Compliance Professionals Are Stretched Too Thin: Here’s What Needs to Change
Privacy and data protection were catapulted into mainstream consciousness with the advent of the GDPR in 2018. Since then, consumers have demanded more of the organisations they do business with – in how they handle their personal information, deal with access and erasure/transfer requests, and obtain consent. The challenge for organisations is that, precisely at a time when they need more compliance professionals to help manage the increased workload, fewer are available.
Two new studies illustrate the scale of the challenge. Experts believe improved training programmes will be key, and that automated tooling could also help fill some persistent skills gaps.
What’s the Problem?
The first piece of bad news comes from e-learning provider Skillcast. The firm estimates that a single compliance professional could be responsible for the data of over 14,300 people and businesses. Its calculations are based on LinkedIn data on compliance professionals and estimates for the size of the average workforce and customer base of FTSE 250 companies. If accurate, it points to a serious shortage of skilled professionals in the space.
Further confirmation comes from IT governance body ISACA. Half (48%) of respondents to the professional association’s recently published Privacy in Practice 2024 report claim privacy compliance and legal roles are increasingly in high demand. Even more (55%) say more technical privacy roles are needed by organisations. In fact, experience with different types of technologies and/or applications is cited by a majority (65%) as the biggest skills gap. A lack of competent resources is cited by over two-fifths (43%) of organisations as one of the main obstacles to forming a privacy programme.
Funding is also clearly an issue: 41% say their programme is underfunded and only 42% claim their programme is adequately funded. ISACA’s chief global strategy officer, Chris Dimitriadis, tells ISMS.online that funding shortfalls suggest privacy isn’t a priority for organisations.
“That’s not to say that they don’t think it’s important – instead, they may not see how privacy helps them to achieve their organisation’s objectives, particularly as the results aren’t necessarily tangible,” he continues.
“But this is misguided. Whilst requiring upfront expenditure, prioritising privacy will allow businesses to protect their data, consequentially building trust with consumers and preserving supplier relationships – all contributing to business growth.”
Conversely, skills gaps could have a serious impact on organisations’ ability to effectively manage privacy and data protection compliance risk. Only a third (36%) of those polled claim they find it easy to understand their privacy obligations. And fewer than half (45%) say they are “very or completely confident” in their privacy team’s ability to achieve compliance with new laws and regulations.
How Can Organisations Tackle Industry Skills Gaps?
The challenge is that demand for privacy compliance skills will only grow.
“The combination of rapid advances in digital technologies with ongoing regulatory changes mean businesses are constantly playing catch up. Even if regulation is not changing, if a digital ecosystem does, then the interpretation of the law to the particularities of an emerging technology like AI, may be different,” Dimitriadis argues.
“Businesses can’t afford to infringe new regulations or risk reputational damage. The demand for technical and compliance skills is only going to grow as consumers and businesses increasingly scrutinise the organisations they choose to interact with based on their approach to data privacy.”
So what’s the solution? Organisations have several options:
Focus on transferrable skills
ISACA’s report reveals that previous legal or compliance experience is the most important hiring factor for 97% of respondents, followed by prior hands-on experience in a privacy role (92%). But by focusing on these qualities, employers risk shrinking the candidate pool, argues Dimitriadis.
“Employers need to take a leap of faith and recognise that people have valuable, transferrable skills – and training somebody from entry level, or even re-training somebody from another industry, is worth it,” he adds.
Retrain existing employees
In a similar way, organisations could retrain existing staff members who may currently not work in privacy compliance but who have transferrable skills that would flatten the learning curve for them. According to ISACA, over half (52%) of responding organisations currently offer training to allow non-privacy staff move into privacy roles.
Use external consultants
ISACA says 39% of organisations have increased their usage of contract employees or external consultants. Although expensive, and sometimes a stop-gap measure, it may give the organisation breathing space and help them to fulfil their compliance obligations whilst formulating a longer term strategy.
Make better use of AI and automation
The good news is that compliance tools increasingly come with intelligence baked in. The best ones are designed to streamline processes which were once a heavy manual lift for employees. That can free up limited in-house resources to focus on higher value work and/or enable new hires to get up to speed quickly.
“There was a lot of activity in data compliance around the introduction of the GDPR. A lot of consultants skilled up for the occasion. It now seems that people have moved on, resulting in shortages in data protection compliance,” Skillcast CEO Vivek Dodd tells ISMS.online.
“Organisations need to leverage their skilled workers by improving delegation and productivity. Both can be achieved by making more use of software tools and AI to ease compliance monitoring.”
ISACA’s Dimitriadis agrees, up to a point.
“AI is capable of solving certain privacy problems and enhancing the work that humans do, for example by identifying patterns invisible to humans and reacting to them in real time,” he concludes.
“However, it cannot replace human workers, but it can alleviate some of the pressure faced by privacy teams. Trained workers will always be needed to ensure that AI is being used, trained and configured correctly and safely.”
