Road to Data Privacy Capability: Integrated Data Privacy Capability Model – Webinar Summary

On 2 Dec 2022, Straits Interactive and DPEX Network held a webinar on the new Integrated Data Privacy Capability Model (IDPM) – a capability model that offers a detailed step-by-step guide to designing, running and evaluating a strong data privacy programme for any organisation – and the associated certification for Integrated Data Privacy Professional (IDPP).

The model, co-authored by Straits Interactive and first introduced in October 2022, is an exciting new development in data governance and privacy, and provides a roadmap for both GRC and privacy professionals, to look at privacy from an integrated governance, risk management and compliance perspective. Achieving the IDPP certification demonstrates your knowledge of how to build, run and assess an effective and agile data privacy programme.

The panel of speakers were:
• Kevin Shepherdson, CEO and Founder of Straits Interactive
• Carole Switzer, Co-Founder and President of OCEG
• Lyn Boxall, Privacy Lawyer at Lyn Boxall LLC
• William Hioe, Regional Head, Consultancy, Straits Interactive

To learn more about data governance and data protection certification programmes, including local and international advanced diploma programmes, please visit our Courses page on the DPEX Network portal. You can also find out more about the IDPP Hands-on course there.

To watch the webinar in full, please sign up to be a DPEX Network community member, log in and visit the Events section on dpexnetwork.org, where the on-demand recording will be made available in two weeks following the webinar.

What is the Integrated Data Privacy Capability Model and why is it needed now?

Prior to the Covid-19 pandemic, awareness about data privacy principles and data protection regulations had been rising, as hacks and data leaks were becoming a growing trend.

Three of the panellists, Shepherdson, Boxall and Hioe, who are co-authors of the IDPM, had also co-authored the book, 99 Privacy Breaches to Beware of, which offered practical data protection tips from real-life data breaches, and was endorsed and used as a reference for operational practices by regulators around the world.

From their experience writing the book and observing that more countries and regions are introducing data protection regulations, and as data protection practitioners and consultants, the trio saw the need for a new standard.

“We hear lots of stories, we see lots of headlines in the papers about state-sponsored, sophisticated cyber attacks [causing the rise in breaches], but more often than not, it’s really just something that’s been done carelessly by a staff or even a disgruntled employee,” said Boxall.

This new standard, the IDPM, would empower data privacy and governance professionals with an integrated skill set that builds data protection capabilities on top of the body of knowledge developed by OCEG and known as GRC (Governance, Risk and Compliance).

“What really compelled us to write this book [and later the IDPM] was the fact that we ourselves as consumers have been at the receiving end of companies that don’t treat our personal data in the proper manner,” said Hioe.

“We’ve also found that many DPOs tend to focus on complying with the law from a legal rather than operational point of view. Different functional groups and people on the ground do not know how to operationalise the law and principles into their day-to-day operations. We hope this model [IDPM] can address this gap.”

Shepherdson added that, globally, the “reset button is being pressed on privacy.”

“We have new data protection laws in many countries, and existing laws are also being amended,” he said. “As we see this happening, there will be more demand for data protection expertise and especially a demand for data protection officers, or DPOs.”

The trend of digital transformation, and shifting from data protection to data governance

Shepherdson also noted that in the post-pandemic era, with the current bleak economic outlook, many businesses are struggling to survive and may be focused on digital transformation, not data protection.

“We think that data protection will move towards data governance, where organisations’ efforts should not just be in reducing the risk of data, but also in increasing the value of data because it will be used more for decision-making.”

Switzer shared that when OCEG first developed its GRC Capability Model, it became clear that bringing together, standardising, and integrating compliance efforts was not sufficient. What was really needed was something that would drive “principled performance”, which is the ability to reliably achieve business objectives while addressing uncertainty and acting with integrity.

The new IDPM builds upon the GRC model and its emphasis on using a clear set of processes, a model to monitor the internal and external environment, to learn stakeholders’ concerns and use this knowledge to define goals and align them to business objectives.

“Taking the procedures and thought processes that you develop when you understand the GRC model and applying it in the data privacy or data governance context is really a critical step in having success… and in gaining the support of business executives at every level in the organisation. This is why we call it an integrated approach.”

How does the IDPP complement existing certifications?

Addressing the privacy professionals in the audience, who may have internationally recognised data protection certifications such as CIPP, CIPM or CIPT, Shepherdson highlighted the difference between legal and operational compliance.

“When you look at everyday privacy practices, you’re actually governing personal data. If you’re looking at managing risk as it relates to personal data, to comply with laws, the GRC aspect is actually missing,” said Shepherdson.

“So you may carry the ‘DPO’ title in name, but you might not necessarily have the practical knowledge to put together and enhance a data privacy or data protection management programme.”

Meanwhile, for GRC professionals, such as those in audit, human resource, legal or risk and compliance roles, who may have the GRC Professional (GRCP) or GRC Auditor (GRCA) certifications, the Integrated Data Privacy Professional or IDPP certification would be ideal, in the sense that it would set them on a roadmap to go into the privacy domain.

Hioe added that organisations run into trouble when DPOs cannot convince their business colleagues that policies and practices to safeguard data are a priority.

“They think that data protection is a compliance or risk management person’s job and say, ‘Don’t disturb our sales or business people,’ because they don’t have the GRC perspective to explain to colleagues that this is important. When you marry the two [perspectives, data privacy and GRC], you are actually working towards enhancing business objectives,” he said.

Shepherdson stressed that the IDPM was developed to help professionals demonstrate accountability, when it comes to complying with data privacy laws, as well as support the GRC perspective so as to achieve business goals in the modern data-driven context.

“We actually put down a step-by-step guide which is missing in other certifications. They may give you the broad framework, but they don't give you the flesh and the meat. You could literally go to the appendix of the Integrated Data Privacy Capability Model and follow each step and adapt them for your organisation!”

A hands-on programme with a capstone project on the way to IDPP certification

Switzer said that the IDPM, like the GRC model, was an open-source model that could be downloaded, free of charge, from the OCEG website’s Resources section.

She also added that those interested in attaining the IDPP certification could simply sign up as an OCEG member for free, before getting an All Access Pass (with an annual subscription of US$399) in order to take the certification exam.

While anyone can take the online exam via OCEG’s website by studying the model, and armed with their own experience in their respective domains, the panel also shared about a new preparatory course offered exclusively by Straits Interactive, OCEG’s global training partner for the IDPP Exam.

The hybrid IDPP Hands-on course launching in 2023 has a duration of three weeks, with e-learning modules and regular “live” training sessions included. It would also offer continuing professional education, or CPE, points that would count towards maintaining one’s professional certifications.

“The hybrid course is very hands-on and it gives you knowledge not just to pass the exam, but allows you to apply [the principles] in your organisation,” said Switzer.

Shepherdson added that all course participants would be asked to do a capstone project with instructor feedback “so that by the time you have completed the course, you would have already started on something that can be adapted by your organisation.”

Questions about the new IDPM and the associated IDPP certification

The panel ended the webinar with some final words of advice for the audience on the steps they can take to adapt the IDPM for their organisation and to themselves attain the IDPP certification.

The questions included:

• Is the IDPP suitable for someone who just has basic knowledge of data privacy?
• How is the GRC approach in the IDPM different from the ISO 31000:2018 standard?
• If someone has existing data protection certifications, how might this add value?
• How can we implement customised training according to roles within the organisation?
• In which jurisdictions are dedicated DPOs needed?

*Disclaimer: Not all Q&As can be reviewed in the webinar recording as some were answered LIVE in the chat box during the session.