What is a Privacy Consultant?

Interested in becoming a privacy consultant? Not sure what experience is required or what you might be asked to do? Read on to find out more about the role of a privacy consultant and the skills you need to get a privacy consultant gig.

Privacy is a complex and dynamic field. If you look to the news headlines, it might seem that privacy is characterised by ever-changing laws, heavy fines, challenges of rapidly changing technology, increasing expectations, and the ever-present risk of a privacy breach. But privacy is so much more than that.

Privacy programs offer companies an opportunity to rethink data handling practices, reimagine cybersecurity, and revise internal processes. But achieving strong privacy outcomes requires broad perspectives and deep experience which many privacy departments might not possess on their own.

Privacy consultants are professionals who fill gaps in knowledge or experience or provide different perspectives to companies looking to develop robust, future-focused privacy programs. How? Let’s find out!

We noted in our most recent privacy jobs reporting that the language used to describe privacy professionals is incredibly varied. However, we have been able to identify advertised positions for privacy consultants.

Of the approximately 300 privacy roles included in our job ad review since December 2019, around 29 of those are for consultants (which is around 10% of the total advertised privacy positions).

Perhaps not surprisingly, most consulting positions are with professional services providers – like KPMG, PwC and RSM. However, consultant positions have also been advertised with corporate employers (like Canva).

What is a privacy consultant?

The question – what is a privacy consultant – is becoming increasingly challenging to answer.

Broadly speaking, a privacy consultant is a privacy professional who makes their expertise available to businesses and other organisations on a consultancy basis. Generally, a privacy consultant would be hired to help an organisation achieve better privacy outcomes – whether that’s improving compliance, better meeting consumer demands, or advising on a particular project or new initiative.

How do you become a privacy consultant?

Since the privacy industry is so diverse and multidisciplinary, there is no ‘one’ education pathway to becoming a privacy consultant.

Most consulting roles require some sort of tertiary qualification.  The type of educational background depends on the role and employer. Some privacy consultants need a law degree, , while IT and business qualifications are also important.

There were no advertised consulting jobs that did not require some period of prior experience. One consulting role was looking for 12+ years of experience.  However 3 to 5 years of experience was the most common requirement. The actual experience required again depended on the type of role.  For example, a legal consulting role required 2 to 5 years experience and ‘an interest in, or experience (not essential) in cyber and privacy and experience in regulatory investigations, dispute resolution and/or insurance.’

Soft skills are also a key requirement for consultants, who are expected to interact with many different clients and provide a range of different solutions across different business sectors.  To be a consultant, written and oral communication skills are essential, as is the ability to take theoretical concepts, contextualize them and provide practical and relevant advice to the business.

Examples of some of the other soft skills listed in job ads include:

• Strong ability to influence and establish close relationships with key business stakeholders across the organisation
• Being able to deliver presentations;
• Project management skills.
• Excellent written skills
• An analytical style with the ability to provide pragmatic and practical solutions to clients;

Risk management experience was also a common requirement.

It is becoming more common to see privacy consultant roles requiring industry privacy certifications, like the CIPP/E or CIPM certifications. What does a privacy consultant do?

Privacy consultants are available for companies and organisations to lean on where additional expertise or perspectives are required to achieve strong privacy outcomes. In some cases, privacy consultants will be needed to answer specific questions, such as whether existing privacy protections suffice for a company entering a new market in a new jurisdiction, or to complete specific tasks, such as undertaking a significant privacy impact assessment or supporting a major new privacy initiative. In others, privacy consultants are tasked with overseeing the organisation’s privacy compliance or developing a more mature privacy program.

As the privacy industry becomes more specialised, privacy consultants have started to develop deeper expertise in specific areas.

A search on LinkedIn (at the time of writing) showed a company seeking a “Senior Consultant – Privacy and Data Protection” who would be tasked with the following key responsibilities:

• “Helping our clients to build trust within the community by protecting the privacy of individuals (such as customers, members of the public and employees)
• Working with clients to assess, advise, design, and implement capabilities relating to privacy and data protection
• Identifying and managing key risks and compliance issues relating to privacy and data protection
• Supervising and coaching junior team members, to foster an environment of continued growth and development within the team
• Working effectively with Partners, Directors and staff to provide support, maintain communication and update on engagement progress”

Meanwhile, another contract position for ‘Privacy Officers’ sought privacy professionals equipped to manage the following duties:

• “Ensuring adherence to legislative obligations using a range of strategies, policies, frameworks and tools;
• Prepare draft incident reports and communicate meaningful recommendations, in relation to possible breaches under the Privacy Act 1988.
• Prepare responses to requests from regulators, regarding complaints and investigations.
• Action and prepare ministerial correspondence or ombudsman responses for senior staff.
• Provide guidance to staff about the interpretation of Privacy Principles and other relevant legislative frameworks
• Process requests for information from government stakeholders and third-party clients;
• Prepare concise draft reports with accuracy and attention to detail”.

The most commonly referred to tasks for consultants in the job ad’s include:

• Risk management / assessments / audits
• Privacy impact assessment
• Client liaison and relationships
• Understanding and interpreting law, regulations and compliance/framework reviews
• Technical advice

What this variety reveals is that organisations need to be careful to identify their specific privacy needs and hire a privacy consultant with the relevant expertise.

Where are the privacy consultant roles?

Like general privacy roles the majority of privacy consultant positions are advertised as being based in Sydney. However, there is an increasing tendency towards location flexibility across the professional job market and privacy roles are no different. So if you don’t live in Sydney, don’t despair, there are opportunities to work as a privacy consultant outside of our largest city.

Below is a graph showing the locations of advertised roles we have surveyed since Dec 2019.

What should you do?

If you think you’re interested in becoming a privacy consultant, our advice is:

• Try and get the relevant experience you need, if not directly in privacy, in a related area such as risk management or compliance;
• Consider getting a privacy certification as a way of proving your technical knowledge;
• Review your soft skills and think of how best to demonstrate that you have the written and oral communication and inter-personal skills required of a successful consultant.

Privacy is a booming area and full of opportunities for those interested in jumping in.

Privacy 108’s Privacy Consultants

Privacy 108’s privacy consultants have helped universities, global companies, and local businesses improve privacy and cybersecurity outcomes.

Founder Dr Jodie Siganto is recognised as one of Australia’s foremost privacy experts, with almost 20 years’ experience aiding in the development of privacy programs.

Our services include:

• Privacy impact assessments;
• Development and implementation of privacy management programs;
• Privacy compliance programs including GDPR readiness;
• Data breach response and notification;
• Advice on the use of the cloud and other third party service providers;
• Developing an organisational security culture; and
• Training and awareness programs.

As a registered partner of IAPP, we are also involved in the training and development of Australia’s privacy professionals. Find out more about Privacy 108’s Certification Training here.

Want more information, use the form below to contact us.