Data protection and privacy management work is divided into 7 categories.
- Development of software, apps and user interfaces to ensure that the principles for data protection and privacy are implemented at the front end and back end.
Engineers, developers (including UI/UX teams) and product managers are uniquely positioned to do this work. Many of them continue to utilise privacy knowledge in their existing roles, while others later branch out as privacy engineers once the company sets up a dedicated privacy team.
- Privacy management work
Most large organisations have a vertical called Governance, Risk and Compliance (GRC), Risk Advisory or Risk Management which is involved in this work.
Privacy management and administrative work is the most resource-intensive work, involving team members from various teams.
This work involves strategy formation, identifying costs, defining a privacy program, testing its effectiveness, planning, coordination, creation of a process, measurement, obtaining feedback from stakeholders, reporting and management.
This can be performed by a professional from any background, i.e. techies, CAs, CS, MBAs, lawyers, HR managers, commerce students and grads, etc., if they are trained in this work.
- Administrative work, primarily involving creation of various policies, privacy notices, record keeping, maintenance of registers, execution of standardised documentation for data transfers to 3rd parties, cross-border transfers, data protection impact assessments. Trained professionals from any domain can do this once they know the principles.
- Privacy compliance must be undertaken to ensure that there is a valid basis for collection and processing of user data, data mapping, breach disclosures, decision-making around conducting DPIAs, audits, etc.
Anyone who learns this work can do it. CAs, CS, lawyers and HR professionals who work in payroll can take up this work as they are already performing compliance work, but techies can do this as well, as it is very easy to learn.
- Conducting trainings for relevant stakeholders in the organisation – techies, lawyers, compliance professionals and HR professionals can all do it.
- Routine drafting and negotiation work such as negotiating data processing addendums – Anyone who is trained can do this work; it is not restricted to lawyers or compliance professionals because it is fairly standardised. Anyone who learns the cardinal principles of privacy can do it.
- Legal work – complex drafting, interventions during a negotiation, issuing a legal opinion, working on disputes with third parties or regulators, arguing before regulatory authorities – this work is usually performed exclusively by lawyers.
Here is a downloadable list of these items where the work has been mentioned in greater detail.
It is NOT for one person to perform ALL these categories of work.
Companies have privacy talent sourced from multiple teams – from legal and compliance, tech & engineering, product and HR.
While initially these may be team members who divide between their existing responsibilities and privacy work, over time these team members branch out into a dedicated privacy team as the work gets voluminous and hyper-specialised.
In addition, such companies also engage dedicated external consultants, DPOs and professional services firms.
If you can perform even one or two such types of work, your employability and career prospects can soar; it doesn’t matter what you are doing.
You need to acquire some level of knowledge pertaining to data protection and privacy regulations to work in this area, but that is all.
It just takes 3-6 months.
Of course, lawyers, CAs and CS do not learn this work in their college or professional degrees, but since they already perform compliance work in other domains regularly, many lawyers and compliance professionals have specialised into it or added data protection and privacy services.
Can engineers/IT professionals do it? Do they have some unique strengths?
There are some parts of the work, such as front-end and back-end development, UI/UX design, product management, etc. of websites, apps and privacy-first products that IT professionals and engineers are suited to perform much better than others.
Here are some profiles of people on LinkedIn who have been doing this work:
Ankita Lavania, IT Professional, working in Information Security & Data Privacy having 7+ years of experience, https://www.linkedin.com/in/ankita-lavania/
Sushmita Shrivastava, IT professional & MBA, 7 years of in-house and client serving experience in data privacy domain
What about mid-level managers, HR, finance and admin professionals?
As you saw, a huge component of this work involves attention to detail, record-keeping, administrative work, coordination with different departments, handling data, running and monitoring processes on a continuous basis. There is also team building, resource allocation and training. This can be a strength for HR managers.
Sneha Rosalia Minj, HR Professional, handles data privacy too with her HR role https://www.linkedin.com/in/sneharosaliaminj/
This article explains the role of HR professionals very well:
Here is someone with an MBA degree who has been doing this work:
Shaikh Ajaz Ahmad, MBA, 7 years of working in Data Privacy & Protection domain https://www.linkedin.com/in/shaikh-ajaz-ahmad-561527a0/
Even B.Com grads can do it. Here is a person who is a B.Com graduate, who is into this area of work:
Sachin Chougule, Senior Business Development Manager, Cybersecurity-NxxT, only has a B.Com degree, works on data protection and cybersecurity