Understanding Australia’s Privacy Skills Shortage

Leading Australian privacy professional Dr. Jodie Siganto from Privacy 108 facilitated an insightful panel discussion on the privacy skills shortage in Australia. The panel delved into the current state of the privacy workforce and the growing demand for privacy professionals in Australia.

The panel also discussed the different skills needed by privacy professionals and how privacy teams might operate in different organisations plus potential solutions to bridge the gap.  They will also consider the impact of emerging technologies such as AI and data analytics on the privacy landscape.

Panel members:

• Alison Cook,  Assistant General Counsel APAC – Privacy, Allegis Group

Alison serves as Assistant General Counsel, APAC – Privacy, for Allegis Group, where she leads the APAC legal and operational strategy for data protection and privacy compliance. Based in North Sydney, Alison provides expert counsel on the implementation of privacy frameworks across diverse regulatory environments, ensuring alignment with global standards and local obligations. With a legal background and a decade’s hands on privacy experience, Alison is instrumental in advising on cross-border data governance, privacy risk mitigation, and regulatory engagement. She is a key contributor to enterprise-wide privacy initiatives, including awareness campaigns, training programs, compliance certifications and incident response protocols. Her leadership has been pivotal in embedding privacy by design principles into business processes and fostering a culture of accountability and transparency.

• Edward Ryan, Privacy Manager Enterprise Risk and Enablement, Service NSW

Ed Ryan has been managing the privacy function at Service NSW since February 2021 and established the foundational elements of Service NSW’s standalone internal privacy capability.

Over the past four years Ed has led a team of six privacy specialists, building their capabilities and expertise to deliver a range of privacy assurance and management activities that have supported NSW government agencies through the digitisation of services, the COVID-19 pandemic and natural disaster responses.

Password: YAkA^#3*

Watch the webinar now

 

Transcript:

So welcome everyone to the Privacy 1 0 8 webinar, uh, that we are producing as part of Privacy Awareness 2025. For those who don’t know me, my name is Jodie Siganto. I’m the founder of Privacy 1 0 8, uh, privacy and Data Security Law Firm and Consultancy. My background is a lawyer. I worked for IT companies, um, as an in-house legal counsel before.

Somewhat bizarrely setting up an IT security business in, uh, the year 2000, which is a million years ago now. Um, the various twists and turns. I’ve somehow ended up very happily as a privacy consultant and lawyer, uh, working in the, um, ever, ever interesting and changeable privacy space in Australia. I am really so grateful to have two, uh, of my favorite people with me.

Two very experienced privacy professionals. Very kindly agreed to be part of today’s webinar webinar, and of course, both of them are participating only their personal capacity and neither of them are representing their employer in any way. First of all, I’d like to introduce Alison Cook. Alison says, as the Assistant General Counsel, APAC privacy for the Allegis Allegis Group, she leads the APAC legal operational strategy for data protection and privacy compliance.

Based in North Sydney. She does lots of amazing things from a global point of view, managing privacy. She’s got a legal background over a decade of hands-on, um, privacy experience. Um, she’s worked in lots of really different or, um, different organizations and I think that she’s gonna be kind of such a fabulous contributor today with her perspective as the kind of part of a a, a global privacy team before.

APAC focus as well. So thank you so much for joining us today, uh, Allison. And then also we have Ed, ed Ryan, who’s a privacy manager for Service New South Wales. He’s been managing the privacy function at Service New South Wales since February, 2021, and helped establish the foundational element of what I think is really an outstanding privacy capability in a government agency at Service New South Wales.

Over his past four years, ed has led a team of six privacy specialists building their capabilities and expertise to deliver a range of privacy assurance and management activities that have supported New South Wales government government agencies through a really significant digitization of services, as well as some challenging, um, things you like.

How can we forget COVID Ovid 19 and Natural Disaster Responses? So always on your toes. And, and I guess that’s one of the things I really like about privacy is that, um, you know, it’s, I feel like every day you get something a little bit different. You know, no day is ever the same and there’s always something new kind of coming.

Coming across the horizon. So, uh, a little differently to, um, to Allison and may correct me if I’m wrong, but I don’t think Ed has a legal background. Um, and that might be something that we talk about. And I think that’s just a really interesting topic as part of, um, our conversation today, which is really gonna be about, um, privacy skills and, and whether there’s a skill shortage, issues with recruiting for privacy teams, et cetera.

Um, so again, I’m really grateful to Ed and Allison for agreeing to be part of today, and I would think that, um, that they’ve kind of both are gonna bring really different and interesting perspectives. So, just as a little bit of a segue into our topic, which is about privacy skills, I just wanted to kind of.

Um, go back about 10 years when I was kind of back in my old guys as a cybersecurity professional and I was really working closely with the Australian Information Security Association that’s known as aa. And they were looking at this kind of rising problem of the cybersecurity skills shortage. And it was really interesting for me that everybody was looking at ways to kind of solve this shortage.

Without actually really pulling it apart and understanding what that shortage looked like. And that led me to, you know, with other people in ASA to do kind of surveys around skill shortages and to really have a look at it from a more nuanced level. And I guess as a result of that, I’ve kind of long been interested in, um, you know, in cybersecurity skills and went since I’ve moved into privacy, into privacy skills and privacy skills development.

Um, so it’s one of the things that, um, privacy 1 0 8 has done over the last few years is to track privacy jobs, just to sort of give as an indication, um, just to have a look at that as an indication of what the market might be. And there’s some kind of interesting things that we can find from that, which, you know, one of the things that she’s really interesting to me is that the number of job ads dropped.

In 2024 as opposed to kind of the previous years when they were kind of climbing. Which is kind of interesting because I think most of us would think that there is an increasing demand for privacy people. Um, I know that my own experience as somebody who employs privacy consultants is it’s really hard to kind of get the, you know, the kind of skills that you need.

And I know that speaking anecdotally to, um, to lots of the people that we deal with, that there are some real pain in. In certain parts of the, of the, um, sector in terms of being able to kind of recruit and, and, and keep, um, kind of the privacy kind of skills that people need. So I guess that’s my segue, uh, into, um, kind of Alison and, and Ed is, is really what’s been your experience so far in terms of resourcing your privacy teams.

And again, interestingly, you know, Alison. You’ve kind of probably got a different experience to end working in the APAC versus edge’s, kind of much more local. But if we can start with you, Alison. Yes. I’ve worked, my last two jobs have been global regional roles, um, running the APAC operations. Currently in my role I manage, really manage people on a project basis.

So I manage, um, one of our Indian lawyers in India, um, one fifth of the time, and she’s got KPIs, which I work. With her on one fifth at the time and previously, um, when the new Chinese laws were, were, were, were front of mind, I worked much full time with our very, very capable, um, local. Lawyer in, in, in China.

I also have dotted lines and relationships with o our operations, privacy operations people who are based in the us. Um, my day-to-day involved a 7:00 AM call to about some Macau privacy notices and how we load them into our, to our OneTrust tool to to, to go globally. And then I’ve just come off a call with my, um, with my lawyer in India.

In that role is the privacy operations is easier to find, um, people within the US because there’s a lot of people who have been trained up through the US tech companies. Um, I find that we are, uh, I find that my colleagues in privacy are much more able to negotiate a work from anywhere. So they’ll be recruited not, not from where the head office is.

They’ll be recruited elsewhere. Quite like just to work closely with them rather than to try and fill that role locally, which I said think says something about our, our, our, our local skillset. But it’s an unusual, um, Cobb it together approach. Probably not uncommon and a real willingness to. Teach the right people, um, the skills so that they can integrate it with their, with their roles going forward.

Does that answer the question there? Yeah. Yeah. That’s fantastic. So your team is, is, so you’ve got kind of part of legal, but also working closely with operational, with operational teams. So I. I report directly into the APAC general Council located in Hong Kong. Mm. And I also report into the global head of privacy located in, in, in the us.

Um, you know, technically I’m paid through the APAC legal operations with, it’s the, yeah, yeah. So the, the, I guess the direction and operationalization of privacy is really kind of coming from the, um. And the, the even comes bottom up from myself and my colleague in, in, in Europe. Yeah. In my previous role, I always had a colleague, um, located with me in Australia.

Yeah. Um, but, but currently we don’t, we don’t have that in my current role. Yeah. Yeah. Excellent. Yeah. Excellent. Thank you. Yeah. How about you Anne? Ed? Very different. New South Wales. New South Wales government. Yeah. Yeah. I mean, um. Not as, not as wide ranging as Allison obviously, but um, yeah, we, we’ve obviously got quite a, we have in the past, um, a few years had quite an aggressive agenda within service in South Wales to, to support, um, other agencies to, to digitize services and deliver services to the people of South Wales.

So we’re like the front door, I suppose, of a lot of agencies in.

And, you know, I suppose if the question, you know, is, is how we kind of resourced our team, um, we, we’ve kind of, um, got, uh, a mixture of, um, privacy advisors, um, and senior privacy advisors that, that, that purport myself. So there’s, there’s kind of three of each. Um, and we, um, just to the nature of how we deliver, um, approach.

Um, with our, um, our teams that are delivering with through, through the discovery piece, right, through the delivery. And so, um, it’s quite an iterative approach, um, that we take to providing privacy advice, assurance. Um, you know what, they’ll end up with the privacy impact assessment at the end of it. Um, but it’s, um, it’s a very kind of, um, yeah, embedded approach that we’ve taken.

Um, just to make sure through the process of designing, you know, products and services that. Throughout all those, you know, variations and, and, and ideas that are, that are discussed, um, we’re a relatively new team. Um, we established kind of you as, as you said, um, Jody, beginning of 2021, just in recognition, I suppose, of the, the increased, um, focus that New South Wales government had on digitizing, uh, products and services and, you know, having more of a focus on one stop.

It’s with the New South Wales government. So, um, the good thing for our team, you know, there was, there was a need and a, a recognition I suppose, that we needed to provide more, um, more, um, dedicated privacy support to, to service New South Wales. And we’ve really kind of spent the last four years really, um, embedding ourselves and, and making sure that, you know, the whole organization understands their obligations and requirements when it comes to.

I think there’d be a lot of privacy people who listen to this who’d be very jealous of your team and the ability to, that you’ve, you know, had to kind of embed yourself the way that, you know, the way that you’re talking about. ’cause I think that’s a little bit of kind of the, you know, the, the goal of a lot of, of, of privacy programs at the moment is to kind of reach that.

So it’s kind of encouraging to hear that it can be done. Yeah. Where do you find people for your team, you know, with that kind of, they probably. Not necessarily the legal skills, but maybe potentially is it more kind of technical people or people who at least are kind of okay. Okay. With with technology?

Yeah. Um, actually that, that’s for me personally. I’m assuming that, um, yeah. Um, as you mentioned this though, I, I don’t have the legal background myself. I’ve, um, my, my background through government is, is like a policy focus and a regulatory focus. Um, but we have a mixture and that have in the past had a mixture of a variety of skill sets and we have had, um, and do have people with a legal background on the team.

Um, but you know, I’ve always kind of maintained that a complimentary, um, skillset is important in, in privacy, particularly in the kind of privacy that our, um, our team does and, and, and service kind of focus on, which is very much about, um, making sure that you there through under.

The requirements under privacy law here. Um, but yeah, in some sort of agree them, um, recruiting people for, for jobs. Um, what we look for really is, uh, first and foremost, you know, that analytical kind of side of your brain go, you know, um, are you somebody that can ask questions and get to the number issue, you know?

Because a lot of the time, um, where what we’re looking for is, is, um. Information outta that team to make sure that we’re getting the full picture and that the advice that we’re providing back to them, you know, is complete. Um, there’s obviously times where, where there’s, um, complex questions as it relates to, to New South Wales privacy law that we’ll engage, um, you know, our legal team to, to confirm, you know, whether there’s anything that we need, um, to cross off in terms of our, um, IPPs.

Um, but, but by and large that’s what we’re looking for is, is, is asking questions. The, the technical side of it, you know, is it’s, it’s important to, to understand how kind of information throws flow through different systems and, um, Aetna and programs. But, um, we also have, we’re very fortunate to have, you know, dedicated cybersecurity team that can support us through some of those, uh, issues as well.

So we’ve been very well set up to for success. Um, but yeah, I think the one thing I would probably is, is what’s worked for us is, is are those complimentary skills, um, that we’ve got across the. Yeah, this is interesting, isn’t it? It is that the, the kind of intersection of kind of, of legal and, and technical and analytical and, and cyber and, and it, and the way that they all kind of come together.

Yeah. And, and that ability I guess to kind of, to work. Yeah. Is that what you see as well, Alison? That sort of, even though you’re probably a little bit more in the kind of positioned a little bit differently, is that, um. Even if it’s not sort of having, you know, privacy engineers with being able to kind of leverage off, you know, oh.

Couple of quite different places. Yeah. And, and, um, and there’s more similarities and differences, right? And we, we, we work closely. We, you know, from time to time we have a lot of privacy engineers and then they suddenly AI engineers, um, and, you know, it’s that those relationships and sometimes, um, they’re in the privacy team and other times they’re, they’re, they’re very close friends of the privacy team and.

Work together, work to get it done. Um, what the priority is really similar to what it’s describing. Saying. Yeah, yeah, yeah, yeah, yeah. Which I guess is my next question is really is that the kind of the, the skills for a privacy professional, because I know that we, you know, when we look at job ads and we look at the kinds of skills that they talk about, and often they.

You know, and, and, and I know everyone talks about it, but this idea of the unicorn, you know, we want somebody who’s worked in the financial services industry and who knows, you know, all about a requirements and who’s feel familiar with the GDPR and with the Australian Privacy Act, and you have to have a law degree and ideally a commerce degree and A-C-I-P-M and A-C-I-P-T and A-C-I-S-S-P and we’re gonna pay you $120,000.

Um, which is, you know, that kind of the crazy. You know, the crazy, the, the, the kind of the crazy thing. But do you think that, you know, and I know we were talking about this before and it’s interesting what you said, ed, about the analytical, kind of the analytical thinking, which I kind of think is a really core skill.

But yeah, in terms of sort of the skill sets, anything else that, that kind of strikes you that’s kind of important for privacy? If we’ve been realistic about what we wanted from a good privacy, kind of privacy professional, yeah. I mean, look, I mean, you, I I, I do think it is one of the most important things that, you know, we still fundamentally need to understand and interpret, um, the privacy principles wherever you may be in and in New South Wales, that’s the IPPs, um, which is the protection principles.

But, so you still need to have a grasp in my view of, um, the importance of principle based law and how that works within a, an environment you.

There are those principles then and how they work in tandem with what you do. So, yeah, like that’s why I kind of mentioned that, you know, those policy, those people with a policy background in particular, regulatory background or, and that have worked in the legislative field before, whatever that may be, um, are really good skillset because they, they may have only worked with, you know, one piece of legislation on, you know, whatever they might be doing.

Um, in government, there’s a lot of legislation that guide. How organizations operate or run. And if they know the fundamentals about, you know, um, how legislation works, regulations, and how that kind of, you know, interacts with how you should deliver, you know, uh, services or, or products, then you know, that’s a good skill set that you can easily adapt to privacy if, if you’re subject, so you still.

Um, why it matters, you know, why privacy is important to people, um, have a, have a passion for, for making a change in that aspect. But, um, what I’ve experienced is, is yeah, a combination of those things, of having a, having that brain that, that asks questions and wants to get to the number of issue, but that can also appreciate that you need to then combine that with the guidelines.

Um, and then as I said, you know, there’s complex matters. All those, those ones where, you know, they’re right on the edge of, of, of what you might consider or, or you’re just on the fence about whether it’s right or wrong, or the black and the white. You know, there is your, there is your legal team obviously there to support you.

Um, and that’s how we’ve operated. So, yeah. Um, particularly, particularly those skills I mentioned that I think are invaluable. Hmm. I, I agree with that and I also think that there are often people in the organization who have got organizational history, who have those qualities and are interested in, in learning about privacy.

And they’re really good additions to the privacy team. They learning curve tends to be fairly sure they’re willing to certification or just do their own on the job training and then if they’ve got that curiosity. And it’s certainly not about the law degree. And I and, and just on that, I, I would, I would agree.

And, you know, within, within our organization, um, we have had in the past a couple of people that have come up from, you know, the more service delivery side, um, of, of business. And they, they are exceed invaluable because they know how the business operates. And a lot of the battle I find with privacy is getting the information flows.

The various teams you might be working with, understanding how a product works on the ground. You know, because what they, what they tell you, um, in meetings, you know, there’s, there’s always a little bit here and there that may be missed when you’re actually in the field seeing how things are done. So I completely agree with Alison there, you know, that sometimes those people that have a passion for privacy have that, you know, have a baseline, um, you know, wants and, and an understanding of how it all works.

But they’re not quite, you know, experience, you know, in the field, whatever it is. Uh, it’s also a skill we’ve seen and flourish. The people that have come through customer service, they know who your data subjects are in a way that as a lawyer, you’re quite removed. Yeah, absolutely. Yeah. Yeah. Which makes it kind of easier with this sort of, you know, I mean, I think one of the things that we probably all really like about privacy is the idea that you’re putting kind of real people at the center of what you’re kind of thinking about and what the impact is.

And so if you kind of come from pa the part of the business where you’ve had that, you know, that interaction and it, it just, it, it makes that, it makes it kind of clearer and more kind of direct. Yeah. I wonder, uh, just going back to you talking about principle based regulation, sometimes I feel that, um, privacy is not a, uh, not a space for people who like black and white things.

I feel that, you know, our principle, our principle based place can be a little bit gray and we’re often dealing with kind of uncertainty. Mm-hmm. Yeah, definitely. You know, I think, um, I, I think, I mean, again, my personal opinion, I think that’s why it, a legal professionals. Because, um, sometimes there is more than one answer.

Mm-hmm. You know, sometimes there isn’t a, a real clear answer, yes or no. And you need, you need to use your judgment. You need to use, um, you know, your analysis over the, um, the situation and the competing interests in that and, and form of view. And I, I think me personally, that’s why it’s, is.

That could, could be challenged either way, but if you have the baseless to back up what you are proposing Mm, um, it becomes like a little bit of a, you know, um, an experience that it’s enjoyable rather than saying, well, you know, it’s regulations based. Well, the answer is yes or no. And that’s how, is that for me personally, it doesn’t, um, interest me as much as something, well, well, let’s work through the problem.

How do we apply, you know, a principle space law to that. Obviously with the number one, you know, consideration, which is that people at the forefront of privacy and you know, that that’s how it all came about through, through human rights and, and, and those kinds of things. So I think that’s why it’s an interesting area working in is because you, you can kind of meld it to, um, what you wanna be, um, and form a view about how a product should be designed with people at the center of that.

Uh, yeah. Allison, do you think. What do you think about that? So and so, and it might be kind of maybe, I know that you probably deal more with Americans, but my experience sometimes dealing with American privacy people is that they’re much more comfortable with, you know, if we don’t have these 13 identifiers and it’s not gonna be personal health information, so then we can, you know, like it much more comfortable in a much, in a much more defined sort of space.

Whereas, you know, we’re always going like, oh, well it just did depends. Well, it’s very interesting working with, um, an American team and. Quite a while, and they are getting state-based laws right. It’s, it’s a crazy place. So I think their landscape, um, is actually more complicated. You’re right. Than ours.

And then some of them are very high standards. Indeed. Um, um, but, um, yeah. Yes. So, so, um. Less of a persuasion task of saying, oh no, we’ve got lots of force here. You know, it’s very serious. Um, and, and citing Australian potential fines. It’s like, it’s greater understanding. Um, yeah, globally. I, I think yeah, through, through that.

And I think that’s probably given that so many products and so many decisions are made coming out of, of that economy, um, probably a good thing for data subjects. Everywhere that there’s, uh, you know, a, a much greater, um, they’re being held to account, um, a lot more in the states now, as, as more comes on board every day.

Um, right. And they’re all different, aren’t they? I complain about Australia having different laws, but they’re all diff Yeah. That’s crazy. Yes. Thought for your American privacy colleagues. It’s.

Um, in some of the states where, you know, I, I previously worked in, in Commonwealth regime and transition across to New South Wales was relatively smooth, extremely similar, whereas yeah, you’re right. I agree, Alison, right. You know, those, those people trying to, to digest the complexities of, of, of, um, American state based law together with GDPR and global organization, that’s, it’s quite a.

Um, you know, it’s, um, it really depends on, you know, where you’re sitting in, in that, that global sphere of privacy law and how complex it could be. Um, fortunately in New South Wales and, and in Australia, we’ve got the principles based law, which in some aspects, um, is, is a little bit gray, as you said, Jody, but in other aspects that I think allows an interpretation that you can put forward, um, with the Aboriginal intent, the law, which.

Yeah, that’s right. There always seem to be a few levers that you can pull when they’re like, increasing transparency or, you know. Yeah. Um, yes, exactly. Which makes it, which I, and I agree with you. That’s why I find it interesting. It’s like you say, it’s kind of, it’s the, it’s not just annual, um, analysis.

It’s the problem solving part of it as well. How we going to do something that’s going to get, you know, the business, what it wants, but also it’s the right balance of protect people. It’s like that, you know, it’s the privacy of design principle. Like it’s the win, you know. Can you give? Can you deliver the product that the organization wants to do?

And can you do it in a way which is privacy preserving, but you’re not going right into the end saying, well, no, no, no, no, no. You’re kind of saying, okay, let’s see how we can do this. But do it in a way that, you know, make sure that we’re aligned with community expectations and privacy, but also that you’re delivering something which is meaningful and will work.

So. And, and I think that’s law neutral. Mm-hmm. And, um, you know, is, is a way you can change as technology changes. Um, and, and, you know, goes to the point that, you know, you’re not looking to the legal rules to tell you how to do it. You are, you are, you’re looking to the approach that Ed’s describing, his team’s doing the vibe.

About some, sorry. Yeah, defensible.

So we talked about some of the skill, we talked about some ways of addressing the skill shortage of things like, you know, looking at people. Internally that you can bring over who are in other parts of the organization looking for skills like problem solving, um, any other ways. I know that in the cybersecurity space, what happened over the 10 years, sort of since I started looking at it in about 2015 to now, is that there’s been a huge growth in, um, undergrad degrees, in TAFE courses, in an apprenticeship program.

Lots of ways to make it easier to kind of get a pathway into cyber, and I feel that that’s something that we probably will need. In the privacy space, I feel that there are a lot of organizations that are still underserved in terms of their privacy team and their privacy capability that, you know, when they start getting serious about it, are going to kind of have to, you know, upskill, which will put a real drain on what I think is sort of already kind of somewhat, you know, uh, limited resources.

So any thoughts that, uh, that, that you might have Allison said first and other things we might do just in terms of making, I guess. Yeah, developing people, getting them do pricing. I, I think to make the most of things, we are, um, very, um, willing to fund people to do the IAPP certifications. I’ve done a lot of them.

Um, I’ve got mixed feelings about them. Um, but I do think that if you sit down and you pay attention and you know that that exam at the end can be. You know, a waste of money if you fail it, um, then you really do focus on, on that topic. So we are, um, we, we, we, we have invest a lot in that. Mm. Um, yeah, in, in terms of training, I do hear about, um, you know, more and more courses having privacy components to them and, and I think if I was.

Interviewing somebody. I, I would probably look favorably on that just to avoid having to teach the basics. Um, and, and in cyber, cyber courses as well. Mm-hmm. Um, and, and I’m sure that’s fairly new in a way. It wasn’t six years ago. Yeah. Yeah. It gives people, I know that, you know, occasionally you probably do the same you guys as well.

Is it, do you know, different, um, law schools usually, or, or sometimes cyber will ask you to come and kind of speak to their students and so I do, you know, I know that privacy is now, you know, I. If not a core component, at least a module in most kind of undergrad law degrees. Whereas it was, wasn’t even kind of, uh, wasn’t even a a, you know, a, a mini micro thought back when I did my law degree.

So that’s at least, least gives kind of people a little bit of a taste of the area and, and enough to indicate whether or not there’re, um, you know, it might be in the direction they wanna go. So, Hmm. Yeah. Anything else, ed? I just, I guess one of the things that we see in the, in the ads is that, and again, this might have been addressed by what we’ve talked about already, is, you know, experience is still seen as the number one kind of requirement that people look for when they are advertising for people.

It’ll be some prior experience in privacy, which, um, you know, I think makes it difficult for new entries or to, you know, for people to find their way in. Um, yeah. Yeah. Right. I mean, I think, I think it’s important to have, um, yeah, a mixture of both. I think you can’t have a, a full team of, of mixed experienced people because, you know, if you’re the sme, um, you have a lot of time running around trying to ask school people.

But if you’re talk, if you’re talking about getting new people into an established team and sealed.

The entry kind of part of our team. You know, it’s still quite a decent role, but we don’t necessarily need to have privacy experience to, um, for that role. Mm. Um, what we’re looking for is, you know, it would be great if you do, but what we’re looking for are those complementary skills, um, and, and the interests of, in the subject matter, and the ability to apply those skills you might had in.

Uh, it is, you know, to to, to be honest though, you know, it is, it is, um, from how we upskill our people that haven’t had experience privacy before. It is, it, it is labor intensive. You know, it’s, it’s, um, I think the reason there isn’t a cause, you know, or at a simple, like, here you go, it is privacy and, and off you go is because contextual.

It. It is principles based and so, which is interesting, but because there’s no often no completely right or wrong answer to a problem ’cause it’s contextual and you have to apply to principles based law, often it is about what organization you’re working for, how you pricing program out organization, and how you apply that to upskilling a staff member.

And so.

Or work with one or more senior people in the team, um, through projects and kind of gradually, um, expose them to new things as they go along to eventually their, you know, independent, um, you know, providing advice assurance or being part of those, um, those agile working groups to, to build product. So that’s how we’ve done it.

Um, it. More labor intensive than maybe some other sectors where you might have, you know, degree and come out of it and, you know, happy days. Um, I think that’s just part of power pricing at the moment. We’re, we’re also, um, we’re also separate from our legal functions, so we’re not part of the legal division, uh, which, which means that, you know, we do, we don’t have that obligation, I suppose if you’re part of legal division.

Recruit people from a variety of different, yeah. Fantastic. Anything else that you can, yeah, I. Say agree, agree with Ed about that, and just exposing people and giving tasks. But where that is difficult is when you are, um, just a very small team and, and you’ve actually got, um, a really big problem that you have to solve.

Like, you know, whether it be to wrangle the data in line or, you know, to, to, to deal with it. And then it can really feel extremely difficult to be both. Um. Calmly coaching somebody up to speed whilst also dealing with something that’s uncomfortably challenging. Um, so I guess that’s why people, um. Want to watch your webinar on staffing shortage.

Um, so, and, and you know, then it’s, then it’s the other levers that you might have to pull the idea you need somebody experienced, in which case maybe you need someone part-time so that you can, your, so that your salary that you have been allotted can go further on the skills level and, and not on the time do, are you.

Extreme or cast your net very wide and say, I don’t really care where you’re located because I just want the skills. Um, and uh, and I think probably my observation is privacy teams do that very well. We’re probably quite nice people who, you know, happy to be principal based. So we, we, we wanna allow for that.

But we’ve also probably had a really big need just to, to, to. Make what, what we need work for the right people, um, and what they need. Yeah. I think the other thing she was just thinking about was, you know, getting, getting your resources and your templates and your plans kind of, you know, in place and, and you know, consistently updated to make sure that they’re still in line with how you deliver privacy in your organization is important.

They’re the kind of things that the new people will first go to. Okay, well how do you do, how do we do PIs here? Or, um, what’s our privacy management framework look like? Or, you know, what’s our complaint management process look like? And so if you’ve got those documents, you know, that are clear and um, someone new that comes in and understands, you know, at a basic level, listens to what we do in these circumstances, that often helps as.

It’s in the sm e’s mind, and they, it’s all the knowledge is within them and, and, and it’s not kind of documented anywhere. So documenting those things about how your program works in your organization’s important. And then looking out for any, um, any external, you know, um, courses or help obviously IPPs out there for once You, once you, I think you get.

To a certain level that you’re comfortable with. But in New South Wales, you know, you’ve got the inside office offers, you know, great, um, fund, you know, foundational training and, and you know, um, the same happens in Commonwealth with some other, um, organizations that, that deliver training as well. So, you know, um, there are, there is support out there.

I suppose. It’s about finding the right person to then slot into your team to upskill those mechanisms. I think a lot of jobs sort of depend on network people kind of leveraging the kind of the, the, the privacy network of who, you know. Yeah. Alison. Yeah, yeah, yeah, yeah. I’ll Alison. Alison, well. I think yes, but only because people are quite hungry for the right talent.

Um, and so people are quite savvy about how they’ll go. For that. Um, I think when, um, recruiters look, they’re, look, they, you, you just have to think, well, how are people gonna look? You know, they do their searches based on, they do use those IAPP, um, certifications and keyword searches and, and things like that that you, you wanna turn up in a keyword search.

Um, I, I.

In, in most organizations, there’ll be a genuine external hunt for, for, for the right talent. Um, and, and people will be genuinely looking for that talent. I, so, so I think networks count, but in my experience, it hasn’t been. Jobs for mates. Um, um, so yeah, it’s more been, uh, you know, better the devil, you know?

Um, mm. Yeah. Look, I, I’d agree. I mean, um, obviously working for a government organization and it’s, there’s a lot of probing recruitment, um, can get a bit hunger games sometimes when you, when you, when you train somebody up and, you know, we talked about that and, and you know, they’re great. Senior or privacy advisor and, you know, fantastic.

And then sometimes you don’t have the opportunity to the next level to give them. And so they’ll, they’ll go and find that elsewhere. And that’s bittersweet because we’ve all been there. Um, and so that is hard to see somebody that you’ve, um, built their capability and privacy and they move on.

Unfortunately, that’s, that’s a way of life. And um, you know, I’m always positive about that.

Networks are really important, um, particularly for when you are trying to find, you know, that diamond in the rough that may not have the privacy SME experience and everyone doesn’t know who they’re, because they’re the kind of people that you, you know, you put your feelers out and say, look, I’ve got this great person that works in policy and they’re, they’re fantastic at dealing with you.

Um, you know, new policy proposals and understanding how legislation.

And that they’re the kind of, I find that they’re the kind of feelers you put out in, in my area anyway. They’re the most valuable. Obviously knowing people that are at the top of their game or that have been in privacy for a long time is important. ’cause those jobs also open up and letting them know about them if they’re the right fit for the role is, is great.

But, um, I find if you can find those diamonds in the rough, um, through network, through people, people, and. That’s, it takes a load off my mind. Mm. And if you’ve got faith in your own ability to train people and work with people, and you know, if you are, you are good friends with people that you trained up 5, 6, 10 years ago, chances are you’ve got the skillset to be able to, to train people up, um, and wished them well.

And then you, well, that’s. I don’t know anyone that really started in privacy, but you know, we all transitioned across eventually to become a, a real privacy kind of expert And that was my experience as somebody that worked in the field, in organization say, look, there’s this privacy role coming up. Um, you know, we know that you’ve been doing a lot of work with, um, with policy regulation.

Like, is that something interested? Initially I was like, I.

Um, isn’t that the one where you get a lot of complaints, but, you know, having then thought about it more about, you know, the challenges of it, you know, um, how you can really use your analytical side of the brain to, to work through problems. You know, it, it obviously interests me. I applied that and then who Im, so, um, yeah, I think from my own experience, it’s definitely something where tapping someone on the shoulder might have, um, some of the skillset need is.

I completely agree with all of that, and I think, um, I guess having been around for a long time, I think it, it’s, if we can train up. Great people who go into the profession. It’s kind of good for all of us. I know that that sounds kind of crazily altruistic and you know, sometimes you hate it when people leave, but it does kind of, you know, the, I do feel there’s a pay forward or some kind of karma or something about this.

Well, I think we all probably wanna do, you know, a, a well-qualified good, you know, really high quality kind of profession if we, if we can. ’cause it’s kind of good for all of us to have privacy being a kind of valuable kind of part of most organizations. Yeah. So the other thing that I noticed in, um, the cyberspace over the last 10 years is that there was just a huge explosion of kind of technical solutions with kind of managed service and all sorts of managed service centers and operational centers and all sorts of kind of tech that, that that kind of took over a lot of kind of highly manual or very kind of repetitive tasks that were part of the.

Cybersecurity, um, kind of day to day, are we seeing the same thing or do we sort of, uh, we are gonna expect to see the same thing in privacy. I know that we’ve probably, I don’t know, Alison had a bit of experience with some tech, but like OneTrust, but other, what are, what are your thoughts on whether, whether tech’s gonna save us?

Yeah. Well, it’s, it’s, it’s, it’s very difficult to, to, to answer, but I can give you observations firstly on the skills recruitment. If you have somebody in your team who knows how to configure, um, privacy technology, they’re like, hence teeth that really, really nurture them. Um, because it’s an, it’s seen as a bit of an admin skill, but I, it’s just a, it’s quite a knack.

So in my experience, we’re fused. Um, lots of different one, trust. Um, and I have worked with, with an analyst who was very good at configuring OneTrust. Um, but I will confess to reverse it, reverting to, um, uh, uh. Very old fashioned tools for things like privacy impact assessments, um, and they, their tools can be quite good as repositories.

I find, uh, a, a tool is good for data subject rights because you can really have, have it nag you to not, not miss your deadline and to remember it. And if you have to farm things out to different people to do different tasks, those tools, that technology can be invaluable. Maybe not if. In, you know, in a pod next to each other, maybe you could just talk to each other.

Um, but the tool’s very useful if you are in different teams or in different offices. Um, to do it, we use a quite a, we, we use a couple of, um, data mapping tools, which, which can see where the data. Is, and if you’ve got a lot of legacy and historical data, it’s, it’s a, it’s a lot of fiddly work, but at a point in time there’s a tipping point where there’s a real value in, in knowing, you know, where data flows to, to third parties and, and understanding ending that, um.

I’m not sure if that’s better than a couple of people in your IT team who really know where everything is. Um, you know, I can find little repositories of data you didn’t know about, so the tools could be useful for that. Um, we’ve got incident management tools. Um. Use, I’ve worked in a couple of places that use ServiceNow for their cyber incident, and it’s, we’ve not found it easy to, to, to integrate the privacy requirements, especially the urgency of it into it.

So now we’re looking at one of the. Tools, can I say tools? We’re looking at Radar first, for instance, management And Reliance is the data mapping tool that, that, that we, we work on. Um, and we haven’t, we haven’t implemented Radar first yet, but it, what I think it will give is, is, is the leader of the team a really good oversight of what’s going on across the whole organization?

But for, um. You, you know, you know, it just, it sort of purports to tell you when you’ve got a, when you’ve got a notification, if you’re looking at 48 US laws, seven Canadian laws, you know, one and variations of it, eight Asian laws, you know, it is handy to have that first draft in front of you before you look at it.

So that’s where the technology is. Where, where it’s, where it’s useful. Is that a good answer? Yeah, it’s say good answer. Yeah. Thank you. Yeah. How about you Ann? Um, yeah, we haven’t, people can investigate zooming tools, like things like OneTrust or anything. I, I, I find, yeah, I mean, I, I find the old-fashioned PIA process, um, works.

Mm-hmm. Particularly well when you’re, when you’ve got so many different teams involved, um, and yeah. Sometimes it doesn’t lend itself to automation varying. We’ve also got some quite good technical folk that do provide a lot of the, um, the diagrams, particularly around data flow through systems and how, you know, the complexities through different buckets here and there may operate.

Um, but we haven’t, yeah, we haven’t kind of tested out it, um, have a solution that would, I guess. All that to, to make for example, a PIA quicker, um, I, I, I’d agree with Alison. I think where lends itself is to things like of information and, you know, understanding where your homes might be. But the things that, that take the most, most of our time is in privacy by design work within teams, and doing a PA end.

I think one thing we are looking at at the moment is, is insert management. And I’m doing that a little bit better, you know, in terms of using systems, a system based process more than we’re at the moment. Um, I’d also agree that, you know, a simple ticketing system doesn’t necessarily meet the needs of, of privacy insert management system, where you are looking at, um, what you’d want is like an end to end kind of process, assessing it under whichever scheme you’re under.

And you know, we, we’ve got our own mandatory scheme here in New South Wales. Um, and so that can do certain things like help fuel along that process and, and possibly send out notifications to, to customers that might be impacted. But again, I think it’s hard in privacy, right? Like, um, there’s so many subjective kind of considerations that MN DV schemes, you know, serious risk go on.

You know, it’s, you can write a textbook on, you know, how that’s applied through different, um, examples of data breaches and so it.

I think, um, that will they ever replace the ability for you to have to go in there and, um, still do kind of like a bit of a narrative, uh, work on, on a PIA or a narrative work on, um, a data breach assessment? Um, would be difficult, but that can definitely automate some things for sure. Interesting. I feel like there’s gonna be a lot of amazing new innovation coming our way, which will be, which you know, you know, like you say, I think that all those words of caution, but, you know, perhaps there’s some stuff that, that can help us with.

I guess my, obviously I can’t finish this webinar without talking about ai. Um, one of the things that was in the IAPP governance report was that. Sort of consistent with the ads, the job ads in Australia, is that there has been kind of like a, either a plateauing or a decrease in, in the, um, growing of privacy teams, but they did note that there’s an expanding of, um, the role to include things like ai, ethical, make, you know, the ethical use of technology and, and including ai.

Is that something that, that, that you are seeing as well? Is that sort of coming into the just, you know. Into the expectation of that, some of the sorts of stuff that, that the privacy team is going to have to kind of include in its remit. Um, yeah. Alison, did you, is that Definitely, definitely, definitely.

Um, we’ve expanded our third party due diligence to, to include ai. I’ve done the, uh, IAPP AI governance, um, certification. Um, and you know, I guess that that being involved in the due diligence process really makes you test your understanding of. Know, kind of it, it, it’s actually, you know, it is quite a new, new skillset to, to, to think, think that through and it’s privacy adjacent.

I was at the Singapore Privacy Conference last year and they, um, there was a panel as to which, you know, where the laws would, um, start to. You know, across the region and ally around ai, there seem to be a general view that the way that AI would be regulated would be through the privacy laws. Mm-hmm. And I see a lot of guidelines coming through in Australia that I’m sure, uh, everybody on this is watching this webinar has, has had a look at.

It’s really consistent with, um, the high, you know, high risk. But, um, looking, looking at, you know, maybe a, a European structure, but, but, but nuanced. It’s, um, definitely something which, um, takes a lot of time to, to get your head around and to apply, um, and hard ’cause everything’s in a black box. Um mm-hmm.

But I just think that that’s just learning new technology and getting on with it where it lands. Mm-hmm. We, we, we wait it out and find out. Yeah. How about you, Wade? That’s something that’s kind of coming within the remit of the privacy team. Yeah. Yeah. I mean, same as Allison. Yeah. It’s definitely coming, coming across our desk more and more often.

Um, in New South Wales, we’ve got an AI assurance framework, which is a monetary framework across agencies of which, you know, it’s, it’s quite a, a detailed framework that, that privacy is a component of that. Um, if you, if you’re required to go through that assessment process. But regardless of the framework Yeah.

Within ISL teams, you know, obviously, um, there are risks associated with any type of ai. Um, and if you’re looking at personal information, um, dataset, so it, it is, um, it is becoming more prevalent. It’s, it’s becoming more of an add on the, the, so third party suppliers you try and push as well. So agree with, you know, your due diligence.

Defaults, is it gonna be already there? Do you, you know, are you aware of this? If it’s on or not? Um, is it just a marketing puff and they don’t really have any ai, you know, specific Yeah, yeah. It’s hard to understand. Yeah. And what can it actually do? And, and it’s, I, I, I’m increasingly finding, particularly with ai, it is if there’s definitely a privacy aspect, but there’s also, which I think relates to privacy, but not necessarily.

Does this thing actually do what it’s supposed to do? Um, you know, um, because there’s a lot of talk around AI solving a lot of problems, but, you know, we’re kind of at the early stages here. Who knows where we’ll go? Um, so typically what we see is a lot of like charity of ai, you know, questions around using products, uh, to speed up processes, um, that may or may not have PI in them.

Um, and you, our colleagues, Wales. It’s always, um, yeah, whenever there’s questions around, um, potentially using, you know, personal information holdings with ai, even if it’s de-identified, you know, EWC, to be careful about how that, um, works. What’s happening to the information. Do you have complete control over that information where it goes into the, um.

It’s training, its own, you know, um, bot or whatnot. Um, and then the next stage, which will come, I’m sure in the future, is things like predictive ai, which is, that’s probably where the rubber hits the road with the risks, particularly from a privacy perspective. Um, um, and, and making assumptions about individuals that may, may not be correct, you know, which is one of the key foundations or, you know, misuse of information.

You are seeing, you are beginning to see some of that with not within our own, um, government systems, but there is talk, you know, with particularly HR systems, you know? Mm-hmm. Yeah. But there’s a lot of discussion around how applicants may be, um, vetted or, um, decided by AI to be a possible applicant or a potential applicant.

When there’s not human involved. They might be just looking at keyword, a predictive score, which is based on.

Predictive ai. You know, I think that’s a lot harder to, to nut down and probably has a lot more risks. Not say that Jerry of AI doesn’t, but yeah, there’s, there’s, um, a lot of considerations I think we need to understand from the privacy sector around how it works, um, into the future. Because I don’t think really anyone knows where AI is gonna go.

Um, yeah. You, I guess that’s right. I guess, again, I suspect that we’re all the sorts of people, all people who like the, the challenge of the new and always been presented with a, you know, something that I, I think I’ve said to both of you at various times, I don’t think there’s ever a week and sometimes there’s not a day that goes past, but when.

Someone doesn’t ask me a question and I go like, oh my gosh, that’s interesting. I’m like, oh, is that what you’re doing? Oh, oh, okay. Right. Which is just, yeah. Which I think is, you know, again, I think if you’re, that, that kind of person who likes kind of always being sort of presented with a, a different challenge, expanding and expanding skillset, uh, uh, a changing regulatory environment, unclear, re unclear regulation in our principal based regulation, um, and privacy.

Privacy is a place for you, baby. So, yeah.

Thanks so much. Um, Alison and Ed, I just, you’ve been both incredibly generous with your time and with your insights. You’ve both been really honest I think, and provided hopefully some really, um, you know, useful guidance for people who are either looking to build their team or I thinking about getting into privacy and, um, I just really appreciate it so much.

So. Thank you both and um, hope people who are listening have found this useful in some ways. So thanks very much and um, thanks for having, thanks a lot. Thanks. Thank you both. Okay, bye.