Data Protection Practitioner Vs. Lawyer

Over the last nine months, the number of Data Protection Lawyer roles we have worked on has risen significantly and as such there has been a drop in Data Protection Practitioner roles. 

In the last month, 80% of the roles I have worked on have been Data Protection Lawyers and only 20% Data Protection Manager positions. This is a significant shift from this time last year and it begs the question: why?

Looking at most of the job specification calls I have received over the last six months, the roles have been screaming out for someone who has practical, hands-on experience of embedding a privacy programme.  However, companies seem set on hiring qualified lawyers into these positions and are missing out on exceptional talent by narrowing their search to just “a qualified lawyer only”, when in fact their job specification states that they are looking for operational application combined with legal understanding. 

It seems that we are seeing an increasing stigma around firms needing a qualified lawyer to be able to interpret the DPA, GDPR and CCPA laws. Along with this, hiring managers seem determined to combine both the legal and operational aspects, asking for lawyers to draft policies and procedures, negotiate and re-write contracts and clauses, as well as manage Data Privacy Impact Assessments and erroneous Data Subject Access Requests. 

This isn’t to say that there are not lawyers out there with this blended skillset who can and want to do this role, but as we have discovered, they are few and far between. When you have the resources available to lean on a wider legal team to provide support with contracts, why would you cut out a large proportion of highly capable Data Protection talent?

Alongside this, we are seeing a shift in the market with Data Protection teams ‘re-branding’ and moving into legal teams. This is having a knock-on effect and is perpetuating the notion that Data Privacy professionals must be lawyers.  

There is no “perfect fit” as to where the Data Protection function should sit within a business. For example, in a large insurance broker we recently worked with, the function sat within Compliance, and yet in a multinational retailer, the function sits within the Risk department.

We questioned a number of Privacy professionals, both legally qualified and not, and all concluded that if the interpretation of the law is made clear and value can be added to the business, the job could be done either way. Most importantly, our contacts stressed the need to work in partnership, with lawyers and practitioners working together to understand the law and apply it in a pragmatic and logical way. 

As the ICO states, “the GDPR says that you should appoint a DPO on the basis of their professional qualities and in particular, experience and expert knowledge of data protection law”.

Researched, Written and Edited by Lauren Webber and Sofia Moura Da Luz

Topics: Insider, Legal, Data Privacy & Information Security

March 30, 2020