I have been working in a data privacy or security role for over 20 years, but got my start as a data privacy professional by accident. I was in the right place at the right time.

At the time, there were no privacy frameworks, no formal training and no preference that one hold a legal degree to assume privacy work — I am not a legal professional today. Data privacy was not a main driver in organizations and was often separated from information technology. It was seen more as a legal or compliance function, rather than as adding value to the organization's brand.

California passed its first data breach notification law, the California Civil Code 1798.29 and 1798.82, in 2003, setting the groundwork for companies to inform impacted individuals that their information may be subject to "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency." I was tasked with implementing a nuanced program to ensure compliance with the code and hold companies accountable.

While the latter may be true, throughout the past 20 years, privacy professionals have continued to be front and center in maintaining a balance between innovation and trust.

Admittedly, I have taken my understanding of data privacy for granted as I have worked in and seen the industry change from its inception. Much of my knowledge comes from firsthand struggles in aligning privacy with information technology, cybersecurity and physical security. I have sat in meeting rooms, working on data mapping and supporting information governance roles, where I had to explain, more than once, "what does privacy mean, anyway?"

As I took on roles with increased responsibilities, I had the opportunity to interact with thoughtful and passionate people who want to move into data privacy roles but cannot as companies prefer skilled workers. Most junior roles require at least two years of experience, making it challenging for professionals or recent graduates to move into the data privacy field.

Some have reached out to ask where they can start. I recommend:  

  • Assessing how your current experience or education matches to entry level data privacy roles. I am a firm believer that understanding basic compliance control frameworks, being effective at navigating ambiguity and recommending balanced solutions can get your foot in the door. Teaching prospective hires privacy rules is easier than teaching critical thinking or soft skills.
  • Networking with professionals who are responsible for a privacy function. If you are employed, seek out the leader responsible for this function within your current organization, inform them of your skills and ask for opportunities to learn or for mentorship. If you are a new or soon-to-be graduate, begin networking with professionals in the area, attend privacy or cybersecurity events, and leverage your professors' network.
  • Seeking out job shadowing or internship opportunities. Companies are generally open to job shadowing or cross training for employees who meet performance standards. This not only improves the employee's experience but increases abilities for internal mobility. Ask your manager, human resources or privacy employees about those options. Recent graduates or those in their final two years of school should consider an internship to assess a future career while gaining experience.
  • Assessing the benefits of professional membership and certifications and pursuing opportunities to connect with professionals in your area. Professional certifications and connections can help with your education in and appreciation of this fascinating field.
  • Staying up to date with regulations and trends. Regulatory data privacy updates, evolving court cases and more are found almost daily in blogs and news articles. I like to ask any potential privacy candidate what resources they use to keep current on privacy regulations and developments.

Data privacy is growing and there is a need for diverse candidates. Invest a few hours each week to make connections, find learning resources or attend local conferences. Much of my professional success has been due to networking and building a coalition of professionals who can discuss common industry problems. It also makes for a good therapy session.

As my general counsel stated when I was given the responsibility of implementing controls to comply with California's 2003 data breach notification law, "proactively get out there and meet people. Don't let people first meet you when there is a privacy incident."