FourthLine have taken a look at Data Privacy hiring activity 6 months on from GDPR-implementation.
In the build-up to the introduction of the General Data Protection Regulation (GDPR), we saw an unprecedented level of data privacy related hires as organisations prepared for the new regulation and rolled out their GDPR programmes. For many organisations this meant new roles were created in the form of Data Protection Officers.
Whilst we continue to see some organisations bringing in a dedicated DPO for the first time, many are now able to build out their privacy functions. DPOs have been in the role for 6 months plus and the change team’s contracts have finished, so there is a requirement for extra permanent team members to help run business-as-usual operations. A standard team set-up we’re seeing is that of a three-tier function; with one member (typically the DPO) focused on strategy, another (data privacy/protection manager) implementing the strategy across the business and a third (business analyst) dealing with risk assessments, subject access requests and other BAU procedures. As such, we’ve seen an increased demand for these manager and business analyst level roles.
Beyond that the market has settled, with many happy to stay in their current positions unless an outstanding opportunity presents itself. This was very much to be expected, with many DPOs only a short time in the role and just starting to receive extra budget to work with. Plus, many will want to see out the successful implementation of projects they have started. Some organisations have struggled to bring in a full time DPO, in which case many have created a dual-titled role such as Privacy and Compliance Manager.
One area we’ve seen an increase in demand for is privacy lawyers, with organisations requiring someone with experience of reviewing contracts alongside other privacy-based duties. This has come about due to the actual commercial requirements that companies face whilst implementing and abiding by the regulation.
We’ve also been engaged to resource on behalf of several US-based companies who are looking for a UK or EU based presence so that they can more closely align their data protection strategies. Although scheduled to leave the EU in 2019, the UK has been chosen as the location for these roles over mainland Europe as it will be in a good position to sit between the US and the EU.
Across all sectors in which we recruit, we’re seeing a distinction between whether organisations want somebody with B2B or B2C experience depending on the type of business they conduct. This is due to the different ways in which consumer data is understood and the requirements of personal data vs that of a business. Multi-jurisdictional experience is also highly desirable for organisations, particularly exposure to privacy laws in places such as Japan and Singapore.
With so many new data privacy roles created, we’re increasingly seeing experts moving from other sectors to take up positions. Those who hold records management compliance roles within the public sector are commonly moving into data privacy roles, where they are trained on the job by the DPO or Data Privacy Manager. Likewise, we’re seeing people move from the legal sector into in-house privacy roles, with paralegals or newly qualified lawyers being pulled across.
Next year we expect see more business-as-usual activity with the hiring of managers and analysts. Organisations will continue to build out their privacy functions, and firmly establish them as part of the overriding Information Risk structure with privacy teams sitting alongside and working effectively with compliance, information governance and information security teams.
