Privacy by design – the answer to the privacy skills gap?

Privacy - but by design. Welcome to your Utopia...
2 June 2023

Can you crack the code to unlock privacy by design?

• Privacy by design delivers more safety.
• Helps modernize an organization by evolution.
• Prioritizing data privacy tackles the privacy skills gap.

Increasingly, companies are finding themselves caught in a data privacy skills gap. New research from ISACA (the organization formerly known as the Information Systems Audit and Control Association) has revealed that, across Europe, the privacy skills gap affects 94% of businesses, with 59% of privacy teams reporting as understaffed, and one in five saying it takes more than six months to fill a technical vacancy – leaving unacceptable gaps in their privacy profile.

In Part 1 of this article, we sat down with Chris Dimitriadis, ISACA’s global chief strategy officer, to see where this privacy skills gap was coming from, what was exacerbating it, and what ISACA thought the solution could be – before every privacy team in every company was distinctly unfit for purpose.

Chris’ prescription largely revolved around educating and training people on an ongoing basis rather than, for instance, as a one-off cost item. Ongoing training would be not only a longer-term solution, but also a canny piece of accounting to get boards to approve the training burden. People, he believed, would then inculcate privacy culture into their organization from the ground up.

But he also had an idea for a better way that businesses could deliver privacy on an ongoing basis if they were starting out, rather than patching around the problem as it grew. That was the idea of “privacy by design.”

While we had Chris in the chair, we asked him what “privacy by design” looked like, what it meant, and how organizations could implement it.

The impact of an idea.

THQ:

Privacy by design. What fundamental difference does that make to the whole privacy premise of a company? Would it address some of these issues of the privacy skills gap? Entirely? Partially? What’s the scale of difference it would mean if adopted?

CD:

It makes a very big difference. First of all, from a capability point of view, because with this idea, privacy’s embedded and aligned with the way that, for example, companies develop new products.

To develop new products involves technology. If privacy is embedded and aligned with the way that this product is being developed, and we follow an agile approach in sprints in order to develop the code, or there are privacy-specific sprints that are planned within the lifecycle of the development process, then it’s much more effective, because the issue with every technology solution is that it’s changing very rapidly.

Patching, updating, new features, new customer requests – they all involve changes coming rapidly into the process, and if your privacy project is separate, it can struggle to meet the demands of all those changes. Privacy by design makes the whole process much, much more effective than patching around privacy or having a separate privacy project.

In fact, having separate privacy projects doesn’t really make sense nowadays, due to the rapid adoption of new technologies.

Add to that the fact that if you adopt privacy by design, you can budget for privacy better, because when you embed privacy within the technology project, the maximum expenditure of that project will not negatively impact the profitability of the end solution – but it will have privacy included.

Whereas if you cut those privacy requirements into pieces, checking that this is adequate from a profit and loss point of view, it likely will affect that bottom line at several points.

And of course if you check whether pieces of the privacy project are adequate from a profit and loss perspective, and it turns out they’re not, you may need to identify a different privacy solution, because there are many different technologies that you can use in order to satisfy the same privacy control.

But of course, privacy is also about the processes, so embedding privacy within the operation of an organization is much more effective than continuing with normal operation, and then having a privacy department saying that, by the way, you need to complete this form as well. It doesn’t really work.

So it’s cost effectiveness, it’s increased effectiveness in terms of the capability of the organization, and it’s the continuous improvement and maturation of the organization as well. That’s what privacy by design brings to an organization if you adopt it and embed it.

How to deliver on budget.

THQ:

So that’s the shiny brand new Maserati approach to the privacy skills gap – privacy by design: it’ll bring you cost efficiencies, improve your efficiency overall, and improve the whole organization. Actually, it’s the shiny new electric Maserati approach. But what about companies that are facing a deeply uncertain economy?

The tech industry is already laying off jobs like it’s throwing confetti at a wedding fayre. How are we telling companies in this economy, which are doing everything they can just to survive, to take on this issue and the associated cost burdens it brings? How do companies keep the lights on while tackling the privacy skills gap and potentially implementing privacy by design where possible?

CD:

To me, it’s all about prioritization. And by prioritization, I mean deciding how to allocate the capital that you have. However small that capital is, privacy in what matters most.

That depends on the nature of the organization, too, because when organizations operate through a supply chain, especially the small to medium ones, their decisions may have to do with improving due diligence of their supply chain and picking the right partners in order to reduce their risk.

In other cases, it may have to do with very targeted change in the processes of an organization, because privacy’s all about protecting the data, similarly to cybersecurity.

So, changing the processes in order to respect the rights of your end customers according to regulation shouldn’t be that expensive to implement.

Again, it depends on spending the time doing a first analysis about what matters most.

Link privacy to your core revenue streams, and your core offerings and products. And then try to create a roadmap in order to increase your maturity versus, for instance, starting the project in which you need to bring everything to a conclusion within a few months, and then stopping every single privacy initiative because your budget is gone.

And because you’re trying to survive, it’s better to follow a gradual evolution and increase maturity gradually than to pretend that you have implemented privacy by an investment and then forget about privacy for the rest of the year.

Priorities can be set in order to come to a conclusion that is financially viable, because this all has to do with the profit and loss profile of the company, and the profit and loss profile of the product, so you have to have the right people that will show you what the right amount to spend is, depending on your capability, and which priorities to foreground over a specific timeframe.

Privacy by design – for when you really, really prioritize your privacy.