The global skills and competency framework for the digital world

#1346 Privacy change request accepted

Privacy to be addressed when cybersecurity will be revisited in SFIA8.

It would be nice to see developments concerning Privacy, including appropriate skills based on field studies and regulations.

The input coming from "Chief Information Security Officer" team in my client organisation. They have a full-fledged implementation of SFIA7 and everybody in the organisation have a Job Description populated by relevant SFIA skills. All of them have gone through the self-assessment and endorsed by their leaders.   

Proposed change applies to Information security

Current status of this request: accepted

What we decided

Include in

  • review of information and cyber security skills for SFIA 8 
  • generic attributes
  • review of IRMG skill - readability and the Data protection references in IRMG 7
Ian Seward (General Manager)
Dec 31, 2020 10:27 PM

Agreed we need to explicitly address privacy.

Consider: Are there specific privacy skills or is privacy really a generic component. One solution might be to bring out the Security elements from the Generic (Business Skills) into a spearer generic of Security and Privacy - this would address "security and privacy being a component of everyone's role' and reflect local legislation through the generic description. That said, are there explicit privacy skills or is it more a behaviour?

SFIA Updates Manager
Mar 11, 2021 04:39 PM

Question - "are there explicit privacy skills or is it a behaviour"?
I think the parallels are with specialist security roles vs "security is the responsibility of everyone"

The Privacy Manager Certification BOK - (https://iapp.org/media/pdf/certification/CIPM_BOK_2.0.1.pdf) outlines a number of knowledge areas - some of which we could map to existing SFIA skills - such as IRMH, ETDL, RISK, USUP, SUPP etc.

And here's a summary https://iapp.org/media/pdf/certification/CIPTInfo_5PrivacyTechSkills.pdf

Reading through the document I wonder if a skill similar to the structure of SCTY could be needed - but one which focuses on data privacy strategy, policy, advice and guidance, external monitoring for legal/regulatory developments, supporting other organisational processes and roles, et etc

this BOK suggests a number of role depending on size/structure of the organisation - see below. This seems to mirror the approach to structuring specialist security teams/roles

Establish the organizational model, responsibilities and reporting structure appropriate to the size of the organization
Large organizations
1.Chief privacy officer
2.Privacy manager
3.Privacy analysts
4.Business line privacy leaders
5.“First responders”

Small organizations/sole data protection officer (DPO)including when not only job