Founded in 2000, the International Association of Privacy Professionals (IAPP) bills itself as “the largest and most comprehensive global information privacy community and resource.” It is more than just a certification body. It is a full-fledged not-for-profit membership association with a focus on information privacy concerns and topics. Its membership includes both individuals and organizations, in the tens of thousands for the former and the hundreds for the latter (including many Fortune 500 outfits).
Its mandate is to help privacy practitioners develop and advance in their careers, and help organizations manage and protect their data. To that end, the IAPP seeks to create a forum where privacy pros can track news and trends, share best practices and processes, and better articulate privacy management issues and concerns.
By 2012, the organization included 10,000 members. By the end of 2015, membership had more than doubled to 23,000 members. According to a Forbes story published that same year, approximately half of the IAPP’s membership is women (which makes it pretty special, based on our understanding of the gender composition for most IT associations and certification programs). Current membership must be between 30,000 and 40,000 as growth rates from 2012 to 2015 have continued, if not accelerated in the face of the EU’s General Data Protection Regulation (GDPR), which went into full effect on May 25, 2018. The IAPP also claims to have certified “thousands of professionals around the world.”
IAPP certification program overview
The IAPP has developed a globally recognized certification program around information privacy. Its current certification offerings include the following credentials:
- Certified Information Privacy Professional (CIPP): seeks to identify professionals who work primarily with privacy laws, regulations and frameworks
- Certified Information Privacy Manager (CIPM): seeks to identify professionals who manage day-to-day privacy operations for businesses and organizations
- Certified Information Privacy Technologist (CIPT): seeks to identify IT professionals who work regularly (if not primarily) with privacy policies, tools and technologies on the job
All these certifications comply with the ANSI/ISO/IEC 17024 standard, which means they have been developed to meet stringent requirements for analyzing the subject matter and the fields of work to which they apply, along with formal psychometric analysis of test items to make sure that exams truly differentiate those who possess the required skills and knowledge to do the related jobs from those who do not.
All the IAPP exams follow the same cost structure, though charges vary by location. In the U.S., each first-time test costs $550, with a $375 charge for any subsequent retake of the same exam. Those who already hold any IAPP certification pay just $375 for each additional certification test they take. IAPP certification holders can either pay an annual maintenance fee of $125 to keep their certifications current (and meet continuing education requirements of 20 CPE credits every two years) or they must join the IAPP.
If a person joins, they’ll pay an annual membership fee. Currently, that’s $250 for professional members, $50 for student members, and $100 for all other membership categories (government, higher education, retired and not-for-profit). Those who elect to pay the certification maintenance fee need pay only once a year, no matter how many IAPP certifications they earn.
IAPP exams are available at Kryterion testing centers, which may be identified with its test center locator. Exams consist of 90 question items. Candidates may take up to 150 minutes (2.5 hours) to complete any IAPP exam. Payment is handled through the IAPP website, but Kryterion handles date and time windows for exams at its test centers.
Certified Information Privacy Technologist (CIPT)
This credential is the most likely place for a person working in IT to start their IAPP efforts. The CIPT validates skills and knowledge about the components and technical controls involved in establishing, ensuring and maintaining data privacy. To be more specific, the body of knowledge (BoK) for the CIPT stresses important privacy concepts and practices that impact IT, and makes sure that practitioners understand consumer privacy expectations and responsibilities.
It also addresses how to bake privacy into early stages of IT products or services to control costs and ensure data accuracy and integrity without impacting time to market. CIPTs understand how to establish privacy policies for data collection and transfer, and how to manage privacy on the internet of things. They also know how to factor privacy into data classification, and how it impacts emerging technologies such as biometrics, surveillance and cloud computing. Finally, CIPTs understand how to communicate on privacy issues with other parts of their organizations, including management, development staff, marketing and legal.
Certified Information Privacy Professional (CIPP)
IAPP describes this certification as just right for “the go-to person for privacy laws, regulations and frameworks” in an organization. This audience may include more senior privacy or security professionals with IT backgrounds, but it may also involve people from management, legal or governance organizations whose responsibilities include data privacy and protection concerns. This goes double for those involved with legal and compliance requirements, information management, data governance, and even human resources (as privacy is a personal matter at its core, involving personal information).
Because managing privacy and protecting private information is often highly regulated and subject to legal systems and frameworks, the IAPP offers versions of the CIPP certification where such content and coverage has been “localized” for prevailing rules, regulations, laws and best practices.
There are five such versions available: Asia (CIPP/A), Canada (CIPP/C), Europe (CIPP/E), U.S. Government (CIPP/G) and U.S. Private Sector (CIPP/US). As of this writing, the CIPP/E perforce offers the most direct and focused coverage of GDPR topics. That said, given that GDPR applies to companies and online presences globally, such material will no doubt soon make its way into other CIPP versions in the next 6-12 months. The U.S.-focused exams are already scheduled for a refresh in August 2018, as per the IAPP website’s certification pages.
For example, the CIPP/US page includes the following materials:
Each of the other regional versions of the CIPP has a similarly large, detailed and helpful collection of resources available to interested readers and would-be certified professionals.
Certified Information Privacy Manager (CIPM)
The CIPM is a more senior credential in the IAPP collection. It seeks to identify persons who can manage an information privacy program. Thus, the focus is on privacy law and regulations and how those things must guide the formulation of workable and defensible privacy policies, practices and procedures for organizational use. The CIPM BoK covers the following topics:
- Privacy program governance: organizational vision, program definition and creating a privacy team; developing a privacy program framework; implementing a privacy policy framework; and identifying and using metrics to report on privacy for governance, auditing, and regulatory purposes
- Privacy operational lifecycle: assess organizational and third-party partner and processor privacy posture, including physical and business assessments; establish privacy protections over the data lifecycle, following best cybersecurity practices and Privacy by Design; sustain privacy protections by measuring, aligning, auditing and monitoring privacy data; respond to requests for information about personal data; and respond to privacy incidents as they occur
In general, CIPMs play a lead role in defining and maintaining data privacy policies for their organizations. They will usually be responsible for operating the privacy apparatus necessary to demonstrate compliance with all applicable privacy rules, regulations and laws for the organization as well.
Other IAPP certifications
The IAPP also offers two other elements in its certification programs. One is the Privacy Law Specialist, which aims at attorneys or other licensed legal professionals who wish to focus on privacy courses in a legal context. The other, called the Fellow of Information Privacy (FIP), aims at those at the top of the privacy profession and is available only to those who’ve completed two or more IAPP credentials, including either a CIPM or a CIPT, and one or more of the CIPP credentials. It requires three professional peer referrals and completion of a detailed application form. We won’t discuss these credentials much more in this article, except to note here that the Privacy Law Specialist garnered a surprising 200 hits in our job board search (see below for other details gleaned thereby).
Finally, the IAPP website recommends the combination of CIPP/E and CIPM as the possible credentialing for those wishing to focus on GDPR, shown in this screenshot from its Certify pop-up menu:
IAPP employment: Job board stats and example jobs
We visit four job posting sites to check on demand for specific credentials: Simply Hired, Indeed, LinkedIn and LinkUp. Here’s what we learned.
| Certification | Search string | Simply Hired | Indeed | LinkUp | Total | |
|---|---|---|---|---|---|---|
| CIPP | CIPP | 668 | 745 | 1,064 | 401 | 2,878 |
| CIPM | CIPM | 187 | 198 | 260 | 191 | 836 |
| CIPT | CIPT | 146 | 155 | 276 | 210 | 787 |
The breakdown for CIPP fell out like this: CIPP/A 27, CIPP/C 287, CIPP/E 351, CIPP/G 154 and CIPP/US 401. As you’d expect, the U.S. categories combine for a majority, with Europe a surprising second ahead of third-place Canada.
Salary information appears in the next table. We collected low, median and high values for each credential, finding surprisingly little difference between the CIPM and the CIPP. Given that a CIPM is likely to hold a management position, this shows that the CIPP holds considerable value in employers’ estimations. It’s also interesting that the median values show the CIPT and the CIPP are close to one another too. This bodes well for IT professionals interested in pursuing the CIPT.
| Certification |
Low |
Median |
High |
|---|---|---|---|
| CIPP | $33,969 | $66,748 | $131,156 |
| CIPM | $41,069 | $73,936 | $133,106 |
| CIPT | $32,131 | $62,279 | $120,716 |
| Privacy Law Attorney | $46,146 | $89,026 | $171,752 |
Typical positions for privacy professionals are very much one-offs. We found a risk management and compliance manager position at a South Carolina government agency charged with defining and implementing security and privacy policies for the department of corrections. That position paid $120,000 per year and involved security and audit compliance, business continuity and disaster recovery planning, and risk and incident management. By itself, the requested CIPM would not be enough to qualify for that job.
The next position was for a healthcare services director position in Albuquerque, New Mexico, which involved auditing, risk management, and contract and vendor negotiation. Its pay range was $140,000 to $190,000 per year, and it required serious management chops, along with IT governance and risk and compliance experience, with calls for knowledge of tools like Archer and Clearwell. The third position was for a senior data privacy associate at a Washington law firm, which sought a person with a CIPP/E, CIPP/US and CIPT, with pay in the $120K-$150K range.
Thus, it appears there are plenty of opportunities – some with high rates of pay – for those willing to climb the IAPP certification ladder. Both the job boards and the individual postings speak directly to strong and urgent need in the field for qualified privacy professionals at all levels.
Training resources
IAPP courses are available through many channels, including classroom training through the IAPP and its partner network. Online training classes are also available, for lesser charges. The IAPP provides ample references and resources, with authoritative and supplemental texts, websites, legal references and statutes, and more for each of its credentials. There’s also plenty of self-study material for those who prefer that route.
The IAPP also offers practice exams (which it calls trial questions) to help candidates prepare for exams. Surprisingly, there is even something of an aftermarket for IAPP books and materials, as a quick trip to Amazon will attest.
Dallas already boasts 35,000 hotel rooms, award-winning global cuisine, and a walkable downtown. But we are just getting started. Visit Dallas is thrilled to announce that the city of Dallas is doubling down with a massive new convention center and entertainment district. Featuring 800,000 square feet of exhibit area, 260,000 square feet of meeting rooms, and 170,000 square feet of ballroom. The center will connect business travelers with dining and shopping options in the popular Cedars District means more places to get down to business, and even more ways to unwind. “Dallas is already a great meetings and conventions destination, with the accessibility of two major airports, affordable labor, and an outstanding hotel product,” said D. Bradley Kent, Visit Dallas senior vice president and chief sales officer. “The new center and Convention Center District will enhance Dallas’ competitive position and are exactly what our customers’ need and have been asking for." What’s New – AT&T Discovery District Located in the heart of Downtown Dallas, this new district on the AT&T corporate campus is tailor-made for groups of all sizes. It boasts a multi-sensory experience, including outdoor event space, the AT&T Theater, and multiple dining outlets including JAXON Beer Garden and The Exchange, a bustling food hall. Hotels Coming Soon Names like the JW Marriott (Downtown), lnterContinental Dallas (Uptown), and Hotel Swexan (Uptown) are adding luxury amenities and bountiful event spaces. The projects will debut in 2023 and beyond. JW Marriott This new, 15-story, 283-room hotel will open in the heart of the city’s downtown Arts District this year. The property features a 25,000-square-foot grand ballroom, as well as a spa, restaurant, lobby bar, fitness center, and a rooftop pool deck and bar. InterContinental Dallas Located in Cityplace Tower in Uptown, InterContinental Dallas will feature sweeping panoramic views of the Dallas skyline. Guests will enjoy spacious, high-end rooms and amenities, including more than 21,000 square feet of event space. Hotel Swexan Hotel Swexan, a new, 22-story luxury property, is rising in Uptown’s Harwood District and will make its mark on the Dallas skyline. Opening this year, it is a sculptural building with cantilevered upper floors, as well as a 75-foot rooftop infinity-edge swimming pool and a hidden underground lounge.
The Bigger the Organization, The Better the Compensation!
According to the survey results compiled from more than 1,400 industry professionals, privacy pros working for organizations with under $100 million of annual revenue reported average base salaries 35% lower than privacy pros working at organizations with more than $40 billion in annual revenue.
This means that job seekers testing the waters with different sized companies may find that working for larger organizations may be more financially advantageous and the work at larger organizations may be more specialized to suit experienced workers.
Because larger organizations (with huge market presence and deep pockets) are offering higher salaries, they are likely to employ more specialized privacy professionals who focus on a limited number of tasks. In comparison, smaller organizations require privacy employees to wear many hats, but they also get more varied experience.
Number of Employees Matters Too for Privacy Compensation
A similar theme was observed when considering the number of employees. Privacy professionals at organizations with fewer than 100 employees reported 28% lower average base salaries than those working in organizations with more than 80,000 employees. Four main scenarios were seen from the survey results:
So that raises two questions: what are the salary ranges for privacy jobs and where are these jobs?
Coseglia took the opportunity to match the IAPP survey results to similar research done by TRU’s 2022 & 2023 Data Privacy Jobs Report. He compared base salaries by role title within three key markets that hire privacy professionals and showed the IAPP mean:
Then, he displayed where the privacy jobs are most frequently open for both full-time and contract privacy professionals. Corporations, who do 80% of the privacy industry hiring, currently have the most potential for job seekers.
A exact webinar to analyze the 2023 IAPP Privacy Professionals Salary Survey gave attendees a high-level overview of the survey’s unprecedented exploration of global compensation and job market trends in the privacy industry. Panelists included TRU's Founder & CEO Jared Coseglia, alongside IAPP Principal Researcher in Privacy Management, Saz Kanthasamy, CIPP/E, CIPM, FIP, and IAPP Research & Insights Director, Joe Jones – all of whom offered several glimpses into the monumental research efforts that resulted in myriad statistics on what respondents earned, how they earned their compensation, where they were located, and their compensation based on their job titles. However, a surprising statistic stood out from the panelists’ discussion: More than two-thirds of privacy pros surveyed said they still worked from home more than they do in an office, and 40% were fully remote.
Considering that the industry is now well past the pandemic, this high percentage may have surprised some. That statistic tied into many more aspects of the remote work versus office work debate, and was also instrumental in an overwhelming majority of respondents saying they were extremely happy in their roles.
Why Remote Capability Is So Desirable in the Data Privacy Industry
During the pandemic, remote work proliferated. And thanks to new advancements in technology that supported “anywhere” connectivity, easy availability of cloud-based software, high-speed internet, video conferencing, and instant messaging apps, privacy pros around the world got comfortable at home and built a strong, healthy work-life balance. No one wanted to deliver that up.
The IAPP and TRU collaborated on this deep-dive survey of the privacy industry, researching current remote working practices to see what changed when the world was open for business again.
The 2023 compiled data shows:
- 69% of respondents work from home more than they do in the office, a much greater proportion than the 36% of respondents who predicted working this way in 2021.
- 40% of respondents work fully remotely, an increase of 31% over those who predicted solely working from home in the 2021 survey.
- 5% of respondents are fully office based, making this comparable with those who predicted working this way in 2021.
By contrast, in the 2021 survey, more than 80% of respondents worked entirely from home and 11% “mostly” worked from home.
Remote Privacy Work Varies by Region
The survey also delved deeper into remote working practices to determine who worked where by region. Data from respondents showed:
- 49% of respondents based in North America work fully remotely
- 26% of respondents in Europe work fully remotely
- 25% of those based in Africa and Asia work fully remotely
- At least six in 10 respondents in North America, Europe and South America worked from home more than in the office.
The genuine percentages are much higher than what privacy pros thought they would be doing in the 2021 Salary Survey.
Remote Privacy Work by Job Title
The IAPP and TRU researchers then went one step farther in their research and learned that privacy analysts and engineers were the professionals most likely to be remote: nearly eight out of 10 privacy analysts and six out of 10 privacy engineers worked from home. About one in 10 of those surveyed with the job title of cybersecurity professional, DPO, or external privacy lawyer were fully office-based. Four out of 10 respondents who identified as DPOs worked from the office more than at home.
Coseglia noted that in terms of his clients and privacy placements, organizations that offered more remote capability had many more candidates to chose from when hiring for open positions.
Professional employer organizations (PEOs) are third-party companies that provide outsourced payroll and human resources (HR) support.
Business owners and executives might hire PEOs if they’re short on time or have too many employees to keep track of by themselves. Indeed, it’s a more accessible and cost-effective option than hiring in-house professionals, but there are downsides. You must have a solid budget and an open mind when working with an external organization.
Let’s take a closer look at what a PEO is, what its strengths and weaknesses are and who it’s best for.
Jump to:
What is a PEO?
As mentioned above, professional employer organizations are essentially contractors, and they cover your payroll and human resource needs. For example, a PEO can file your taxes, issue paychecks and answer employee benefits questions.
Think of a PEO as an a la carte, prepackaged human resources department. You can purchase their services as needed and stick with them until you put an internal HR team together. They’re ready to go with staff, software and expertise, so you can confidently hand over your payroll and HR operations — all for convenience and peace of mind.
PEO example
There are many PEOs out there. Some target specifically small businesses, yet others provide services to any size entity. A few of the top PEOs include Papaya Global, Paychex and TriNet, which we cover in our list of favorite PEOs.
However, our number one choice is ADP TotalSource. It serves businesses with five to 250 employees, and some of its main offerings include:
- Payroll and tax services.
- Workers’ comp and claims management.
- HR expertise.
- Benefits plans.
- Hiring support and employee retention.
These kinds of services are fairly standard for PEOs with some variance based on specialty or unique capabilities, but it’s also important to peruse user reviews to get a sense of how satisfied a service’s customers are and what level of quality you can expect.
What are the benefits of a PEO?
The overarching appeal of professional employer organizations (PEOs) is their money- and time-saving value. For instance, small-business owners usually employ a PEO in lieu of hiring elaborate administrative teams.
But there are other perks too:
- Improved employee morale: Staffers suffer when there is inadequate administrative support. A PEO can ensure a high standard of help is always available, improving morale.
- Access to experts: PEOs have teams of experts in HR, benefits and compliance. This expertise enables small businesses to make sound decisions.
- Flexibility: PEOs offer tailored solutions with various plans and services. This approach can fit any budget or need.
- Scalability: PEOs can help small businesses scale up or down as needed. You don’t need to hire more people to support a growing workforce. Conversely, letting go of PEO support when money’s tight is an option if you need it and aren’t locked in a contract.
For many businesses, PEOs pay for themselves. After all, they’re typically cheaper than hiring in-house professionals from scratch. Plus, their specialized knowledge helps you avoid costly issues like a missed tax deadline or compliance problems.
What are the downsides of a PEO?
Nothing’s perfect in life, and PEOs are no different.
First, you’ll need enough staff members to justify contracting a PEO. A dozen or more employees is a good rule of thumb, but this can vary. Any fewer and it’s likely easier to keep things informal and in-house — most likely in a bare-bones arrangement.
You’ll also need a proper budget. Undoubtedly, a PEO is out of the question if you’re scraping by or are waiting to see if revenue picks up. PEOs save money only when compared to hiring in-house professionals. They’re still a pricey proposition, though.
There are other downsides to consider:
- Loss of control: PEOs take over many of the HR functions that small-business owners typically handle themselves, such as payroll, benefits administration and other HR tasks. This can feel like a loss of autonomy for some folks.
- Lack of flexibility: PEOs typically offer more general services, which may only fit some businesses well. If a company has highly specialized HR needs, such as international payroll operations, finding a PEO that can accommodate all its particular needs may be difficult.
- Reduced privacy: When a business outsources its HR functions to a PEO, it’s sharing confidential employee information with that company. This disclosure can feel concerning to privacy-conscious people.
- Reduced control over employee relations: When a PEO manages a business’s HR functions, you’ll have less control over employee relations issues. This loss of oversight is troubling if you want strong authority over hiring, firing and discipline.
PEOs can be a good option for some small businesses, but they are not without their issues. You’ll need flexibility, an open mind and a comfortable budget to overcome these downsides. And it’s okay if you’re not quite at the right stage for a PEO — there are plenty of excellent payroll software out there to help you in the meantime.
Why would a company use a PEO?
Usually, smaller businesses still trying to find their footing employ a PEO. This situation includes entities with uncertain futures, newly launched ventures and those not yet able to afford large in-house administrative teams.
Here are some situations that make a PEO a good idea:
- Healthy budget and cash flow: PEOs can save money over in-house teams, but they are still pricey. If you have money to spend, these external organizations can provide excellent value and time-savings.
- Growing workforce: More employees means a greater need for administrative workers. A PEO can quickly solve this support gap if you’d rather not take on more human resources staff.
- Highly regulated industry: If your business falls under strict governmental oversight, then a PEO can keep things in check. For example, an at-home nursing business can focus on obligatory HIPAA training instead of attending human resources conventions.
- Uncertain outlook: If your business is turbulent, a PEO can vanish or return much easier than in-house employees. You won’t have to lay off administrative staff, for one consideration.
- Complex tax obligations: Most people don’t like doing taxes. If this describes you, a PEO can take these pesky duties off your plate. This relief is precious if you have a complicated tax situation, like employees in many states.
Overall, a PEO is geared toward growth. Small businesses use these organizations to keep their focus on their core business rather than bothering with administrative tasks.
Real-life examples
A young startup company is a good example of a business well-suited for a PEO. Startups often don’t have the resources to hire a full-time HR department. They’re also unsure of their future, and avoiding layoffs is ideal. This theme of uncertainty makes a PEO a quick, straightforward solution to handle administrative tasks.
Another example of a small business that might use a PEO is a business with seasonal staffing fluctuations. As you shrink operations, you can easily downsize PEO services and vice versa. On the other hand, you would have to conduct difficult layoffs if you had an in-house team.
When shouldn’t a company use a PEO?
A business’s financial situation and workforce size are two top factors when considering a PEO. You must have enough money and staff to justify a PEO. On the other hand, if you’re a mature business that’s flush with cash, hiring an in-house team may better suit you.
A PEO is not right for you if your business:
- Employs a very small number of people: PEOs typically require a minimum number of employees to be cost-effective.
- Has a specific set of HR needs that a PEO cannot meet: PEOs typically offer a standard set of HR services and may not be able to meet the specific needs of a company with unique HR requirements.
- Is unwilling to deliver up some control over its HR functions: When a company uses a PEO, it is outsourcing its HR function to the PEO. As a result, the company will no longer have complete control over its HR policies and procedures.
- Keeps a tight budget: PEOs typically charge a monthly fee based on the number of employees the company has. These fees can be expensive, so businesses must ensure the benefits outweigh the costs.
- Is risk-averse: Using a PEO means trusting them with two sensitive and critical departments — payroll and human resources. If the PEO underperforms or fumbles along the way, your business will suffer. You must feel comfortable with this risk.
If you already have an in-house administrative team, a PEO may cause friction. Your team may worry they’ll get laid off or have less authority over personnel matters. Luckily, most PEOs offer customized services. This tailored approach means you can retain in-house staff and use third-party help with extra tasks as a way to share responsibilities.
Key takeaways
Professional employee organizations provide human resources and payroll support on a contracted basis. This third-party arrangement makes it easy, quick, and cost-effective for businesses to employ.
Yet, only some entities are suitable candidates. You’ll need a healthy budget and a growing workforce to justify the expense. Plus, you must be open-minded to listen to a PEO’s recommendations and decisions.
1 Justworks
Justworks Payroll is a lightweight solution that simplifies Payroll and HR operations so you can focus on what matters most – running your business. Our user-friendly navigation, paired with reliable support, helps you monitor and maintain compliance, onboard and manage your teams, and navigate the complex world of payroll with confidence.
Designed for today's needs and tomorrow's ambitions, our adaptable solutions will elevate your operations & provide the tools for your business to thrive.
2 Workforce Now - ADP
ADP Workforce Now serves clients across nearly every industry who are looking to manage their human capital management needs across payroll, HR, benefits, talent, and time and labor, among others. ADP Workforce Now provides clients with custom-tailored solutions that fit their organization, so they can save time and money while getting expert support and accuracy.
3 Paycor
Payroll can be a time-consuming, administrative task for HR teams. Paycor’s solution is an easy-to-use yet powerful tool that gives you time back in your day. Quickly and easily pay employees from wherever you are and never worry about tax compliance again. Key features like general ledger integration, earned wage access, AutoRun, employee self-service and detailed reporting simplify the process and help ensure you pay employees accurately and on time.
4 OnPay
Payroll and HR that move you in the right direction. We deliver you everything you need to navigate payroll, HR, and benefits — so you can keep running your business smoothly.
Get your first month free, or join a demo to see everything we can do!
5 Paychex
Paychex is a cloud-based payroll management system offering payroll, HR, and benefits management systems for small to large businesses. Paychex covers payroll and taxes, employee 401(k) retirement services, benefits, insurance, HR, accounting, finance and Professional Employer Organization (PEO).
In her role as Vice President and University Chief Compliance and Privacy Officer, Kim Gunter leads the Office of Compliance, Policy and Privacy Services, overseeing all ongoing activities related to the development, implementation, maintenance of, and adherence to Drexel's policies and procedures covering the privacy of and access to sensitive information, including student information and patient information, in compliance with federal and state laws. She also oversees the University's adherence to federal, state, and local regulatory requirements and the University's policies and procedures, including the Code of Conduct, Conflict of Interest Program and the Drexel Compliance Hotline program.
Kim has over 20 years of experience in health care compliance, privacy, and legal, regulatory and risk management. At TridentUSA Health Services, a national bedside diagnostics company, Kim served as the organization's first compliance and privacy officer and built the program there from the ground up, serving as the main point of contact for all compliance program activities, including health care, HIPAA privacy and security, elder justice, Medicare and state regulatory compliance concerns. Kim was also Trident's first Chief Diversity Officer, where she implemented institutional goals to address issues of equality for all employees and associates.
Prior to Trident, Kim served as a privacy director at Johnson & Johnson, as associate director of marketing compliance at Centocor Inc., as a compliance and privacy manager at PwC (where several academic medical institutions were among her clients), and as a risk management consultant for Princeton Insurance Company. Throughout these roles, Kim acquired significant experience implementing privacy and audit programs on a global scale. She excels in establishing methodologies and assessments, compliance standards, and educational training for the protection of personal information in a variety of industries and business operations.
Through her work with the International Association of Privacy Professionals (IAPP), Kim helped develop a Higher Education Privacy Section, and as a member of its faculty, she trains certification candidates on the key elements of higher education laws. Kim has served as an adjunct professor at Widener University School of Law. She continues to mentor and teach J.D. candidates as a guest lecturer and member of the Health Law Program's Board of Advisors at Drexel's Kline School of Law.
Kim obtained an undergraduate degree in business administration from Georgetown University, a law degree from Villanova University School of Law, and a master of laws from Widener University School of Law. She has earned an Associate in Risk Management from the Insurance Institute of America, Certified Information Privacy Professional and Manager designation from the IAPP, and a Certified Compliance and Ethics Professional designation from the Compliance Certification Board.
Jesse Redniss is CEO & Co-Founder of Qonsent, the first data privacy enablement and engagement platform built for consumers and brands.
Modern biometrics have been around for decades, but thanks to the rapid evolution of technology, they’ve found themselves at somewhat of a crossroads in the digital age. It’s not just that organizations keep personal biometric data on people out there; it’s how it’s collected, used and stored that quickly snowballs into a bigger issue.
Sure, we have a federal data privacy law in the works while states do their own thing, but rarely can anything keep up with how fast technology advances. What was discussed and debated a few years ago could be a completely different ball game today, so it requires no small amount of proactivity and pragmatism to adapt.
This is pretty much where we are with data privacy—and adding biometrics into the mix has created another layer of personal data that hasn’t really been a part of how we traditionally define PII, or personal identifiable information. Of course, it’s alluded to and even mentioned, but the fine print isn’t there, as these are relatively new waters we’re charting.
Smile, You’re On Camera (Forever)
Any new or advancing technology should come with a warning label, as there will always be genuine concerns as to how it will impact individuals, society and even the global stage—things that often can’t be foreseen or realized until they happen. When we look at biometrics—specifically, facial recognition software—a growing number of issues have cropped up as it becomes more sophisticated and ubiquitous. China is an extreme example, as the world’s most populous country is already using the technology to surveil and track its citizens.
But here in the U.S., there's little to no appetite for this. Perhaps ironically, places like San Francisco are trying to get ahead of the curve and mitigate any potential misuse of such a powerful technology. Back in 2019, the city became the first to outright ban the use of facial recognition technology by police and local government. Some might argue that although it’s a good first step, we need to do more—especially in the private sector.
Don’t Wait Around For Federal Legislation
Biometrics like facial recognition software have become hotly debated, as they require one crucial element to work: personal data. So, while the SFPD can’t use facial recognition software, what’s stopping other organizations and businesses across the country from using it? The answer is nothing, really.
We are, however, making some headway to protect and preserve the integrity of personal information at the federal level with the introduction of the American Data Privacy and Protection Act (ADPPA). According to the International Association of Privacy Professionals (IAPP), the ADPPA is the “closest U.S. Congress has ever been to passing comprehensive federal privacy legislation.” But we’re not there yet—it has yet to be approved by Congress, and nobody seems to know when, or if, that will happen.
Consent As A New Standard Of Data Privacy
Without any federal legislation to regulate facial recognition technology, it will continue to pose several challenges. To start, the technology is far from perfect and could easily misidentify individuals and lead to potentially unjust consequences such as incarceration. It's also been known to exhibit biases against specific demographics such as women and people of different races.
Surveillance of public—and even private—places is also a genuine concern, as individuals can be identified and tracked without their knowledge or consent. Mass surveillance of this kind screams Big Brother, but how businesses and other nongovernmental organizations use this technology also has far-reaching implications.
Consent is crucial and something I want to stress, as many people may not fully understand the implications and potential risks associated with sharing their biometric information. Individuals often have very little control over this type of data once it’s been collected—in fact, they often don’t even know it's been collected in the first place. Add in a lack of transparency of how that data is stored, used and shared, and you have a data privacy nightmare—for consumers, businesses and governments alike.
Five Steps To Address Biometric Data Privacy Concerns
Because there’s no hard and fast rule book, it’s important that organizations take the initiative when it comes to data privacy and protecting consumer data. When we’re looking at facial recognition (and even biometrics as a whole), I boil it down to five guiding points meant to deliver businesses and organizations a jump start.
1. Implement privacy by design. Whether you make the technology or simply touch the data, privacy should be an integral part of the system architecture, ensuring that data privacy principles are embedded at every stage of the technology's development—everything from access controls to security audits.
2. Obtain consent through transparency. It’s critical to be transparent with individuals about the collection, storage and use of their facial biometric data. Ensure consent is freely given, specific and informed.
3. Define specific parameters of use. Limiting the use of facial recognition data to specific, legitimate purposes that have been communicated to individuals is key. Only collect what you need, minimize the retention period and safely delete or anonymize data when it’s no longer needed.
4. deliver users access and control. deliver individuals access and granular control over their facial biometrics so they can correct, delete or restrict its use. They should also be able to easily withdraw their consent.
5. Keep up with the latest regulations. Regular privacy and security audits will help ensure compliance with relevant data protection regulations. GDPR is the most common framework, and perhaps, ADPPA will one day follow suit.
By implementing these measures, businesses and organizations can tackle data privacy concerns with facial recognition head-on. Terrible pun, I know, but doing so requires a multifaceted approach that involves robust data protection regulations, transparency, consent, accountability and ongoing dialogue between organizations, policymakers, privacy advocates and the public.
And although the ADPPA could be the oversight we need, the onus is on public and private organizations to proactively address data privacy now. We won’t get very far waiting for the government to wrap laws around technology that it doesn’t fully understand.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
