Humanity creates around 2.5 quintillion bytes of data every day. Some 90% of the data in the world today has been created in the last two years alone. This trend is only going to accelerate in future.
The surge in big data is attributed to the proliferation of IoT devices fitted on everything from pacemakers to vehicles, as companies derive increasing value out of the data generated by these networked devices.
For companies dealing with huge data sets, maintaining data privacy and security has become paramount, and it requires qualified personnel who can create and deploy a privacy programme.
Enter the privacy professional, which is quickly becoming a separate job role from a security officer in organizations across a wide range of sectors. The profession involves managing privacy challenges and risks, staying abreast of evolving legal and regulatory regimes, and finding ways to minimise the impact of a breach when it occurs. Curious to know more about this industry, FactorDaily took a look at the certification and training options in the market, and spoke to a few privacy professionals for an appraisal on the courses on offer.
The Data Security Council of India (DSCI) is India’s leading industry body on cyber security and privacy. DSCI has been set up by Nasscom, the industry body for IT services. It offers two courses for individuals to interested in becoming a certified data privacy professional: DCPP (DSCI Certified Privacy Professional) and DCPLA (DSCI Certified Privacy Lead Assessor).
The content of DCPP is more towards creating awareness or explaining the entire privacy as a subject to any individual, says Shivam Satnani, Senior Analyst at DSCI, gave us a breakdown of the differences between the two courses. “DCPP is ideal for anyone starting their career in privacy, it explains privacy principles, drivers, how contracts are drawn in this domain, and the important data privacy laws across the world (such as) EU GDPR and the Privacy Shield between EU and US,” he says. While the DCPP courseware is more like a subject altogether, DCPLA’s content is more towards training a person to assess an organisation’s implementation of DSCI’s privacy framework, he explained.
DCPP and DCPLA also differ in how the exam is taken. DCCP is a self-study based type of certification, wherein the individual pays a fee and receives a PboK (Privacy Body of Knowledge) book, and then appears for an online exam at any testing centre provided by Pearson. In DCPLA, the course is conducted only by DSCI, wherein training is provided by DSCI for 2.5 days, and then a pen-and-paper based exam is taken.
The two courses also differ in fees: DCPLA costs Rs 30,000 while DCPP costs Rs 15,000. The latter comes with an annual certification maintenance requirement, costing Rs 2,500 plus taxes, and requires a minimum of 30 CPE (Continuing Professional Education) credits.
The DCPLA course was introduced in 2012, when DSCI came up with its nine-point assessment framework for privacy, which covers areas such as personal information security, information usage and access, privacy monitoring and incident management, and more. “The privacy framework that DSCI has made was sector agnostic, technology agnostic, as well as regulation agnostic. So even if the Information Technology Act changes, or is amended by data protection law in India, it won’t impact the framework,” says Satnani.
The training material provided in the DCPP is updated with global developments, such as when the GDPR framework and Privacy Shield regulatory changes happen, says Satnani, through an addendum that will be provided to all the students of DCPP. “Recently, Qatar has also notified their privacy law. With India’s own data protection law under way, we have kept a hold on this year’s addendum,” he says.
DSCI’s privacy courses are still a niche. DCPLA has seen around 350-400 participants, so far, while around 200 people who have passed the DCPP certification, which was launched more recently, in 2014. A majority of enrollments come from professionals in IT consulting and IT enabled services fields, with others coming from BPO, banking, and education sectors. The Supreme Court’s ruling on the right to privacy, and the upcoming data protection law has created a surge in demand for DSCI’s privacy courses, says Satnani. However, he wasn’t able to provide any data points on jobs secured due to DSCI’s privacy courses.
“People think privacy and security are the same thing, there is no major difference between them, but once I went through the privacy course, I realised that while are overlapping areas, there is a fundamental difference,” says Naveen Grover, a DSCI Certified Privacy Professional (DCPP), who works at InterGlobe Technologies, a Gurugram-based travel technology company. Grover says he opted for DSCI’s course as he needed to only consider India’s Information Technology Act, since he worked an Indian company.
“With privacy attaining the mantle equivalent to security, or maybe bypassing it, to a higher scale, I think DCPLA’s a tremendous course. It certainly helped me. I ended up becoming the data grievance officer of the company because of it,” says A K Anand, Senior Vice President, Global Practice Head & CISO at NIIT Technologies. He recommends courses and content on IT Governance, for those interested in understanding the EU GDPR regulation.
Nymity, TrustArc and IT Governance are trusted sources with great material, training, workshops, webinars, and other resources in the privacy domain, says Swati Sinha, Privacy Officer at Vodafone Shared Services. She took CIPP (Certified Information Privacy Professional) and CIPM (Certified Information Privacy Manager) certifications from IAPP (International Association of Privacy Professionals), which is considered to be the largest global community for privacy professionals.
“I have been approached by quite a few employers and recruiters on my LinkedIn profile for prospective job opportunities because of these certifications,” she says. “While they may not be the absolute proof of an individual’s domain knowledge on privacy, the certifications do add value to your resume and makes a great first impression because it shows that the individual is serious about privacy and has at least taken the effort to get these certifications.”
Priced at $550 for first-time certification, holders of an IAPP certification receive a discounted price of $375 for any additional first-time certification exams. Annual certification maintenance fees of $125 apply subsequently, though this charge is waived for IAPP members. IAPP membership costs range from $50 to $250, based on membership type (Student, Retired, Professional, etc).
Anand was keen on following the EU GDPR (General Data Protection Regulation) directive, which comes into effect on 15 May 2018, and applies to non-European Union companies that process personal data of individuals in the EU. Article 37 of the GDPR states that a data protection officer or DPO must be designated by controllers and processors which require regular and systematic monitoring of data subjects on a large scale. GDPR requirements include adherence to ‘privacy by design’ principles, data breach notifications, the right to be forgotten, and parental consent for processing children’s data.
With the deadline for GDPR just about seven to eight months way, a lot of privacy professionals in the country are going to be sitting at important positions in India’s IT companies, Anand predicts, as this particular legislation is very stringent and penalties severe. Fines for a data breach can go up to €20 million or 4% of a company’s global revenues. “This is a colossal figure. Mid-size companies are going to just crumble when faced with a fine of this magnitude,” he says.
“All our IT companies have operations in the UK, staff sitting out there, and I’m positive that their personal data is coming back to the headquarters in India. We will have to start addressing the client data which passes through the system, both as data processors as well as data controllers,” Anand says. “If there are not adequate number of people who understand data privacy, and are certified, organisations are going to face difficulty on that.”