IAPP-GDPR Web Banners-300x250-FINAL
Why I Became A Privacy Professional—And What Privacy Means

Long before I became a privacy professional, I first graduated with a degree in computer science. At the time, like many graduates, I had little real notion of what it was I wanted to do with my life, so I took a couple of internships working as a database programmer. That was my first introduction to the world of data.

I quickly realized that I had little ambition to remain a career programmer, so I began to look at other professions. In my early twenties, and having the kind of idealistic tendencies commonplace in many young graduates, I decided I wanted to do something that mattered, something that would—in some way—benefit the world: I chose to become a lawyer.

Not, you might think, the most obvious choice given the (unfair) reputation that the legal profession tends to suffer. Nevertheless, I was attracted to a profession bound by an ethical code, that believed in principles like “innocent until proven guilty” and acting in the best interests of the client and that took the time to explore and understand both sides to every argument. And, if I’m completely honest, I was also attracted by the unlimited access to truly wonderful stationery that a legal career would afford.

After brief stints as a trainee in real estate law, litigation and environmental law, I decided to pursue a career as a technology lawyer. After all, given my background, it seemed a natural fit, and having a technical understanding of the difference between things like megabytes and megabits, RAM and ROM and synchronous and asynchronous broadband gave me a head start over some of my peers.

On qualifying, I began picking up the odd bit of data protection work (Read: drafting privacy policies). Over time, I became a privacy “go to” person in the firms I worked at, not so much through any great talent on my part but simply because, at the time, I was among the small number of lawyers who knew anything about privacy and, for reasons I still don’t really understand, my colleagues considered data protection work a bewilderingly complex area of law, best left to those who “get” it—much like the way I felt about tax and antitrust law.

It’s not a career path I regret. I love advising on privacy issues because privacy speaks to all the idealized ethical notions I had when I first graduated. With privacy, I get to advise on matters that affect people, that concern right or wrong, that are guided by lofty ethical principles about respecting people’s fundamental rights. I run projects across scores of different countries, each with different legal regimes, regulators and cultural sensitivities. Intellectually, it is very challenging and satisfying.

Yet, at the same time, I have grown increasingly concerned about the dichotomy between the protections law and regulation see fit to mandate and what, in practice, actually delivers the best protection for people’s personal information. To my mind, far too much time is spent on filing registrations and carefully designing legal terms that satisfy legal obligations and create the impression of good compliance; far too little time is spent on privacy impact analyses, careful system design, robust vendor procurement processes and training and audit.

Lawyers, naturally enough, often think of privacy in terms of legal compliance, but any professional experienced in privacy will tell you that many legal obligations are counterintuitive or do little, in real terms, to protect people’s information. Take the EU’s binary controller/ processor regime, for example. Why do controllers bear all the compliance risk? Surely everyone who handles data has a role to play in its protection. Similarly, what good do local controller registrations do anyone?  They’re a costly, burdensome paperwork exercise that is seldom completed efficiently, accurately or—in many cases—even at all. And all those intra-group data sharing agreements—how much time do you spend negotiating their language with regional counsel rather than implementing measures to actually protect data?

Questions like these trouble me.  While the upcoming EU legal reform attempts to address several of these issues, many of its proposed changes to me seem likely to further exacerbate the problem. But for every critic of the reforms, there is an equally vocal proponent of them. So much so that reaching an agreed position between the European Council and Parliament—or even just within the Parliament—seems a near-insurmountable task.

Why is this reform so polarizing? It would be easy to characterize the division of opinions simply as being a split between regulators and industry, privacy advocates and industry lobbyists—indeed, many do. However, the answer is, I suspect, something more fundamental: namely, that we lack a common understanding of what “privacy” is and why it deserves protection.

As privacy professionals, we take for granted that “privacy” is something important and in need of protection. Yet privacy means different things to different people. To some, it means having the ability to sanction uses of our information before they happen; to others, it means being able to stop uses to which we object. Some focus on the inputs—should this data be collected?—others focus on the outputs: How is the data used? Some believe privacy is an absolute right that must not be compromised; others see privacy as a right that must be balanced against other considerations, such as national security, crime prevention and free speech.

If we’re going to protect privacy effectively, we need to better understand what it is we’re trying to protect and why it deserves protection. Further, we need to advocate this understanding and educate—and listen to—the very subjects of the data we’re trying to protect. Only if we have this shared societal understanding can we lay the foundations for a meaningful and enduring privacy regime. Without it, we’ll chase harms that do not exist and miss those that do.

My point is this: As a profession, we should debate and encourage an informed consensus about what privacy really is, and what it should be, in this digital age. That way, we stand a better chance of creating balanced and effective legal and regulatory frameworks that guard against the real risks to our data subjects. We’ll also better educate the next generation of eager young graduates entering our profession to understand what it is they are protecting and why. And this will benefit us all.

Editor’s Note: Privacy jobs are proliferating, with privacy professionals fast becoming the go-to people for solid legal guidance within their organizations. To hear how three privacy pros got started in the field and for a high-level review of basic privacy laws, register for the IAPP’s web conference,  Legal Privacy Primer—First Steps in a Career, to be held July 11.

Written By

Phil Lee, CIPM, CIPP/E


If you want to comment on this post, you need to login.
  • Lee Ann Apilan Dec 10, 2013

    I learned lots of information here...I'm so curious before and now I am knowledgeable...


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»