Before the General Data Protection Regulation (GDPR) became official in May 2018, I heard a similar story from many CISOs. Data privacy programs were legal exercises focused on data classification and governance. Yes, there were security angles around compliance, DLP, and incident response, but legal had oversight around which data was considered as private and what could and could not be done with sensitive data.GDPR changed everything. Data privacy was no longer a background legal project but rather a set of business-critical processes, and this impacted the cybersecurity team.\u00a0 CISOs were asked to utilize their operational expertise to help operationalize data privacy programs.\u00a0Not surprisingly, CISOs dragged the cybersecurity team along for the data privacy ride.\u00a0 According to a recent research report from ESG and ISSA, 40% of cybersecurity professionals surveyed say the cybersecurity team has taken a significantly more active role around data privacy over the past 12 months, while another 44% claim that the cybersecurity team is somewhat more active around data privacy during this timeframe. (Note: I am an employee of ESG.)Now, it\u2019s important to remember that cybersecurity pros are not exactly waiting around for things to do. In fact, the research indicates that 74% of organizations have been impacted by the global cybersecurity skills shortage, resulting in an increasing workload for the infosec team. Add data privacy responsibilities to the list.\u00a0Piling data privacy responsibilities onto an already-overwhelmed cybersecurity staff comes with some risk. To mitigate this risk, cybersecurity professionals should receive appropriate data privacy training, roles and responsibilities should be well defined, all data privacy processes should be documented, and the cybersecurity team should have the proper data analytics tools to monitor program successes.Cybersecurity staff aren't getting needed data privacy trainingUnfortunately, the cybersecurity team isn't getting those things. The research indicates:23% of survey respondents don\u2019t believe they have received the right level of training for their tasks related to data privacy.21% of survey respondents don\u2019t believe that the cybersecurity team has been given clear direction around their responsibilities for data privacy.17% of survey respondents believe that the cybersecurity team is generally uncomfortable with this new data privacy responsibility.Too often, privacy and security are thrown in the same bucket. That is a mistake. Data privacy is all about data classification and life cycle management of sensitive data (i.e. who can access it, where it should be stored, how it should be destroyed, etc.).\u00a0 Alternatively, security teams are responsible for building, maintaining, and monitoring walls around sensitive data.\u00a0Yes, GDPR and the impending California Consumer Privacy Act (CCPR) will bring security and data privacy closer together, but this merger should be done carefully, not haphazardly. The ESG\/ISSA data demonstrates that there\u2019s a lot of work ahead to bring data privacy and security together in a way that mitigates risk and doesn\u2019t disrupt ongoing processes.\u00a0The ESG\/ISSA research report, The Life and Times of Cybersecurity Professionals, is available for free download here.