association of Privacy Professionals (IAPP), “Defining Privacy Engineering,” July 2023, http://iapp.org/media/pdf/resource_center/defining_privacy_engineering_infographic.pdf
38 International Association of Privacy Professionals (IAPP), “How to Get Started in Privacy Engineering,” August 2020, http://iapp.org/resources/article/infographic-how-to-get-started-in-privacy-engineering/
39 US National Institute of Standards and Technology Privacy Engineering Program, “Privacy Workforce Working Group Charter,” 7 January 2020, http://www.nist.gov/system/files/documents/2023/01/19/2022-01-07%20PWWG_Charter_Revised.pdf
40 Op cit ISACA
41 Op cit IAPP and EY
42 De Smet, A.; B. Dowling; B. Hancock; B. Schaninger; “The Great Attrition Is Making Hiring Harder. Are You Searching the Right Talent Pools?” McKinsey & Company, 13 July 2022, http://www.mckinsey.com/capabilities/people-and-organizational-performance/our-insights/the-great-attrition-is-making-hiring-harder-are-you-searching-the-right-talent-pools
NANDITA RAO NARLA
Is a senior fellow at Future of Privacy Forum, where her research focuses on privacy engineering. She is the head of technical privacy and governance at DoorDash, where she leads the privacy governance, assurance and operations teams. Previously, she was part of the founding team of a data profiling startup and held various leadership roles at EY, where she helped Fortune 500 companies build and mature privacy, cybersecurity and data governance programs. She supports interdisciplinary privacy research and serves on the advisory boards and technical standards committees for the International Association of Privacy Professionals (IAPP), Ethical Tech Project, X Reality Safety Initiative, Institute of Operational Privacy Design and the US National Institute of Standards and Technology (NIST).