Facing increasingly pervasive privacy and data security issues, companies must decide what qualifications to look for when hiring experts in these areas, whose role within the company is becoming increasingly vital. Moreover, unlike hiring for other positions, it is common that a CEO lacks the knowledge and background to adequately assess whether such an individual has the right expertise and, later on, how they are performing in the position. While there is no “one size fits all” checklist, the following are some factors to consider:

  1. Certification: Various certifications are available to privacy and data security experts. In evaluating whether a privacy or data security expert candidate has the necessary and appropriate knowledge and skills for such a position, companies should consider whether the candidate has received any relevant certifications. For example, professionals in these areas may have one or more certifications through the International Association of Privacy Professionals and/or the Information Systems Security Certifications Consortium, Inc. While not necessarily dispositive as to whether a candidate is qualified for a position, a certification in the areas of privacy and/or data security may evidence a candidate’s interest in, experience with, and maintenance of current knowledge about issues in these areas.
  2. Technical Knowledge and Practical Experience: A candidate with strong technical knowledge may be better positioned to identify potential threats to privacy and data security and to determine how best to prevent and address any such threats. Perhaps even more compelling than a candidate’s technical knowledge is his or her demonstrated practical experience in the application of such knowledge.
  3. Legal and Regulatory Knowledge: Another factor to consider is a candidate’s familiarity with and understanding of laws and regulations applicable to privacy and data security issues. A candidate who is well-versed in these areas may be more qualified to ensure compliance with pertinent laws and regulations in both domestic and international contexts.
  4. Policy: In addition to understanding applicable laws and regulations, privacy and data security experts should be able to understand, interpret, and prepare policies to best ensure compliance with such laws and regulations. Among other things, a strong candidate should possess knowledge about whether the company is legally permitted to use employees’ or customers’ personal information; whether specific information is subject to specific or more stringent rules based on the type of data involved; and whether personal information, if used, might lead to public relations issues or other business-related concerns.
  5. Networking: Expert candidates who engage in networking and attend conferences or similar events could be more up-to-date on relevant issues and laws in the areas of privacy and data security. Candidates who have presented at conferences or written articles about relevant issues may have a heightened commitment to their field, knowledge of pertinent subject matter, and understanding of the nuances of issues that can or may arise, as well as how to address any such issues if they do in fact occur.
  6. Independence and Analytical Skills: An expert who does not demonstrate independence and analytical skills may not be a good fit for an organization. Companies should look to an expert candidate’s ability to work independently and to thoroughly analyze both overall privacy and data security issues and particular incidents.

While these examples are not an exhaustive list of factors organizations should consider, they provide some important considerations for companies when interviewing and hiring privacy and data security experts.