Whether you are a recent law school graduate or have decades of in-house experience, consider becoming a privacy expert or adding privacy expertise to your satchel of skills. Experienced attorneys often ask me how to move into privacy. And with good reason — the privacy field is growing fast. In 2017, the International Association of Privacy Professionals (IAPP) estimated that Europe’s new data protection law would generate 75,000 new privacy roles for data protection officers (DPOs). In 2019, the IAPP posted that over 500,000 companies had registered a DPO with the regulators. That does not take into account the new privacy officers for companies that were not required to appoint DPOs.
The concept of privacy overlaps with any business that uses personal data, even personal data not associated with names. To successfully transition into the privacy field, every aspiring privacy attorney needs to have three attributes:
- Flexibility in thinking;
- Ability to leverage communication, technology, and problem-solving knowledge and skills; and
- A passion to help people.
Flexibility in thinking is required because privacy law is not a settled or long-established field. There is a lot of gray area in how to approach business endeavors, maximize the use of personal data, and yet stay within the legal boundaries. Penalties are not just monetary (or criminal in some cases), but also pose risks to the business. Regulators can prohibit a company from doing business in a particular region or in particular activities.
Leveraging communication, technology, and problem-solving means bringing your business expertise to the law. As in-house counsel, you are already required to be business-savvy, but functioning in a role that few of your colleagues understand or desire to engage is incredibly challenging. Your ability to influence, negotiate, and transform the conversation from a zero-sum game into mutual benefits is mandatory for success.
Helping people is a desire perhaps not absolutely necessary for a privacy role, but it is to succeed in a privacy role. Perhaps more so than any other counsel role inside a company, privacy focuses on helping the general public and individuals. You do advocate for the company and protect the company, but you do so by advocating for — and protecting — individuals.
Most other needed skills have already been attained by becoming an attorney. Notably, this includes the ability to understand complex laws, how regulations, guidance, and judicial decisions impact statutory laws, and the intent behind the law.
Being a privacy officer for a company does not necessarily require one to be an attorney. However, the sheer number of privacy laws that have arisen in just the past three or four years seem to be driving corporations toward seeking an attorney even in non-attorney roles, such as privacy officer or data protection officer.
Tips for transitioning into privacy
Engaging in social media conversation. LinkedIn is probably the best forum given its professional focus. Post news stories that are pertinent or comment on others’ posts. However, do not just respond with fluff or argumentatively. Post something thoughtful about the topic and being open about being new to the field may provide connections.
Speaking. Identify opportunities to speak on a panel with more experienced individuals. Often, organizations (including ACC) will solicit volunteer speakers and then assist in placing volunteers on a panel or open to pool up to organizers to review applicants. You may also be able to speak on company webinars for services or products your company uses, such as data discovery providers or contract management software companies. In addition, your local or state bar may have less competition for speaking opportunities.
Writing. Similar to speaking, many organizations welcome new writers. But come prepared with a topic and be educated on the subject matter. You do not need to be highly experienced in a topic to write on it, but you do need to be accurate. Given the wide range of undefined practices and law in privacy, accuracy typically rests in the black letter of the law and regulatory actions, such as investigations, opinions, or enforcement.
Get certified. With the number of privacy laws being passed, our communities need some way to identify knowledgeable individuals. Certifications are one way of gauging knowledge. The IAPP offers various certifications as do other industry groups.
Make connections and network. LinkedIn is recommended here as well, but it doesn’t have to be restricted to online connections. The virtual events that are currently prevalent are a good route to make connections, and then once in-person events return, take advantage of those to connect to privacy professionals — both attorneys and non-attorneys.
Join and be active in professional associations. ACC has networks dedicated to privacy, such as the IT, Privacy, and E-commerce Network or the Data Governance Network. Join and be active. Also look at the IAPP, sections of your state bar or local bar, and national legal associations.
Take privacy law classes. Often, law schools will allow practicing attorneys to join law classes for no credit. Check if the one near you offers classes, or if there is an online course you can join. These tend to bring in real-world examples and practical experience.
Leverage your experience. As mentioned above, almost all legal fields involve personal data at some level. That can serve as your entry point to the field. For example, if you are a litigator, search for jobs that involve both privacy and litigation, such as insurance defense. If you are an IP attorney, look for a company whose products process personal data extensively, especially sensitive personal data such as medical devices, fitness trackers, or contact management systems.
Hopefully, these tips will help. Please feel free to reach out to me directly or connect through social media (listed with my bio below) if you have any questions or want insight into a specific role. Recently, one of my former law students contacted me about a job he wanted to apply for, but as a new attorney, he felt he did not have the qualifications. As he read the job requirements, he absolutely met them other than hands-on experience. Frankly, having a law degree and having taken privacy law courses made him more qualified than many of the privacy officers being hired. Understanding the law is critical. Understanding the world of privacy is vital.