Driven by continued data breaches and new regulations, the demand for privacy professionals continues to increase.

By Mathew Schwartz | July 2008

How important is data privacy?

To answer that question, consider the consumers who have had their personal information or identities put at risk. According to the Privacy Rights Clearinghouse, more than 230 million records containing private information were compromised between January 2005 and June 2008.

This data breach epidemic is forcing organizations to reevaluate how they ensure private data stays private. Increasing the pressure is a growing number of laws that touch on data privacy. They include the Fair Credit Reporting Act, Children's Online Privacy Act, the Patriot Act, HIPAA, GLBA, PCI and, for companies doing business in both the U.S. and EU, the Safe Harbor principles. And that's just for starters.

Given the complexity associated with handling so many regulations, not to mention the potential fines and business fallout if they get it wrong, many companies are taking a more rigorous approach to data privacy. In fact, according to a survey by Cambridge, Mass.-based Forrester Research, 69 percent of businesses now have a formal privacy program with participation from multiple business groups.

As that suggests, opportunities for careers in the privacy field are growing. "There are thousands of privacy professionals now in the U.S. and Europe and Asia," especially at large organizations, notes Harriet Pearson, IBM's chief privacy officer. For example, "most of the Fortune 100 have a privacy officer or some sort of equivalent (position)."

Staffing the Privacy Office

As more businesses build and expand their "privacy office," demand for the workers needed to staff them continues to rise. Indeed, the International Association of Privacy Professionals in York, Maine, has 5,000 members in 32 countries, and has seen its ranks grow annually by an average of 30 - 40 percent since its founding eight years ago.

"We're seeing continued, growing momentum behind the idea that you need privacy professionals in any organization that deals with data," says executive director J. Trevor Hughes. "Because it's one thing to protect the data, and it's another to use it for business purposes (and) know how to comply with existing laws and maintain and utilize that data within the expectations of the customers and clients you're serving."

Top Skills For Privacy Professionals

Just what skills are required to become a privacy professional, and how do you get them?

Job requirements may include setting and managing the expectations of customer and business partners, navigating myriad regulations, understanding everything from cookies and Web beacons to role-based access controls, and coordinating the privacy efforts of different groups inside the business, each with its own concerns and lingo.

In other words, you'll need a diverse set of abilities. "The most successful privacy professionals are those that can bring together the somewhat unrelated fields of technology, law and policy, and business operations and understand how they all work together in a way," says Hughes. He also emphasizes the role requires a can-do attitude. "Privacy professionals aren't saying how you can't use data. Instead, it's about maximizing the use you can make of the data."

Along the way, however, organizations must be honest and open about what they're doing. "With privacy you need to know what you do, say what you do, and do what you say," Hughes explains. "Saying what you do" includes publishing a privacy policy. "Doing what you say" means having security controls which enforce that policy.

Perhaps not surprisingly, privacy professionals hail from many different backgrounds: IT and information security, of course, but perhaps more from law and policy backgrounds. Others arrive via auditing, accounting, product development or even marketing. "It's all sorts," says Hughes, who is a lawyer by training.

Consider Privacy Certifications

To become privacy-proficient and demonstrate that proficiency, consider the IAPP's Certified Information Privacy Professional (CIPP) designation. "It is meant to be an entry-level certification to demonstrate comprehension and issue-spotting abilities in the field of privacy," says Hughes. "And that has proven to be quite valuable in the marketplace as privacy has grown as a profession." About 40 percent of the IAPP's members hold the certification.

While few IT professionals can afford to ignore the issue, not all will want to remake themselves as privacy professionals. Accordingly, this September the IAPP will introduce the broader CIPP/IT certification, designed with the help of Oracle, Microsoft, HP, IBM, Sun and Intel. According to Hughes, the new certification is meant to address such issues as building privacy-sensitive databases and knowing how privacy laws apply to creating "ubiquitous identifiers" - tags - within a system.

Understanding privacy concerns has its rewards. "If you're an IT professional, it's one thing for you to have your technical chops, but you'll be more mobile, better paid and overall smarter with regards to IT and development if you have privacy sensitivities," Hughes says.

Mathew Schwartz is a business writer based in Pennsylvania.