A new master in privacy and cybersecurity
Six months after its introduction, companies and other organisations are still grappling with the new EU privacy law. And they’re beginning to feel the need for a new type of manager to steer the process within their organisation. Enter the European Centre on Privacy and Cybersecurity. As of next year, ECPC will be training tomorrow’s data protection and cybersecurity leaders as part of a new master’s programme at Maastricht University, the Advanced Master in Privacy, Cybersecurity and Data Management.
“Protecting privacy doesn’t happen overnight, it really requires a cultural change within the entire organisation,” says Cosimo Monda, director of the Maastricht European Centre on Privacy and Cybersecurity. “People manage personal data at different levels within organisations, but they’re often blissfully unaware of the rules.”
For this reason, ECPC tailors its professional training, workshops and certification courses to individuals in a variety of positions within organisations, from general staff and middle management all the way up to top management. The key message: “privacy and cybersecurity rely on experts that possess a broad skill set and are able to effectively communicate beyond disciplines and with stakeholders within and outside of their organisation.”
Monda has observed that companies and organisations are slowly coming round to the idea that protecting privacy and data is a lengthy and ongoing process, that cybersecurity is part of the equation, and that having a specially assigned data protection officer is simply not enough.
A new breed of privacy and cybersecurity managers
Privacy protection is not just the DPO’s task, Monda reiterates. “It’s really a team approach, covering all layers within organisations.” This has created the need for a new professional figure: a new breed of privacy and cybersecurity manager who can remodel the organisation, bridging both privacy and cybersecurity and viewing this task through an interdisciplinary lens. “Because when we talk about cybersecurity, it’s not only about protecting individual data, but also business information, which is a related issue.”
With the advent of new technologies such as artificial intelligence and interconnected devices, this new type of manager will play a key role in managing both people and machines. Monda: “For us, such an individual is the person primarily responsible for processes within the organisation. They’ll decide on questions such as: do I need more people or do I need more machines, should I automate certain processes using algorithms, what will be the impact of those algorithms on the private lives of individuals? Don’t forget that more and more crucial decisions are now taken by automated means and that your life can be decided by a machine. Mortgages and insurances are normally decided by an algorithm which determines your economical credibility, based on your personal information. This may include your genetic data, which could affect your relatives as well.”
The Data Protection Officer
The DPO is appointed by public authorities or bodies and private organisations carrying out certain types of data processing activities. It was one of the provisions of the General Data Protection Regulation (GDPR), which came into effect on 25 May. Some other organisations have appointed a DPO voluntarily.
The data protection officer must be independent, adequately resourced and an expert in data protection. Tasks include:
- monitoring internal compliance with privacy rules;
- acting as a contact point for data subjects (a fancy term for citizens or consumers) and the supervisory authority;
- reporting to the highest management level.
Since it started two years ago, ECPC has certified over 500 DPOs through its specialised training courses.
All this goes far beyond the scope of the current Data Protection Officer, whose primary task is checking compliance with privacy protection rules like the GDPR. The new breed of privacy and cybersecurity managers will cover more ground, overseeing processes within the entire organisation. They will bridge the divide between hard skills such as legal, IT and management, but they must also be equipped with the necessary soft skills. These individuals should act as agents of change in the organisation, aiming to ensure that the growing digitisation is marked by ethical use of data. In this context, data protection should also be viewed as a Corporate Social Responsibility.
“The common perception within companies and institutions is that data protection is essentially a legal matter,” says Monda. “But if you talk with IT, they’ll say it’s a matter for IT staff. In the end, the manager has to decide because the DPO is not responsible for the processing operation, he’s simply monitoring compliance, and the manager can overrule the advice of the DPO.”
New Executive Master in Privacy, Cybersecurity and Data Management
The new master’s programme will start next year (2019-20). It is called the Executive Master in Privacy, Cybersecurity and Data Management, and admission requires a bachelor’s degree, says ECPC Project Manager Joyce Groneschild. Reflecting its interdisciplinary curriculum, the master is given in partnership with the Department of Data Science and Knowledge Engineering and includes elements of the leadership programme of UMIO, the executive branch of Maastricht University School of Business and Economics.
Groneschild: “The new master’s programme is designed for people in leadership positions. Those with a legal background must follow two weeks of computer science before they start the programme. Conversely, IT staff must follow two weeks of European law and legal training, because this new type of manager will need to have knowledge of both worlds in order to be able to connect them.”
Massive skills gap
The ECPC believes that its new master’s programme may help fill a huge gap in the European market. A recent report says the EU faces a projected cybersecurity skills gap of 350,000 workers by 2022.
“This is a massive number and it’s a big issue,” says Cosimo Monda. “And the question is: what is the skill set required of a cybersecurity expert? Nobody knows. The European Commission is currently formulating the scope of such a profile, however, there is still no final consensus. This is where a centre like ours comes in, because we are the frontrunner in the sense that we serve the immediate needs of the market by providing knowledge, a strong methodological approach, and by certifying people.”
The ECPC team hopes to obtain the accreditation soon. “We’ll start marketing the programme at the start of next year, January, February. The pre-courses for lawyers and IT staff will start next July, before the new programme starts in earnest in September 2019.”
The programme will be given by the same teachers as the ECPC certification courses and also by people from outside. One of the teachers will be UM Professor Paolo Balboni, a top-level ICT, privacy & data protection lawyer and founding partner of international law firm ICT Legal Consulting. He says the new programme will offer a “kind of disruptive approach” as organisations need to change their culture and “become more mature with respect to comprehensive data management”.
Lately, they’ve become more aware of the urgency of bridging the cybersecurity divide between legal and IT staff, Balboni says. “We’re not expecting to be fully booked from the start, but the potential demand is immense. I’m a business lawyer by profession and we basically have multinational companies as clients and more and more you find yourself in this discussion about legal and IT. In many cases, I think it’s only a matter of time before the board or the CEO oblige these two parties to try to communicate better, simply because there’s a lot of money at stake.”