Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

HELP WANTED: Growing a Workforce for Managing Privacy Risk

Help Wanted Image

It’s a very different world that we’re living in from the one in which we published the NIST Privacy Framework this past January. These changes have demonstrated that the need for effective privacy programs that can adapt to new risks has never been more important. 

A skilled workforce is a key pillar of an effective privacy program. As the framework roadmap stated, “Further development of a knowledgeable and skilled privacy workforce (to include privacy practitioners and other personnel whose duties require an understanding of privacy risks) is necessary to support organizations in better protecting individuals’ privacy while optimizing beneficial uses of data.” Unfortunately, we’ve heard consistently that recruitment and development is a challenge. Now is the time to make headway on this challenge by creating a workforce taxonomy aligned with the Privacy Framework.

What is a Privacy Workforce Taxonomy?

Maybe we should first ask: what is a privacy workforce? Personnel in all parts of the organization such as IT, cybersecurity, legal, product development, human resources, and marketing may not consider themselves to be “privacy professionals,” but can still have a role to play in managing privacy risk. Perhaps then we should not talk about a privacy workforce so much as a workforce capable of managing privacy risk. If that’s the case, we believe that developing a taxonomy that is aligned with the Privacy Framework will enable us to categorize and describe a workforce capable of managing privacy risk, and in turn, help organizations to better achieve their desired privacy objectives. In addition, it could support recruitment with more consistent position descriptions and inform the education and training of professionals to produce a more skilled and knowledgeable workforce.

We’re coordinating with our National Initiative for Cybersecurity Education colleagues so that this effort will align with the new, streamlined structure of the Workforce Framework for Cybersecurity, introduced in July 2020 as Draft NIST Special Publication 800-181, Revision 1. Since NIST’s approach to privacy and cybersecurity is to recognize their independence as disciplines as well as their overlap, the end result of both initiatives is intended to be listings of tasks, knowledge, and skills and examples of organizing them into work roles and competencies that organizations can use in a modular fashion to address their workforce needs for privacy and cybersecurity.

Help Us

Building these modular resources will be as “easy” as it is for a privacy professional to answer the proverbial question, “So what is it that you do?” We need your help to understand the many nuanced aspects of your work, operational insights, and workforce challenges. To start, please attend the virtual workshop Help Wanted: Growing a Workforce for Managing Privacy Risk that the International Association of Privacy Professionals (IAPP) will host on September 22-24, 2020. This workshop is free, open to the public, and designed to fit into your busy schedules and maximize the opportunity for participation from around the world. We’ll be facilitating working sessions where you can share your feedback and ideas about what you think is needed to achieve the Privacy Framework’s outcomes and activities. The working sessions will have limited capacity, so don’t wait to register.

The Road Ahead

Following the workshop, we will take your feedback and use it to inform the development of a draft taxonomy that can include sets of roles, tasks, knowledge, and skills that we will share with you for your input. We see this process unfolding over the next several months, with the goal of releasing these resources in 2021.

With that, we’re hanging up a virtual “help wanted” sign: we need input from a wide range of roles (e.g., technical, business, policy, legal). If you want the job, here are your first tasks:

  • Register now for the workshop
  • Share your perspective about:
    • Challenges, needs, and opportunities for developing a skilled and knowledgeable workforce
    • The work roles, tasks, knowledge, and skills necessary to align with the Privacy Framework
    • Your organizational priorities for workforce resources (e.g., listings of tasks, knowledge, and skills and where those fit in work roles and competencies)
    • Other issues that we should consider as we develop these resources
  • If you haven’t already, join the Privacy Framework mailing list to periodically receive updates about this effort.

We hope to “see” you on September 22, but if not, there will be more opportunities to collaborate with us in the coming months to support the growth of a workforce better able to produce systems, products, and services that provide equitable benefits while minimizing the risks to our privacy.

About the author

Naomi Lefkovitz

Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. Her portfolio includes work...

Dylan Gilbert

Dylan Gilbert is a Privacy Policy Advisor with the Privacy Engineering Program at the National Institute of Standards and Technology, U.S. Department of Commerce. In this role, he advances the...


No comment, but I would be happy to be aboard.

Admirable Position
I shall apply🙋‍♀️

Looking forward to learning

I have recently seen the request from NIST to support the “Growing a Workforce for Managing Privacy Risk”. This is a great initiative bring together the backing of your two organisations to address part of the risk puzzle. So many organisations I work with are confused over the boundaries, functions and responsibilities that link these two business critical risk domains; Security and Privacy, even before addressing the link to ERM.
Many organisation I work with feel they have been protected having taken legal advice on privacy and DP, yet when we (as Security SMEs) review threat and vulnerability scenarios we find core failures to address some of the most basic CIA risk controls needed to keep critical client data secure! The Security and Privacy domains need to work together hand in hand, and a functional RACI needs to be crystal clear to support both clients and practitioners.
Given my role in client advisory on the Cyber and IS side of this conversation (I dont mean technical) I would be very interested in participating in this activity as the confusion between these two critical domains has needed ironing out and aligning for some time. It is a little unclear if this exercise is focused on just DP professionals or both DP and IS&C professionals, and if its going to be a US focused discussion, or a more macro ERM to global Privacy discussion.

Please could you let me know your thoughts.

Many thanks,


Thank you for your comment. The workforce workshop is open to both data protection and information security/cybersecurity professionals, and we hope that you’ll participate and share your insights on the importance of collaboration between privacy and cybersecurity teams.

Regarding your question about geographic scope, the taxonomy will be developed to align with the NIST Privacy Framework, which is designed to be an enterprise risk management tool usable by any organization around the world. With that goal in mind, we encourage broad participation. We look forward to virtually meeting you next week.


The NIST Privacy Engineering Team

Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.