Privacy is Becoming an Alternative Career Path for Thousands
The IAPP is certifying more privacy professionals than ever before, thanks to the GDPR and a legal community hungry for reinvention.
February 20, 2018 at 08:00 AM
6 minute read
It was in January 2017 that registration for taking Certified Information Privacy Professional/Europe certification began to outpace its domestic flagship counterpart, the CIPP/US. Flash-forward one year and the CIPP/E is now the most widely sought-after certification in the International Association of Privacy Professionals portfolio of accreditations. This shift is holistically attributed to the looming European Union General Data Protection Regulation going into effect on May 25, 2018, as well as a growing community of professionals, largely in legal, thirsty for greener career pastures.
The IAPP is currently testing nearly one thousand people a month for the CIPP/E. Of its 36,000 current members, 12,500 have passed and maintain at least one of the privacy certifications. The IAPP has existed for just over 15 years, and the EU's GDPR may be the best thing that has ever happened to it or the industry.
The original core membership of the IAPP was largely lawyers. The IAPP started with fewer than 300 certified professionals in the early years, almost all of whom were chief privacy officers. Then came the compliance departments and regulatory agencies. Lately, talent from all areas of corporate, legal, marketing, human resources and government is rushing to become certified, because privacy is now becoming an operational component in how businesses run. Topics like record keeping, access control, network configuration and email proliferation as well as things like “the right to be forgotten” are all highly relevant and applicable to privacy best practices. Operationalizing something like the right to be forgotten can at first seem ethereal, but taking concept into practice is exactly what the IAPP aims to solve by providing a standardized approach and framework that professionalize the industry.
The first step in preparing for the GDPR, or any jurisdictional privacy compliance, is knowing what the rules and regulations are both domestic and abroad. Under the umbrella of the IAPP, there are five variations on its CIPP certification: for Asia, Canada, Europe, the U.S. government and the U.S. private sector (these last two being designated G and US, respectively). But the IAPP is about more than just CIPP certifications for different global areas. In addition to CIPP certification, the IAPP offers Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT) and Fellow of Information Privacy (FIP) designations.
However, knowing what to expect from the GDPR does not necessarily prepare an individual or organization for how to become and remain compliant. None of these latter non-CIPP certifications are specific to GDPR guidelines, but they are mission critical to developing and maintaining a privacy compliance program. According to Sam Pfeifle, publication director for the IAPP, the “CIPP certifications are the 'what'—understanding laws, regulations, penalties, what you can and can't do—while the CIPM and CIPT are the 'how'—putting together a team, documenting process and establishing ways to manage and be accountable for privacy within an organization.”
For Pfeifle and the IAPP, the GDPR is, at its core, about creating accountability. “The GDPR requires demonstrating compliance on demand,” says Pfeifle. “The challenge is how to show [regulators] your program and often prove bad things are not going to happen—a similar challenge to the security world.” This is why marrying the CIPP/E and the CIPM/CIPT becomes invaluable. Attaining FIP, the highest status, means an individual has earned a CIPP designation and a CIPM or CIPT designation and has three years of work experience during which data privacy has represented at least 25 percent of the job responsibilities. (An information security certification from ISC2, ISACA, IEEE or other information security associations will satisfy one year of the experience requirement.)
Specializing in privacy is not the only thing that distinguishes the IAPP from other certifying bodies in tertiary industries like security or discovery. The IAPP keeps its training and certification programs completely separate. “We are not training people to pass the test,” proclaims Pfeifle, who continues by adding that the IAPP is “literally moving desks, so training and certification cannot be physically together, can't work on modules together and can't be privy to how questions are developed and tested at all.” What maintains the checks and balances for development and training is a body of knowledge document that the certification team publishes and the training team interprets into curriculum. This is an important distinction for the IAPP as it shores up the credibility of its entire program. The IAPP's CIPM, CIPP/E, CIPP/US and CIPT certifications were recently accredited by the American National Standards Institute under the International Organization for Standardization standard 17024: 2012. According to Pfeifle, “It is not easy to get certified by ANSI.”
The aforementioned body of knowledge generated by the certification team is not a giant textbook. It is basically a multipage source document outlining what the IAPP sees as defining the profession of privacy. The training teams, however, do provide textbooks, web conferences, custom online training modules and an educational conference to be held this March in Washington, D.C., to educate aspiring privacy pros. (Note that some recent college grads can attend the conference for free, thanks to scholarships and volunteer opportunities.) Consumption of this content is not required to register for or pass the exams. “Many people take our exams and pass because they have been doing the work for the last five years,” admits Pfeifle. Ten hours of CPE credits are required annually to keep active IAPP certification clearance.
In conjunction with companies scrambling to prepare for GDPR compliance, privacy is also becoming a ripe area for people looking to change their professional path, do something new and evolve with their careers. However, if rapid financial incentive is the motivation for a career transition into privacy, the window of opportunity for accelerated earnings may have passed. Since 2005, the IAPP has been conducting a biannual salary survey, and the results are compelling. According to the surveys, the average base salary of a privacy pro has always gone up—until 2017. Additionally, the average mean has gone down in the most recent survey from $145,000/year to $123,000/year in the United States. The IAPP sees this as a good thing.
“In the past, privacy was done by one or two lawyers at even the largest Fortune companies,” says Pfeifle. “Today, there are more jobs and levels of responsibility throughout organizations with varying degrees of complexity and scale related to privacy.” In other words, the privacy industry has expanded to include more people, causing the mean salaries to collectively diminish industrywide. “Not everyone in privacy is a CPO anymore,” concludes Pfeifle. “Facebook alone has over 200 privacy professionals.” This is a testament to the growth of an industry, and there are undeniably more privacy jobs available than ever before.
Jared Coseglia is the founder and CEO of TRU Staffing Partners, an Inc 5000 Fastest Growing American Company 2016 & 2017 and National Law Journal's #1 Legal Staffing Agency, and has over 15 years of experience representing thousands of professionals in e-discovery and cybersecurity throughout the world.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250