How to Enter the Privacy Profession
The privacy profession is growing by leaps and bounds, but entering it is tricky. My law students and others frequently ask me how they can enter the privacy field. Most jobs seem to require a few years of experience, but the privacy profession is still relatively new, and getting this experience can be difficult because there are not many clear paths to entry.
Once in the field, the demand is high for privacy professionals with experience. But there is a bottleneck in getting into the club. I have written about this problem in a previous blog post.
Earlier this year, I asked several privacy professionals for their insights and advice about entering the profession. I would like to extend an enormous thank you to all who responded.
Here are some excerpts from some of the most helpful comments, which I tried my best to organize. I also edited a few slightly for smoother syntax. I decided not attributing comments to particular people because I’m not sure who would want to be mentioned by name. In addition to the comments by the professionals, I’m also including some of my own thoughts and advice too.
If you’re interested, please note that I also maintain the following relevant pages:
- Privacy Law Internships for Law Students
- Privacy Law Fellowships for Recent Law School Graduates
- Privacy Law Entry-Level and Junior Job Opportunities
I. Learning and Background
Learn the privacy and security field
Learn the field. There are a ton of great resources out there to learn about privacy law. Keep updated through blogs, LinkedIn, and Twitter. Read, read, read! The more familiar you are with what is going on, the better off you will be. Become an expert. It’s fairly easy to tell in a short conversation whether someone has a deep knowledge of the field or has just a cursory understanding. If you want to work in privacy for a living, demonstrate to people that you want it by knowing about it.
Acquire a background in technology
A number of professionals recommended acquiring a background in technology. For example, one person wrote: “I would say that anyone entering this field should have a decent background in general Information Security or at least understand the impact of Information Security in today’s rapidly evolving technological and ‘social sharing’ society.”
I have seen for myself that people with a background in technology have fared well in the marketplace for privacy positions.
A technology background does not require being a hardcore techie. Knowing enough to understand the lingo, speak to programmers, and understand where they are coming from can be a very valuable skill.
Acquire an interdisciplinary background
One professional observed: “It takes a broad understanding of several different fields – law, technology (including security), social psychology, general management.”
This comment strikes me as exactly right – privacy involves understanding law, human behavior, technology, and business. It is truly an interdisciplinary field. A privacy professional often needs to deal with other people — convincing upper management about the value of privacy and the importance of compliance and having adequate resources; training employees at all levels about privacy/security; and dealing horizontally with many different departments and personalities. Privacy professionals must understand the aims and needs of business in order to most effectively implement good privacy practices in business. Understanding technology is also key. A deep understanding of what privacy is and why it is valuable is essential — and that involves philosophy, psychology, sociology, and economics.
One person recommends that you should “take some business courses and then spend time in the trenches with different departments. Business owners and executives need someone that speak their language and have a understanding what business challenges they face with privacy challenges of collection and use.”
Attend privacy and security events
Attend privacy and security events to learn about the latest issues in the field as well as network with professionals in the field. For example, I co-organize two large events per year — the Privacy+Security Forum events. We have one event in the spring and one in the fall. Each event has about 80-100 concurrent sessions. These events are a great way to gain knowledge about cutting-edge issues and new laws and regulations.
2. Things to Do While in Law School
Do externships and internships while in school
Externships and internships provide valuable experience. I place many students in such positions, and they gain experience and connections. Sometimes these even develop into full-time employment.
In some cases, internships can be self-generated. One person recommends that people should “find a mentor and consider offering to intern to develop skills.”
Take privacy courses
One person recommends that you “look for course work in privacy to the extent available to demonstrate an interest early.”
As one who teaches an information privacy law course and has a casebook for this course, all I have to say is Amen!
Every law school should have an information privacy law course. By my rough estimate, only about 25% of law schools do. Hopefully more will start offering it soon. I don’t think many people outside the privacy universe really understand just large the field is or how dynamic its growth is.
If your school doesn’t have an information privacy law course, lobby your school to add one. You can use the information in this letter I and other academics and practitioners wrote to law deans about the need to develop more of a privacy law curriculum in law schools.
Finally, Professor Paul Schwartz and I offer a series of online courses in privacy law through our organization, the Privacy+Security Academy. We have 8 hour-long courses on various topics, including an introduction to the issues and themes in the field, privacy and the media, privacy and law enforcement, health privacy, consumer privacy, and GDPR. You can receive a certificate for taking them and passing the quiz in each.
Write and publish on privacy topics
Publishing about topics in the field is a great way to distinguish oneself. Of course, be sure to produce excellent work that reflects highly on your expertise and writing ability. One person says: “For law students, I would suggest that they try to publish their journal note on privacy or pair up with a professor at their school (or elsewhere) that is conducting research on privacy.” I have had students who wrote blog posts about privacy issues that received very favorable attention and interest from privacy professionals. Thus, writing can be a terrific way to stand out and demonstrate knowledge in the field — but the key is that quality, not quantity, counts.
Pursue a LLM
Several law schools offer LLMs in law and technology / intellectual property / privacy.
3. Where to Look for Jobs
You should “track job postings at IAPP and potentially other associations (e.g., American Health Lawyers Association).”
One person writes: “I recommend AHLA & HCCA job boards as career resources.”
Review government job postings
You can review job postings at USAJOBS, the federal government’s official job site.
Find a mentor to guide you. A mentor can help be on the lookout for job opportunities and can help steer you in productive directions.
Network with people, as many job opportunities come about through networking. Feel free to connect with me on LinkedIn — I’d be happy to connect. I don’t have the bandwidth to get to know everyone personally, but I have met some terrific people on LinkedIn, and I’m always open to meeting new folks if I have time. So feel free to reach out, but please don’t be upset if I can’t respond to you — it’s not personal and often just timing and bandwidth issues.
LinkedIn job postings
There are many privacy job postings on LinkedIn.
You can also find out about jobs in various LinkedIn privacy and security groups. You can search for these groups and join them. If you’re a connection of mine on LinkedIn, you can find many of these groups in the list of groups that I’m a member of — you can see them on my profile.
LinkedIn connections can be great even if people don’t regularly correspond. You can find out when someone switches to a new job. Or you might reach out to a connection in response to a comment, post, or publication if you have something in common.
I am a true believer in LinkedIn — and they’re not paying me to say any of this. LinkedIn is a wonderful tool for building relationships and discovering job opportunities. Learn how to use it well, and it will help you a lot.
Follow people in the privacy law field. Many people in privacy are active on Twitter, including myself (feel free to follow me — here’s my Twitter feed). Follow thought leaders, CPOs, people at NGOs, government regulators, and others. Twitter is a great way to keep up with the latest news from the field, and I often see tweets about privacy jobs.
At some conferences there are boards with job postings. For example, IAPP events often have a board with quite a few job postings.
4. Where to Get Started
Get started generally in a regulated industry
Several professionals recommended that people “first get experience in a regulated industry (e.g., healthcare) or country (anywhere in the EU) so that they can get firsthand exposure to how regulations and operations are balanced.”
Work in compliance
One person writes: “In today’s age when compliance departments are so often responsible for privacy, starting out in general corporate compliance to solidify understanding of the compliance framework is often more attainable than starting out in a privacy role.”
There are compliance positions everywhere these days. And a large and growing piece of the compliance pie is privacy. In essence, you can start out as a compliance generalist and then specialize in privacy later on.
Work in related fields that can readily transition to privacy
One person writes: “As far as different fields/roles that enable easy transition – database management, email marketing, compliance, regulatory work… each of the skills needed for those areas transfers easily (at least that has been my personal experience).”
Seek government employment opportunities
One person recommends that an “option is taking a position with a state AG office (though you may not get into privacy immediately) or other governmental entity (FTC, HHS).”
As another person observes, “a starting point for a young person might be government – FTC, OCR, a state AG. Again, fierce competition for few jobs. But that experience is valued afterwards.”
According to another person, you can “look for privacy opportunities at federal or state agencies (such as through USAJOBS).”
One person observes: “Qualifying for a spot at the FTC or FCC is also a possibility, particularly if a new lawyer can land one of the “honors” spots that is modeled after the very successful DOJ program. Again, a slot at the FTC won’t necessarily guarantee that a new lawyer will do privacy work for the agency, but you and I both know lawyers who went into the FTC in a non-privacy slot and have worked their way over to DPIP and had a great start on a privacy career.”
Seek out healthcare privacy opportunities
One person recommends: “Target health plans and providers, especially hospitals for areas of opportunity. Reach out to local health plans for intern opportunities may be another area of opportunity for your students to gain real-life exposure that will only aid in the pursuit of a career.”
Another recommends: “I see privacy specialist positions posted by health care organizations for in-house compliance departments. OCR also hires privacy specialists. Plus, health law firms look for this area of specialty.”
Another writes: “I also recommend that law students explore the American Health Information Management Associations’ [AHIMA] website and resources. Health Information Management is an information-rich area to explore.”
Look for privacy positions in industry groups or NGOs
People interested in privacy “can also look out for industry groups in the area that they are interested and see if they can join a committee as a stakeholder developing rules. (Ex. NAI, various cloud groups, ICANN, etc.).”
One person writes: “I know several young lawyers who have gotten a good start as privacy lawyers by starting with excellent NGOs such as CDT and FPF.”
Look for in-house positions
Another recommendation is “to look for roles on the in-house counsel team to handle privacy policies, contract provisions regarding consumer information or compliance.”
But several people note that many in-house positions require experience. As one person observes, “Virtually all companies look for in-house lawyers to come in with at least two-three years of firm experience (although I do know of a few exceptions).”
There are indeed exceptions, as I have seen them with my own eyes and know the people who got in-house positions without law firm experience. It takes active looking and good networking.
Work for consultants or accounting firms
A person describes “the consultant route.” The person writes: “Booz Allen and others (notably, the major accounting firms, but certainly others) hire privacy professionals. Some of these jobs are more suitable for recent graduates before law school, but I imagine that some consulting firms would be equally interested in recent law grads with privacy expertise.”
Look for fellowships in privacy
Fellowships are short-term positions after one has graduated that can provide valuable experience and serve as a launching pad to future career opportunities in the field.
A person writes: “Some that have fellowships in privacy are FPF, EPIC, CDT, CIS, and Microsoft. Sure there are others now as well.”
For example, IAPP hires “Westin Fellows.” FPF frequently hires fellows.
Look for part-time work
There may be some great part-time work in privacy that you can do in addition to employment in another field. This work can provide some experience in privacy and ultimately help you transition to a full-time privacy position.
For example, I often hire recent law school graduates to work part-time for me at my privacy and security training company, TeachPrivacy. A number of these people have moved on to full-time privacy positions. I don’t mind being a stepping stone, as I gain great assistance this way.
So the opportunities are out there, but it does take some hunting.
Join the IT team
As one person recommends, “join the IT team in the Information Security practice and help develop policies, audit compliance and look for opportunities to strengthen privacy protections. The individual needs to be conversant in technology but not an expert. I’ve hired InfoSec resources who came from legal or accounting audit backgrounds because of their domain knowledge and research skills; we taught them the technology. This is obviously a different career path but one that is open to law school grads.”
Offer Your Services for Free (or Very Low Pay)
If you see an opportunity to do interesting work, you might offer your services for free or low pay. Maybe it’s just helping out in a limited part-time way, but you can gain valuable experience this way and show people what you can do.
To use a rather crude analogy, push yourself like a drug. Get them hooked on you. Show them your value. You may be able to transition to something more permanent and with normal pay. Or, you can use the experience to get a job elsewhere later on — and if you’ve done good work, you will have a valuable reference.
5. Transitioning Into Privacy
Seek out privacy work where you are currently employed
As one person aptly recommends, “if you are currently employed in a non privacy-related position, seek out privacy work by speaking with the privacy officer or counsel involved in privacy matters.”
Try to enter sideways from a law firm
One person writes about a way to enter privacy sideways from a law firm: “One option is to work at a firm regardless of whether the firm work entails actual privacy work, and build up privacy credentials through other efforts ‘on the side.’ A new lawyer might write an article about privacy issues (there seems to be an insatiable demand for good written work in numerous channels in the legal world). The new lawyer might also obtain IAPP certification while practicing, even if she isn’t practicing privacy law. Then, she might gain law-firm training (which, after all, is pretty transferable regardless of subject matter) and gain privacy expertise on her own initiative. These efforts might be coupled with general networking in privacy circles, which tend to be quite open and welcoming in my experience. This strategy might even lead to the associate developing privacy work for the law firm, which certainly happens, but in the very least it could give a new lawyer a way to work for 2-3 years at a firm, develop privacy expertise whether the firm has it or not, and then market herself to companies. The good news is that privacy is a ‘hot’ area, and companies and associations really are looking to hire lawyers with privacy expertise — ours hear from headhunters on a disturbingly regular basis.”
6. Building a Privacy Career
Become an active member of the privacy professional community
A number of people recommended that it helps to be active in the privacy professional community, such as attending events, writing articles, speaking, networking, etc. As one person stated, you should “become active in IAPP. If interested in health care privacy, also consider HCCA and AHIMA.”
Another person writes: “Students should network – attend conferences and local knowledge nets, reach out to alumni in privacy, etc. – someone may have a privacy matter that they need help with to give the student a start. A lot of conferences and CLEs give a student rates that are really cheap – they should call the organization to see if it’s not published. It’s also good to find a mentor with whom to discuss privacy issues – helps while working through actual matters later.”
Forging your own path
As one professional noted: “I would also say that whilst there are lots of very experienced professionals working in the field, as a Profession in its own right (as opposed to being a branch of the legal and technology professions), it is still in its infancy. Therefore there are lots of opportunities to carve out your own pathway.”
The way I’ve seen this occur is that when a person gets into an organization, that person locates areas where there is a privacy need and then tries to get “buy in” from upper management to be the one to fill that need.
Get certifications such as the IAPP certifications — the primary one is called the Certified Information Privacy Professional (CIPP). There are also certifications in security as well as health privacy by various organizations in these areas.
One person says: “I would recommend researching and publishing articles on privacy. It is pretty easy to publish with the ABA and IAPP. There are also journals that take submissions.”
Consider teaching a privacy law class as an adjunct. It’s a great way to get to know the field. The best way to learn something is to teach it.
Develop a niche expertise within privacy and seek out speaking opportunities, such as CLE programs and others.
Use social media
Use social media such as blogging to demonstrate your expertise and publicize yourself. Provide valuable information to the community. See if you can post at other sites as a guest blogger. The more you put yourself out there, the more people you might get to know and the more opportunities might come your way. Of course, none of this will happen unless what you say is good. I’ve seen people crash and burn on social media, so be sure to do it well. As you’re starting, you might run your posts by a few friends and mentors before posting.
* * * *
Conclusion: Putting It All Together
One person nicely sums up the various things you can do to better position yourself: “I encourage students who are interested in becoming a part of the field earlier in their career to: take privacy-related courses during law school and consider investing in a 1-year LLM IT/privacy program; become certified as an IAPP member; attend relevant conferences/seminars (i.e. FTC workshops); keep abreast of what is happening in the privacy space (through for example LinkedIn groups and other dedicated online forums); apply for fellowship opportunities within privacy think tanks or non-profits (i.e. IAPP fellowship, FPF fellowship); research / apply to firms with strong Privacy Practices and consider writing / publishing an article o the topic. And, of course, network with privacy professionals and attend as many privacy-related events as possible!”