Does it make sense to make a career move from law to data privacy?
What exactly is data privacy? According to the Free Dictionary, the word “privacy” is defined as “The state of being free from public attention or unsanctioned intrusion.” In other words, data privacy in a nutshell is keeping our information free from “unsanctioned intrusion” or, simply stated, unauthorized access.
How do we define what an “unsanctioned intrusion” truly is? For this we need a standard or government law that applies a specific definition. In view of this, data privacy and the law are intrinsically related. In order to have one, you must have the other.
An attorney has the great advantage of not only having a deep understanding of the law but being able to speak to its application in different circumstances. This is highly valuable, since there is no shortage of unprecedented ways of accessing information in today’s day and age. Adding various other factors to the mix — the internet, foreign countries, governmental legislation (local and abroad), cultures, social media and so on — all point to the need to examine different scenarios from a legal standpoint.
In connection with this thought, examples of governmental legislation shown below demonstrate the need for legal comprehension:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Homeland Security Act
- Federal Information Security Management Act (FISMA)
- Consumer Data Security Notification Act
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley Act
Some legislation even enforces certain items, such as having company policies that define the expected behavior of employees and business practices. When creating these policies, an information security professional may draft an initial version, but once created, they need to be vetted by the company’s general counsel’s office. This is another example in which a legal background is helpful.
In the case of GDPR, this legislation mandates the appointment of a data privacy officer (DPO) if the company in question meets certain criteria. According to Section 4, Article 37 of the regulation, a DPO must be appointed if the organization:
- Is a “public authority”
- “Monitors data subjects systematically” (such as forms of tracking and profiling EU citizens in connection with targeted marketing)
- “The activities of the […] processor consist of processing on a large scale sensitive personal data of EU citizens revealing race, ethnicity, politics, religion, genetic data, biometric data, sexual orientation and personal data relating to criminal convictions and offences.”
In describing the required credentials of the DPO, the regulation goes on to state, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices […]”.
Commenting on this, an article by PricewaterhouseCoopers stated, “Data protection has historically been a legal function in Europe. Because […] legal knowledge will be a critical success factor for DPOs, many companies headquartered in Europe are placing the DPO in the legal department.”
In the case of American multinationals, the article mentions that these have a different approach for this responsibility and lean towards placing this role in departments such as Internal Audit, Ethics and Compliance or Enterprise Risk Management. Although this is the case, the article also states that “If companies place their DPO in internal audit or other independent function, the DPO should have appropriate legal knowledge.” This creates certain opportunities for attorneys looking to make a change into the data privacy realm, as their legal expertise would position them for potential success in this role.
What type of opportunities exist?
Regarding the potential demand for this role, The International Association of Privacy Professionals estimated that 28,000 new DPOs would be needed in Europe and the US once the regulation took effect and 75,000 worldwide. Since that estimate was published back in 2017, the IAPP has revised this number in a new study which shows that an “estimated 500,000 organizations have registered DPO’s across Europe” alone.
This information clearly shows the explosive growth in this type of role as well as the needed requirements. Any attorney considering a move into this type of role would do well to take training in information security. This would help the individual be effective and thoroughly understand the diverse ways that technology enables data dissemination.
According to PrivSec Report, there is a discrepancy seen between the salaries being paid to U.S.-based DPOs over their European counterparts. Additionally, the Chief Privacy Officer title was more common in the U.S.
The PrivSec Report goes on to pose an interesting question: “Might the GDPR’s requirement that the ‘data protection officer shall directly report to the highest management level’ eventually help more EU privacy professionals rise to the C-suite over time?”
The question above is interesting because it shows that the position is still in a state of development. Worldwide organizations are becoming familiar with this regulation and adjusting accordingly. Whether or not someone is considering this change, the point was neatly summarized in the PrivSec Report article: “The importance of the DPO cannot be overestimated.”
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), EUR-Lex
- 10 considerations to help position the GDPR data protection officer for success, PricewaterhouseCoopers
- Study: GDPR’s global reach to require at least 75,000 DPOs worldwide, IAPP
- An estimated half a million organisations have registered DPOs across Europe, study reveals, PrivSec Report