France’s top universities are launching specialized programs to train data protection officers amid signs of shortage of such talent on the labor market.

Two new courses started in Paris in May and another will start this fall in the northern city of Lille. The Institut Mines-Telecoms in the capital recently recruited its first class of 20 students to its year-long masters’ program. Participants spend three weeks a month working in data protection roles at companies and one week in the classroom for a total of 355 hours of instruction.

Paris Dauphine University, a top business school, has created a shorter program, which will award participants the equivalent of a professional certificate at the end. These new programs come on top of several others that started last year, including a masters launched at one at the country’s top law schools University of Paris II, Panthéon-Assas.

The programs are getting up off the ground just as recruiters struggle to fill posts at companies, and wages for qualified DPOs are rising sharply, especially at large publicly-traded firms. 

“The new programs are all of high quality but even more are needed given the number of open jobs,” said Patrick Blum, the DPO of ESSEC Business School and vice-president of the AFCDP, France’s professional association for data privacy experts.

About 80,000 DPOs are needed in France, with only roughly 18,000 in place today, estimates the CNIL, the national data protection regulator. Yet only about 500 professionals with the necessary skills are being turned out per year, according to the AFCDP (French Association of Data Protection Correspondents). Experienced DPOs are in especially high demand and can command salaries of 80,000 to 100,000 euros at big companies (see IAPP-OneTrust Salary Survey for further details). Starting salaries for new graduates of DPO programs hover around 40,000 euros.  

Given the relative newness of the profession, the training courses themselves are works in progress, with little consensus of what makes a good one. They seek to be multi-disciplinary, incorporating legal, technological, and practical knowledge.

The oldest one is the masters at ISEP, which has been in operation since 2007. Since many of the privacy professionals working in France today learned on the job, a further debate brewing as to whether a certification process is needed for them to prove their own competences without having to go back to school.

At Paris Assas law school, it took nearly three years to design the curriculum and get the program off the ground, said Bénédicte Fauvarque-Cosson, a law professor at Panthéon-Assas. The school created the program in conjunction with law firm Hogan Lovells to inject real world practice and relevance into the courses. 

“A new profession is being created, and we wanted to play a role in this process,” said Fauvarque-Cosson, a law professor at Panthéon-Assas. “Our teachers and speakers are practitioners in the privacy field, including DPOs from major companies, tech specialists, and legal experts.”

The Assas program, which is now accepting applications for the next course, is aimed at professionals from the information technology, human resources, or legal field with at least two years of work experience. It consists of 120 hours of instruction from January to December, held on Fridays and Saturdays so the participants can still work full time.

The language of instruction is French. So far most of the students in each class of 30 are French professionals, said Fauvarque-Cosson, but a few participants work at data protection regulators in Monaco and French-speaking African countries.

Winston Maxwell, a partner at Hogan Lovells who helped create the program, said the course has three objectives. First, to show participants what the real daily work of a DPO consists of via lectures from people working in such roles. The second is to help the students build up their professional network of privacy experts so as to help them advance in their careers.

Lastly, Maxwell said, the program encourages participants to think critically about applying the GDPR law, not just parrot what data protection authorities say. “It can sometimes be difficult to get them to understand that this is an emerging area of law that will take time to become clear,” said Maxwell. “The data protection authorities are an important stakeholder, but they are not gods.”

For students in the programs, the cost of the Assas masters and the others is often paid by the companies that employ them, although some pay their own way. Some may be tech or HR professionals who are being considered for DPO roles within their companies, and others are career changers paying their own way.

The costs vary widely. The oldest masters at a continuing education school called ISEP charges $12,000 euros, and the new Mines-Telecom masters has set the same price. The new program, which is shorter than a masters, at business school Dauphine costs $9,900 euro, and Assas comes in at $4,800 euros.

For law professor Bénédicte Fauvarque-Cosson, the proliferation of courses means that the program she supervises at Assas must constantly be improving. “There are starting to be more and more training options for people, so ours must live up to the reputation of one of the country’s top law schools.”

photo credit: blavandmaster Centre via photopin (license)