How to Transition into a Legal Privacy Role

Privacy seems to be the hottest new field opening up for both lawyers and non-lawyers, and one that is an equal playing field between genders. Studies show that this market will need between 28,000 and 75,000 new privacy professionals in 2018, mainly in response to increasing privacy regulations in Europe. But where does a company find a skilled privacy officer? Three current career fields are showing a transition trend into privacy: law, compliance, and information security.

Each field has similarities and key differences in skill sets, and all have areas that need to be developed to make a good privacy officer. Each field contains industries or markets that may assist someone in changing roles. In addition, as an individual, how do you pitch yourself (or someone for whom you are advocating) for a new role?

Often, lawyers who are interested in moving to a privacy role may come from a legal, compliance, or, in rare cases, an information security role. But even if you are not interested in a new focus, how do you help guide your company in considering a person who is looking to transition? As in-house counsel, you may be in a key position to influence the job expectations and description and perhaps even the hiring. Let’s look at each of these three fields.

Legal

With the right resources and background, a traditional legal role can be a natural shift into privacy. To start, seek companies where your experience would lead to a privacy role. A litigator, for example, may work at an insurance company in a litigation role, and work with privacy issues. This then strengthens your experience with privacy law.

The same can be found for nearly any specific legal field: Begin by finding a company with privacy issues. In the United States, this would involve healthcare, education, and finance. It can also be a global company with business in privacy-intense regions, such as Canada, Europe, Asia, and Australia — especially Europe, considering the current regulatory environment. Once you are in a company where data is a daily matter, you will start learning privacy issues.

Compliance

The compliance area already overlaps and encompasses privacy to a large degree. Controls required under Sarbanes-Oxley Act (SOX), human resources, medical device, clinical research, healthcare, education, worker safety, workers’ comp — all involve privacy at some point. Often privacy sits within the compliance department, so this may naturally foster an environment open to changing to a more privacy-centric role.

Many companies have a single privacy and compliance officer, as opposed to assigning one person to each role. It is not uncommon to see lawyers working in a non-legal compliance role, and evaluating someone with compliance experience is relatively simple. The individual may need to learn more privacy-specific rules and range, but compliance is compliance. However, not all compliance lawyers can transition into privacy. Some are so focused on specific compliance laws that they cannot see the bigger picture of personal data privacy compliance.

Information security

This field is critical to bridging the gap between technical controls and privacy concepts. For example, a key concept in the information security field is the triad that we aim to protect: confidentiality, integrity, and availability (CIA). The technical requirements that apply to privacy also apply across industries and countries with disparate privacy laws. For example, several critical security controls and policies easily shift into a more privacy-focused role, such as understanding encryption, data classification, data loss prevention, and risk assessment.

To move into privacy or to absorb privacy into security, partner with internal privacy professionals. If there aren’t any, this is an excellent opportunity to identify the necessity, present the risks to management, and recommend a solution. Many companies are progressing toward a more comprehensive privacy and security position or a data protection officer role. However, your technician should not think in binary terms. Though concepts overlap, privacy is rarely a concrete consideration. Security does not outweigh privacy, but neither does privacy outweigh security. This person needs to understand and value both.

Certificates

For each of these fields, certifications indicate an individual’s willingness to learn new information and showcase their diligence through continuous education. While they do not provide practical experience, these certificates do offer a broad understanding of the various areas.

Some common certifications focus on privacy: the CIPP in specific regional privacy laws, along with certifications in privacy program management and privacy technology, all of which are from the International Association of Privacy Professionals (IAPP). There are also certifications specializing in information security, the CISSP or CISM (from ISC2 and ISACA respectively), as well as Healthcare Privacy and Security from AHIMA.

In compliance, there are several through the Society for Corporate Compliance and Ethics. Lastly, there are a multitude of industry certifications in privacy, records management, and compliance particular to those industries.

Approach

If you are in one of these positions and want to transition into a privacy role, make the case to your employer. Learn the materials and identify the need. Build the business position and show how the role contributes to the overall goal of the business — whether it is satisfying customers, complying with law, or becoming a market differentiator. If there is a position available that you want, show how your experience translates into privacy, and explain how it adds value to the company that might otherwise be overlooked in the job description.

And if you are on the inside evaluating candidates or writing the job description, consider the skills you need the person to have, the skills that you want them to have (whether they gained them in the privacy world or not), and what skills can easily be learned. Do not be afraid to search outside the current privacy practitioners, as it appears the demand is much higher than the supply.

About the Authors

K Royal is a technology columnist for ACCDocket.com, and director at TrustArc. @heartofprivacykroyal

Kristy Westphal is senior manager of Security Tools at Charles Schwab.