The IAPP Privacy List recently lit up a bit when a member posed this question to the group: Should I go back to school and get a law degree if I want to succeed in this field?
It was a legit question. After all, the IAPP 2015 Salary Survey found that after C-suite or VP-level positions, lead counsel had the highest median salaries among privacy pros at $150,000.
But getting a law degree isn’t a small feat. There’s studying for the LSATs; praying to some god you get in; three years of nail-biting through papers and exams, and then, and THEN, the bar. Oh, and thousands of dollars of debt, save for the independently wealthy.
So is all that worth it? Will it mean a straight line to success in the privacy profession? The privacy pros interviewed for this story are a bit torn on that. Sure, a JD looks good after a name, and it might pull some weight on an application, but in terms of its practical application for the needs of today’s privacy pro, it might not be all it’s cracked up to be.
That’s according to Ellen Giblin, CIPP/C, CIPP/G, CIPP/US, privacy lead at Boston Children's Hospital, for one, who says a law degree just isn’t necessary to succeed in privacy. Unless, that is, you’re doing privacy litigation, of course. But the bulk of the work done by a privacy professional at any organization is in risk management and information governance. If you think of a privacy professional’s work in terms of a pie, the pie is made up of privacy, data security and compliance. There is a particular slice of that pie that includes work on data breaches, and for that, yes, it’s necessary to involve a lawyer to ensure compliance with data breach laws and regulation.
However, “outside of a breach, a law degree is not necessary as long as you have the correct governance skills,” she said. “And there are lots of certifications that require the necessary skills.”
But Bob Siegel, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, a consultant who runs Privacy Ref, said he’s found differently. Clients he’s worked with have been frustrated at times with the way lawyers approach data breaches.
“The answer always seem to be, 'Well you have to do this.' For example, on data breaches, the conversation we frequently get into is when do you put in some breach response protocol or notification? Outside or in-house counsel will say, ‘You need to do A, B and C when something occurs, but if you lose this type of data, then you shouldn’t do anything.'”
In contrast, he said, a privacy practitioner, looking at something broader than the legal technicalities, might say, “If you look at it from a brand reputation or a consumer perspective, even if you lose something that isn’t a breach under the law, you might want to inform consumers.”
A lawyer herself, Giblin said something she didn’t learn in law school is the science of risk. That’s something she learned on the job during her time at Iron Mountain, and it’s an important part of the information-governance scheme.
In the end, Giblin said, it’s smartest to go for certifications specific to the job you’re in or to the jurisdiction in which you practice, and then use partners and colleagues to seek the advice you need in the skill sets you may not have.
“You need to go for each slice of the pie,” she said. “Seek expert advice from your partners that have those skills. It’s rare for people to have all the skills.”
Kirk Nahra, CIPP/US, a longtime attorney in the privacy space at Wiley Rein, said while there’s not any requirement to have a law degree, it’s often easier when you do.
“There are really good people in this field who don’t have a law degree,” he said. “But most of the higher-up people tend to have law degrees. It’s just like a college degree. Do you have to have a college degree to be a successful person in life? No. Does it help? Sure.”
Nahra said he spends very little of his time as a lawyer actually interpreting law for clients. He spends more time telling clients what they can or cannot do—which is something consultants can essentially do also. That is, consultants without law degrees.
“I think to be good at privacy, you need a variety of things, one of which is the abilities of a lawyer,” he said. “The main thing you get out of law school is the ability to think like a lawyer. If you have someone who’s smart and thoughtful and knows how the world works, they can succeed without a law degree.”
But, he said, going to law school won’t teach a person how to communicate well with people, which is a really important skill in privacy.
Siegel agrees with Nahra: Communication is key.
“What I’ve seen with clients, and experienced myself, is that an attorney will tell you what you have to do, but an operational practitioner will know how to do it and what the limits are to implementation,” he said. “One of the things I’ve always been told and I tell people working for me now is we have to be multilingual. We have to be able to talk to lawyers, IT, business people and marketing people to be able to communicate what the requirements and responses should be between each group.”
While Siegel isn’t a lawyer, he says he’s spent a lot of time understanding the law in the name of facilitating the collaborative process.
“Getting everyone to a unified language is something I always work on,” he said. “I’ve spent a lot of time on contracts and working with legal throughout my career, so I’ve tried to learn the language to take some of the burden off of the legal team."
The privacy profession itself is shifting, Siegel said. It’s more than just legal compliance.
“It’s become more of a holistic business operational concern,” he said. Recently, he was talking to clients about where, within the company, to position the privacy office. Should it sit in compliance? Legal?
“We came to the conclusion that putting it in legal didn’t make sense because it provided too narrow a focus for the organization needs,” he said.
Sagi Leizerov, CIPP/US, executive director of the privacy practice at EY, agrees with Siegel that the profession is shifting.
“If you look at the numbers, you see a lot of the privacy officers have law degrees,” he said. “But I don’t know that that necessarily reflects how things are changing as much as it does how things have emerged.”
When the field was nascent, it was largely an exercise in compliance—pros ticked the boxes and made sure their client or company complied with the regulations. And that kind of work attracted a lot of lawyers.
While a law degree is one of the components that could be helpful, there’s been an evolution in the field that perhaps makes that designation less essential to a privacy officer, says Leizerov. Structurally, things are shifting.
“I would go so far as to say … there is a separation between managing privacy and providing legal opinions on what the right answer is from a regulatory perspective,” he said.
That is, the roles of privacy counsel and privacy officer are no longer housed in one suite. More and more, the legal opinion is becoming one factor in the privacy officer’s decision-making process; IT, security and business-growth must also be considered.
“And the privacy officer has to take all of these inputs to make the appropriate choice for the organization,” he said. “If the privacy officer is also a lawyer, the best privacy officer would put aside their lawyer role and not rely on the privacy counsel, who is independent of the final decision, to give the recommendation.”
Someone who perhaps could use a law degree to advance a career in privacy might be someone working in financial services or healthcare—a more regulated industry in which the role would likely sit within a company’s legal department, Leizerov said.
The way these privacy pros are talking, it sounds like the LSATs might not be necessary. Maybe you can afford that trip to the Virgin Islands this year after all?
photo credit: DSC_0962 via photopin (license)