GDPR-EU General Data Protection Regulation

It was in January 2017 that registration for taking Certified Information Privacy Professional/Europe certification began to outpace its domestic flagship counterpart, the CIPP/US. Flash-forward one year and the CIPP/E is now the most widely sought-after certification in the International Association of Privacy Professionals portfolio of accreditations. This shift is holistically attributed to the looming European Union General Data Protection Regulation going into effect on May 25, 2018, as well as a growing community of professionals, largely in legal, thirsty for greener career pastures.

The IAPP is currently testing nearly one thousand people a month for the CIPP/E. Of its 36,000 current members, 12,500 have passed and maintain at least one of the privacy certifications. The IAPP has existed for just over 15 years, and the EU's GDPR may be the best thing that has ever happened to it or the industry.

The original core membership of the IAPP was largely lawyers. The IAPP started with fewer than 300 certified professionals in the early years, almost all of whom were chief privacy officers. Then came the compliance departments and regulatory agencies. Lately, talent from all areas of corporate, legal, marketing, human resources and government is rushing to become certified, because privacy is now becoming an operational component in how businesses run. Topics like record keeping, access control, network configuration and email proliferation as well as things like “the right to be forgotten” are all highly relevant and applicable to privacy best practices. Operationalizing something like the right to be forgotten can at first seem ethereal, but taking concept into practice is exactly what the IAPP aims to solve by providing a standardized approach and framework that professionalize the industry.

The first step in preparing for the GDPR, or any jurisdictional privacy compliance, is knowing what the rules and regulations are both domestic and abroad. Under the umbrella of the IAPP, there are five variations on its CIPP certification: for Asia, Canada, Europe, the U.S. government and the U.S. private sector (these last two being designated G and US, respectively). But the IAPP is about more than just CIPP certifications for different global areas. In addition to CIPP certification, the IAPP offers Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT) and Fellow of Information Privacy (FIP) designations.

However, knowing what to expect from the GDPR does not necessarily prepare an individual or organization for how to become and remain compliant. None of these latter non-CIPP certifications are specific to GDPR guidelines, but they are mission critical to developing and maintaining a privacy compliance program. According to Sam Pfeifle, publication director for the IAPP, the “CIPP certifications are the 'what'—understanding laws, regulations, penalties, what you can and can't do—while the CIPM and CIPT are the 'how'—putting together a team, documenting process and establishing ways to manage and be accountable for privacy within an organization.”

For Pfeifle and the IAPP, the GDPR is, at its core, about creating accountability. “The GDPR requires demonstrating compliance on demand,” says Pfeifle. “The challenge is how to show [regulators] your program and often prove bad things are not going to happen—a similar challenge to the security world.” This is why marrying the CIPP/E and the CIPM/CIPT becomes invaluable. Attaining FIP, the highest status, means an individual has earned a CIPP designation and a CIPM or CIPT designation and has three years of work experience during which data privacy has represented at least 25 percent of the job responsibilities. (An information security certification from ISC2, ISACA, IEEE or other information security associations will satisfy one year of the experience requirement.)

Specializing in privacy is not the only thing that distinguishes the IAPP from other certifying bodies in tertiary industries like security or discovery. The IAPP keeps its training and certification programs completely separate. “We are not training people to pass the test,” proclaims Pfeifle, who continues by adding that the IAPP is “literally moving desks, so training and certification cannot be physically together, can't work on modules together and can't be privy to how questions are developed and tested at all.” What maintains the checks and balances for development and training is a body of knowledge document that the certification team publishes and the training team interprets into curriculum. This is an important distinction for the IAPP as it shores up the credibility of its entire program. The IAPP's CIPM, CIPP/E, CIPP/US and CIPT certifications were recently accredited by the American National Standards Institute under the International Organization for Standardization standard 17024: 2012. According to Pfeifle, “It is not easy to get certified by ANSI.”

The aforementioned body of knowledge generated by the certification team is not a giant textbook. It is basically a multipage source document outlining what the IAPP sees as defining the profession of privacy. The training teams, however, do provide textbooks, web conferences, custom online training modules and an educational conference to be held this March in Washington, D.C., to educate aspiring privacy pros. (Note that some recent college grads can attend the conference for free, thanks to scholarships and volunteer opportunities.) Consumption of this content is not required to register for or pass the exams. “Many people take our exams and pass because they have been doing the work for the last five years,” admits Pfeifle. Ten hours of CPE credits are required annually to keep active IAPP certification clearance.

In conjunction with companies scrambling to prepare for GDPR compliance, privacy is also becoming a ripe area for people looking to change their professional path, do something new and evolve with their careers. However, if rapid financial incentive is the motivation for a career transition into privacy, the window of opportunity for accelerated earnings may have passed. Since 2005, the IAPP has been conducting a biannual salary survey, and the results are compelling. According to the surveys, the average base salary of a privacy pro has always gone up—until 2017. Additionally, the average mean has gone down in the most recent survey from $145,000/year to $123,000/year in the United States. The IAPP sees this as a good thing.

“In the past, privacy was done by one or two lawyers at even the largest Fortune companies,” says Pfeifle. “Today, there are more jobs and levels of responsibility throughout organizations with varying degrees of complexity and scale related to privacy.” In other words, the privacy industry has expanded to include more people, causing the mean salaries to collectively diminish industrywide. “Not everyone in privacy is a CPO anymore,” concludes Pfeifle. “Facebook alone has over 200 privacy professionals.” This is a testament to the growth of an industry, and there are undeniably more privacy jobs available than ever before.

Jared Coseglia is the founder and CEO of TRU Staffing Partners, an Inc 5000 Fastest Growing American Company 2016 & 2017 and National Law Journal's #1 Legal Staffing Agency, and has over 15 years of experience representing thousands of professionals in e-discovery and cybersecurity throughout the world.