More than anything, the GDPR has exposed the limited number of pathways into becoming a privacy professional

The Closed Club Since starting my career in Data Protection I have always noted that it is relatively lacking in youth and a bit of closed club. I once put the question to a relatively senior member of the ICO at a conference, asking if there were any initiatives to draw in graduates over a mediocre sandwich.

I was told that the ICO simply wanted the right people for the job and that university degrees did not preclude an individual from having the necessary ability. I nodded in polite agreement but privately I thought that I had been fobbed off with a nothing answer.
Nowadays on my LinkedIn, which was once a useful source of knowledge, information, feedback and advice provided by a network of savvy and experienced individuals and thus an incredible tool for my professional development, there is an overwhelming collective moan (from a bubble of proud “professionals but don’t call them experts”) directed at perceived “snake oil salesmen”, who seem to have only jumped on the bandwagon to make a quick buck. Recently this has been accompanied by a general sneer at the array of new courses which have sprung up offering to make you a DPO or star, whichever takes your fancy, overnight.
My only issue with this (besides that at this point the moaning is just beating a dead horse so to speak) is that the path to entering this sector is almost non-existent. People want these courses as currently there is no clear path to entering this industry and they want training and a respected qualification; in my mind that is a noble goal. On the flip side of this are those who operate without such courses, or any real desire to learn, who seem to be trying to make a quick buck as there is no real regulation or proper certification to stop them. Both problems arise from the same fundamental issue.
This has all been exacerbated by the creation of the mandatory DPO role in certain circumstances. It has been estimated that this will create a minimum 28,000 DPO jobs around Europe . As far as I am aware this analysis did not take into account all the other roles which are being created as Data Protection becomes more mature as a discipline (a study has stated that approximately two-thirds of UK firms are hiring permanent employees relating to this area, I personally think such a figure is a little too high to be realistic ). Therefore a whole host of positions are being offered by organisations.
And to make things even worse, the ICO is struggling for people too! To cope with the GDPR, the ICO will need to hire an estimated 200 new employees , but also face challenges as they cannot afford to retain their current employees who would much rather turn to the private sector and earn more . Despite this, as far as I am aware there is still very little in the way of outreach to notify young people of this sector. It also seems as if the ICO is falling into that very British problem of wanting experienced staff but not wanting to develop said staff (a situation which has been exposed nationwide by Brexit, but I won’t go into that…)
Simply put, the market demands more people now.

My experience and the difficulties of everybody hiring a lawyer as DPO
So, naturally the question arises as to where are all these people going to come from and how will they get informed of the merits of a career in data protection?
To begin with, I have seen some commentators state that the role of a DPO may only be carried out by lawyers. This is something I want to quash, as in my mind that is a nonsense, as if that is the case then firms will face massive recruitment difficulties. There are not many firms who have practices dealing with data protection and the route to becoming a trained solicitor who specialises in data protection has been limited. This is because traditionally data protection has just not been an earner. The path to becoming a qualified solicitor is competitive, expensive and takes a number of years. Most legal teams I have spoken to have had only a fleeting interest in GDPR.
My personal experience of joining the sector serves as an indication of how haphazard it can be to become a privacy professional. As a law student I was only made aware of the exciting potential of the sector by chance after browsing my university job site and seeing an internship asking for law students during the summer of my second year of university. I am still thankful that I had the chance to speak to professionals during this internship who spoke of the merits of joining the sector.
This internship was offered only to law students, despite the fact that at no point during my undergraduate degree was data protection covered in any of our modules or even mentioned (Cue me reading the DPA 1998 about fifty times over to make sure I could actually perform my internship properly!). Nor were we offered any insight whatsoever into the area as a career path (something which will be changing at my old university). Instead most law students were attending career events where they wined and dined with commercial lawyers and dreamed of going to London. If you search for the number of universities offering undergraduate or master’s degrees in privacy law or the likes, you will find very few results emanating from the UK.
In the end I was also lucky that head of sales at Data Protection People managed to headhunt me and offered me professional development as a graduate in a graduate role, allowing me to shady some of our more experienced consultants and putting me toward training such as the PDP qualification where necessary (And I am not done yet!) This all helped take a fleeting interest in data protection developed over an internship and turn it into a career. All of my old classmates have instead gone on to become solicitors/paralegals having competed for training contracts.
So when I see firms advertising for experienced lawyers to join them as DPOs, with fifty billion years experience in the role required as minimum, I simply put into google “Training Contract Data Protection” and laugh at how few firms will be training these lawyers to fill this role (Hint: the number was zero when I last looked).

Informing the masses
So if not lawyers, then who? (Please note, I am not ruling out lawyers, they are great, and fantastic lawyers in this sector do exist and for some firms may be absolutely necessary. However until we get cloning technology perfected then we cannot rely on them to fill all these new roles and who would want to clone a lawyer anyway?). Will it be trained Auditors, ex-IT professionals etc?
Well the answer is simply that there are a multitude of skills involved in the role and as other commentators have already stated, experience and knowledge relative to the role can be gleaned from a variety of backgrounds who could all make good DPO’s.
But the question is: how do these people with these skills and useful experience know about this all? Who recruits them and trains them to fill in their knowledge gaps so that they can deliver properly in such a role?
Will this come from all the scaremongering of £17 million and 4% of your global annual turnover? Will it come from an IT vendor calling them up trying to sell you his incredible new software that means with their software they somehow become GDPR compliant AND somehow devilishly handsome AND it cleans all of their dishes! Or will it come from a recruiter glancing at a CV, seeing data and trying to set them up as DPO to a large multi-national bank.
My answer in all honesty is that I do not know. However this incessant moaning is becoming a bit tiresome. It is good to be proud of one’s work, and for humans there is always a value in being ahead of the curve (Having experience working under the DPA 1998 is almost akin to liking a band before they got big and “sold out, man”). But in my experience as a young, recent law graduate I had to practically stumble my way into the sector and for this I am thankful for the organisations who gave me an opportunity, training and guidance and I am glad that at Data Protection People that we are continuing to train younger more inexperienced employees as well as hire experienced heads (and not just because it means I have someone to talk to about things besides bake off and “the kids”!)
But besides these organisations (and another consultancy who contacted me to gain insight into my experience as a law student, I wish you the best of luck in recruitment!) I can see very few young faces being offered such an opportunity or any clear route into joining the industry from elsewhere (especially when all training courses are lauded). And if that is the case then we will still have to put up with the snake oil salespeople forever, or perhaps become more accepting of these courses and programmes. Or, maybe (shock horror) the industry could make strides to actually inform younger people of how exciting data protection is with GDPR (and the privacy regulations) on the horizon and all the emerging technology and business practices out there! I know I appreciated it when the information was given to me.
Speaking of which, Data Protection People is looking to hire keen Legal graduates and those with experience working in privacy roles and develop them into consultants or trained auditors. If you are interested, please do not hesitate to get in touch.

  1. https://iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/
  2. http://www.decisionmarketing.co.uk/news/gdpr-fuels-major-recruitment-drive-at-uk-businesses
  3. https://iapp.org/news/a/uk-ico-to-expand-by-an-estimated-200-new-employees/
  4. http://www.decisionmarketing.co.uk/news/ico-recruitment-drive-hit-by-scramble-for-gdpr-experts