
The Privacy Advisor | Would a Law Degree Take Your Privacy Career to the Next Level?


The IAPP Privacy List recently lit up a bit when a member posed this question to the group: Should I go back to school and get a law degree if I want to succeed in this field?

It was a legit question. After all, the IAPP 2015 Salary Survey found that after C-suite or VP-level positions, lead counsel had the highest median salaries among privacy pros at $150,000.

But getting a law degree isn’t a small feat. There’s studying for the LSATs; praying to some god you get in; three years of nail-biting through papers and exams, and then, and THEN, the bar. Oh, and thousands of dollars of debt, save for the independently wealthy.

So is all that worth it? Will it mean a straight line to success in the privacy profession? The privacy pros interviewed for this story are a bit torn on that. Sure, a JD looks good after a name, and it might pull some weight on an application, but in terms of its practical application for the needs of today’s privacy pro, it might not be all it’s cracked up to be.

That’s according to Ellen Giblin, CIPP/C, CIPP/G, CIPP/US, privacy lead at Boston Children's Hospital, for one, who says a law degree just isn’t necessary to succeed in privacy. Unless, that is, you’re doing privacy litigation, of course. But the bulk of the work done by a privacy professional at any organization is in risk management and information governance. If you think of a privacy professional’s work in terms of a pie, the pie is made up of privacy, data security and compliance. There is a particular slice of that pie that includes work on data breaches, and for that, yes, it’s necessary to involve a lawyer to ensure compliance with data breach laws and regulation.

However, “outside of a breach, a law degree is not necessary as long as you have the correct governance skills,” she said. “And there are lots of certifications that require the necessary skills.”

But Bob Siegel, CIPP/C, CIPP/E, CIPP/US, CIPM, CIPT, a consultant who runs Privacy Ref, said he’s found differently. Clients he’s worked with have been frustrated at times with the way lawyers approach data breaches. 

“The answer always seems to be, 'Well you have to do this.' For example, on data breaches, the conversation we frequently get into is when do you put in some breach response protocol or notification? Outside or in-house counsel will say, ‘You need to do A, B and C when something occurs, but if you lose this type of data, then you shouldn’t do anything.'”

In contrast, he said, a privacy practitioner, looking at something broader than the legal technicalities, might say, “If you look at it from a brand reputation or a consumer perspective, even if you lose something that isn’t a breach under the law, you might want to inform consumers.”

A lawyer herself, Giblin said something she didn’t learn in law school is the science of risk. That’s something she learned on the job during her time at Iron Mountain, and it’s an important part of the information-governance scheme. 

In the end, Giblin said, it’s smartest to go for certifications specific to the job you’re in or to the jurisdiction in which you practice, and then use partners and colleagues to seek the advice you need in the skill sets you may not have.

“You need to go for each slice of the pie,” she said. “Seek expert advice from your partners that have those skills. It’s rare for people to have all the skills.”

Kirk Nahra, CIPP/US, a longtime attorney in the privacy space at Wiley Rein, said while there’s not any requirement to have a law degree, it’s often easier when you do.

“There are really good people in this field who don’t have a law degree,” he said. “But most of the higher-up people tend to have law degrees. It’s just like a college degree. Do you have to have a college degree to be a successful person in life? No. Does it help? Sure.” 

Nahra said he spends very little of his time as a lawyer actually interpreting law for clients. He spends more time telling clients what they can or cannot do—which is something consultants can essentially do also. That is, consultants without law degrees.

“I think to be good at privacy, you need a variety of things, one of which is the abilities of a lawyer,” he said. “The main thing you get out of law school is the ability to think like a lawyer. If you have someone who’s smart and thoughtful and knows how the world works, they can succeed without a law degree.”

But, he said, going to law school won’t teach a person how to communicate well with people, which is a really important skill in privacy.

Siegel agrees with Nahra: Communication is key. 

“What I’ve seen with clients, and experienced myself, is that an attorney will tell you what you have to do, but an operational practitioner will know how to do it and what the limits are to implementation,” he said. “One of the things I’ve always been told and I tell people working for me now is we have to be multilingual. We have to be able to talk to lawyers, IT, business people and marketing people to be able to communicate what the requirements and responses should be between each group.”

While Siegel isn’t a lawyer, he says he’s spent a lot of time understanding the law in the name of facilitating the collaborative process.

“Getting everyone to a unified language is something I always work on,” he said. “I’ve spent a lot of time on contracts and working with legal throughout my career, so I’ve tried to learn the language to take some of the burden off of the legal team."

The privacy profession itself is shifting, Siegel said. It’s more than just legal compliance.

“It’s become more of a holistic business operational concern,” he said. Recently, he was talking to clients about where, within the company, to position the privacy office. Should it sit in compliance? Legal?

“We came to the conclusion that putting it in legal didn’t make sense because it provided too narrow a focus for the organization needs,” he said.

Sagi Leizerov, CIPP/US, executive director of the privacy practice at EY, agrees with Siegel that the profession is shifting.

“If you look at the numbers, you see a lot of the privacy officers have law degrees,” he said. “But I don’t know that that necessarily reflects how things are changing as much as it does how things have emerged.”

When the field was nascent, it was largely an exercise in compliance—pros ticked the boxes and made sure their client or company complied with the regulations. And that kind of work attracted a lot of lawyers.

While a law degree is one of the components that could be helpful, there’s been an evolution in the field that perhaps makes that designation less essential to a privacy officer, says Leizerov. Structurally, things are shifting.

“I would go so far as to say … there is a separation between managing privacy and providing legal opinions on what the right answer is from a regulatory perspective,” he said. 

That is, the roles of privacy counsel and privacy officer are no longer housed in one suite. More and more, the legal opinion is becoming one factor in the privacy officer’s decision-making process; IT, security and business-growth must also be considered.

“And the privacy officer has to take all of these inputs to make the appropriate choice for the organization,” he said. “If the privacy officer is also a lawyer, the best privacy officer would put aside their lawyer role and not rely on the privacy counsel, who is independent of the final decision, to give the recommendation.”

Someone who perhaps could use a law degree to advance a career in privacy might be someone working in financial services or healthcare—a more regulated industry in which the role would likely sit within a company’s legal department, Leizerov said.

The way these privacy pros are talking, it sounds like the LSATs might not be necessary. Maybe you can afford that trip to the Virgin Islands this year after all?




  • comment Daisy • Aug 26, 2015
    As an attorney and Privacy professional, I would highly recommend that people only go to law school if they want to practice and/or study law. Law school trains people to be lawyers, not privacy professionals. You can definitely do both (as I do), but law school did not "train" me to be a Privacy professional. As I tell my law student mentees, you should go to law school if you have a passion to be a lawyer or to study law, not as a tool to generally advance your career - there are other much less expensive paths to meaningful career growth, especially in the Privacy profession.
  • comment Heather • Aug 26, 2015
    Excellent article. I have a JD and LLM, but I am not a lawyer. I have over 10 years of work experience, working for corporations, where a law license has not been required, but my legal background has definitely been helpful. My next step is to get the CIPP/US certification. Some students don't realize that there are other opportunities out there that don't necessarily require a license. The legal education will never go to waste. Law school is a huge investment (time/money/effort, & are the student loans really worth it?). I agree with Daisy's comment below.
  • comment Richard • Aug 26, 2015
    Law has a tendency to self-aggrandize its reach into related fields, so I immodestly predict that the value of legal training will increase in the privacy field quickly. The trick is how to get the law degree cost-effectively, because the reward probably will not reflect immediately in compensation or job opportunities. But even in today's difficult market for JDs, the students I see succeed most readily are the ones who are in established careers for which the JD will enhance their long-term advancement potential, rather than students who are trying to make a big career change with law school. The former often are night students. I urge potential applicants to look hard at the financial commitment of law school, considering costs and scholarship offers, and the program options, such as part-time, and the impact, positive and negative, on career. When I went to law school 20 years ago, it was just about where the school was ranked; it's a lot more complicated an analysis now, including the question of whether to go at all. (Full disclosure: I teach at UMass Law, where access to legal education is a key part of the mission.  We offer a legal education at half the price it's available from Boston private schools, and we have a night program.  Still, I am the first to counsel a would-be pre-law candidate against law school if it's not the smart option.  I don't get paid for recruitment, and my aim is successful and contented graduates.)
  • comment Alex • Aug 27, 2015
    Personally agree with the points the article made around risk & governance - in terms of application in privacy, I've found studying for internal audit qualifications has been of greater value to me in my function than my law degree has, though that doesn't mean I didn't enjoy it! Relate to what Daisy said: I studied law because I enjoyed it, I studied internal audit as I felt it gave me key skills required in my privacy role.
  • comment Will • Aug 27, 2015
    This is a fascinating article -- thanks!
    In my opinion, over the last five years or so we've seen a shift away from a Chief Privacy Officer to a host of various Privacy Officer/Analyst/Manager roles that operate tactically and often struggle to have much influence through the organization.  I think some of that is driven by the desire to consolidate corporate counsel and privacy functions, which can push privacy in the direction of triage and clean-up and away from privacy-by-design and proactive policy.
    (Clearly?) I am not a lawyer, and I feel my effectiveness as a privacy operator would be diminished if I were. I sense a trend to designate Privacy as a legal function rather than a strategic one, with opportunities for the non-lawyer correspondingly diminished.
    My experience.  Please agree/disagree with your own...
  • comment Casey • Aug 27, 2015
    I can't speak to whether a law degree will take a person's pre-existing privacy career to the next level. As someone who realized while in law school that they wanted to have a privacy career, I can say going to law school without any previous privacy experience is probably not worth it. Of course, the answer really depends on a series of other variables including whether a person has professional contacts in the privacy realm despite having never worked there themselves; if the local job market has a fair amount of privacy job prospects; and, mostly importantly, whether the law school(s) partnered with local privacy companies to put in place any sort of internship/externship program for future privacy professionals. 
    Many privacy positions require 2-5 years of privacy experience. Some companies will permit slightly less work experience or will substitute similar work experience; privacy companies in the Minneapolis-St. Paul area are pretty strict about their minimum requirements. As a result of not having the initial 2-5 years of privacy work experience (and despite 10 years of experience as a private investigator), I've fallen through the cracks of not being able to get privacy work while my law school loan grace period evaporates. Not a fun space to be caught in.
  • comment Matt • Aug 27, 2015
    I went to law school 2006-2010 as a part-time evening student. When I decided to go to law school I had spent 8 years as an information security practitioner. My goal was to become a data security and privacy attorney, not entirely shift careers. I left law school with $100k+ debt and entered a terrible legal hiring market (2010). I do not recommend getting a law degree for the sole purpose of becoming a "better, more qualified CPO." All the points in the article above are spot on. If you would like to gain skills that are indeed useful as a CPO, and diversify your career opportunities with a legal degree, can withstand a lot of pain and study, and can find an affordable way to do it, then go for it. I don't regret it, but it was a horrible financial decision for me. In the course of a thirty year career I will look back and not regret it. However, it was a very expensive, rather painful (albeit satisfying) way to take your career to another level. You can certainly do it without a JD. Many law firms are still stuck on hiring one kind of person: High LSAT, high ranked school, moot court, law review. The big firm summer intern hiring manager isn't going to care what your work history is, what you know about privacy, and it's a gamble whether the firm's data privacy practice chair will care either. The latter will simply want the brightest mind he/she can get to bill out. Another thing to think about: although the lines are fluid, if you don't work for a law firm, and the CPO you are selling to doesn't have a JD, they may not really value that you have one. In fact, sometimes it can be a detriment. In summary: don't get a JD unless it's been a life-long dream or you can't reach your goals without one. Get the certs, gain competency in the skills described in the article, and kick tail.
  • comment Mark • Aug 27, 2015
    This article has opened my eyes. When I have looked at some of the privacy roles (read: DPO), companies ask for a law degree and we get fed the story that a law degree is almost compulsory. It is interesting to see that lawyers and also non-lawyers with law related qualifications say the same thing - a law degree isn't necessary. Thanks.
  • comment Michael • Aug 27, 2015
    As a 20 year lawyer (top 20 law school) who is trying to leverage his CIPP/US and CIPM certifications to move into privacy, for the love of yourself DO NOT GO TO LAW SCHOOL in order to help your privacy career. It has been my experience that privacy functions are almost entirely separate from legal, i.e. once the framework of the privacy function is outlined by Legal, and then until a breach situation is packaged up and handed to the General Counsel's office for a confirmation of notification requirements and any other risk management post-event, the Legal Department has no direct involvement in data privacy issues at large organizations. The problem with thinking a law degree/license might help your privacy career is that (incomprehensively and incorrectly) non-lawyers have no clue as to the skill set that underlies what a lawyer does. Consequently, they cannot see how being a lawyer could assist you in being a privacy professional. On the flip side, once you are a lawyer, no one will hire you for a non-lawyer position. On top of them not understanding the fantastic skillset you can bring (anticipate and/or ID issues, research issues, creatively solve issues, all while in a regulated environment, then monitor the result), they think that as soon as you get a "real lawyer job" you will leave so they do not want to invest in you (ask an unemployed lawyer who has given up and applied for a Paralegal position or a Contract Manager position about this phenomenon). Ultimately, although having the skills of a lawyer WOULD help you be a better privacy professional (it would help you be better at anything except for maybe salesmanship), the real world does not think this way. Meanwhile, my long-term girlfriend, who never attended college, has a fantastic privacy-related career at a Fortune 50 company. Experience is what matters, not training.
  • comment James • Aug 27, 2015
    I would be VERY careful about going to law school. First, read Benjamin Barton's new book "Glass Half Full". It is an entertaining account of the dismal prospects for law graduates. Second, consider the costs. Law school is expensive both in time and money. 30-65k per year tuition, plus three years of your life. It is a fairly heavy course load, and if you are taking 3 years off your career, the opportunity costs are high. Third, you don't really need it for this field. Law school (and I teach at one of the best law schools in the world) does not tend to teach risk management, project management, IT, communications or a host of other skills relevant to privacy. It is, in fact, difficult to articulate what law schools DO teach. Analysis of case lines is handy if you are a constitutional lawyer, but we know from empirical studies that most practicing lawyers spend the bulk of their time on process based tasks. I think a person with a general education would be better served by augmenting their skills with IT or communications training. As with other posters, unless you have highly advanced specialist training (e.g., engineering, medicine), do NOT go to law school unless you really want to be a lawyer.
  • comment Suzanne • Aug 27, 2015
    I am a non-practising lawyer and a privacy officer. I received my law degree before starting my privacy career. I would never tell anyone not to go to law school if they were interested in law - in fact, I encourage people to do so. There is no guarantee that anyone can make a career in any particular specialization - and privacy is no exception. I believe the skills I received from my legal training help me immensely - the ability to read, interpret and explain (in non-legalese) legislation, principles and policies is a great asset and appreciated by the people that I work with and provide education sessions to. Perhaps some lawyers get caught up in "litigation" but I was educated to consider all sides - and practical application. I think it all depends on which area of privacy you want to pursue when you are considering a career in privacy.
  • comment David • Aug 28, 2015
    Excellent article. As a regional programme leader I have always tried to "protect" my scarce and highly valuable legal support resources by putting in place processes to manage the access. This is particularly important when you don't have (Can't afford?) a dedicated Privacy Legal Counsel or use external counsel and so you are either competing for time & effort with other demands or paying for advice.
    Things to think about are regulatory impact assessments, PIAs and prioritization of agreed actions. The trick is to front end load your PIAs with business process/IT information before it gets to legal review and make sure the quality controls are in place. The privacy professionals should ask the question "is there sufficient accurate information?" to enable an efficient & effective PIA or regulatory review. That's not only good for rapid response to the business but also for the legal support so we don't waste their time sitting through the information "collection" phase with project teams and business process change leaders.
    If privacy leaders manage the legal demand/communication channel they also stay in touch with all the issues & questions coming from the business. Tracking these formally and investigating the background can again assist in focusing your 1-2-1 discussions with your legal team.
    Finally, a privacy professional may understand and even be able to analyse the legal impact but we need to know our limitations/boundaries! Personally I always "draft" sensitive responses with legal before communicating on key subjects dealing with responses to business, employees, customers or regulators to get their OK. This works well if managed properly.
  • comment Gabriel • Aug 28, 2015
    Hello! We are Anna and Gabe, and we are the new Westin Fellows at IAPP. We thought it would be useful for us to weigh in, as recent law school grads, beginning our careers in privacy law, but both having very different experiences that brought us here.
    I went into law school with the intention of working at the intersection of technology and law after working as a technical writer for a software company for three years. I knew that this meant I may not end up practicing law in the traditional sense. For me the values in attending law school were the skills you develop that are applicable to many career paths as well as my desire to go back to school. I echo sentiments that law school is an expensive place to spend time trying to advance your career or to figure out your next step. However, there are scholarships available from many top schools so if your goal is to attend law school, get a great LSAT score and seek those out. At this point in my career I think I made the right decision in attending law school because it helped me narrow and define my passion for privacy. 
    A lot can change over the course of three years in law school. It’s a huge commitment, of time and of resources, but it’s also a great way to develop your skillset and to find what you’re passionate about. Initially, I thought I would be an environmental lawyer. I would not have come to privacy had it not been for the practical and academic experiences I had in law school, and the mentoring I got from professors. It helped me understand what I liked and also what I didn’t like. It allowed me to rigorously explore ideas, advance my writing and speaking skills, and to develop a better sense of what I wanted from my career. If you’re open-minded about your career path, relentlessly curious about the way law structures our relationships with government, business and one another, and prepared for the long hours, I would say that law school is worth the risks!
  • comment Jennifer • Aug 28, 2015
    A quick glance at the open positions on the IAPP site shows that most want a lawyer. While some of the best privacy people that I know are not lawyers, a law degree is starting to become a differentiator in just being considered or hired. Which is sad, because the approach taken by non-lawyers is much different and often more helpful for the business.
  • comment Akos • Aug 31, 2015
    I first worked as an IT Specialist, then finished law school and became a Privacy professional after it, and completed my Master in Law in IT & Telecommunications Law. The best thing in the law background was to be able to interpret rules and regulations far better, and the law course taught me this. The Privacy Law part is an important addition, but that's not worth 3 years (4.5 years actually in my country) of University. The other important factor is that being a Privacy professional AND a lawyer is a rather unique combination in Europe, which many multinational companies are looking for. To start law school after starting a Privacy Professional career is a risky decision - but on the other hand, planning a PP career by finishing law school first is a huge advantage indeed.
  • comment Domenic DiLullo, Jr • Oct 11, 2015
    It has been good to have read the various comments that came from this article. For this article is similar to a question that I posed out to the IAPP Community in May of this year. When I sent out my question to the IAPP, my approach was to get a sense of people's personal experiences (good or bad) who obtained their JD: "What was the journey like? Were there moments of 'Why did I do this?' Were there regrets or not?" The feedback that I received was more than I could ever ask for. I've made the choice to go for my law degree in the area of Health law and Health Policy. I am in the process of writing up my story on why I chose to go for a law degree for a future privacy advisor.
    For me, I've over 13 years of Public/Private Sector experience. I’ve been an Auditor for many years, presently working in CyberSecurity & Privacy and in those 13 years, have obtained an undergrad degree, and a masters in information assurance. For me, I see having that law degree combined with my understanding of IT systems providing me with a well-rounded background of law and technology.
  • comment Domenic DiLullo, Jr • Oct 11, 2015
    It has been good to have read the various comments that came from this article. For this article is similar to a question that I posed out to the IAPP Community in May of this year. When I sent out my question to the IAPP, my approach was to get a sense of people's personal experiences (good or bad) who obtained their JD: "What was the journey like? Were there moments of 'Why did I do this?' Were there regrets or not?" The feedback that I received was more than I could ever ask for. I've made the choice to go for my law degree in the area of Health law and Health Policy. I am in the process of writing up my experiences for a future privacy advisor.
    For me, I've over 13 years of Public/Private Sector experience. I’ve been an Auditor for many years, worked in CyberSecurity & Privacy and in those 13 years, have obtained an undergrad degree, and a masters in information assurance. For me, having that law degree combined with my understanding of IT systems provides me with a well-rounded background of law and technology.
  • comment Domenic DiLullo, Jr • Oct 15, 2015
    I was very pleased to have seen this article. As one who has worked in both CyberSecurity and Privacy, It has been good to have read the various comments that came from this article.  Although I am not a lawyer, I've over 13 years of Public/Private Sector experience and in those 13 years, have obtained an undergrad degree, and a masters in information assurance. I have major aspirations to go for my Law degree. 
    This article was similar to a question that I posed to the IAPP Community back in early May of this year. When I sent out my question to the IAPP, my hope was to get a sense of people's personal experiences (good or bad) from those who had obtained their JD: I wanted to learn from the community about "What was the journey like? Were there moments of 'Why did I do this?' Were there regrets or not? Was a law degree needed?"
    The feedback that I received was more than I could ever ask for. I've made the choice to go for my law degree and studying for my LSAT. I am in the process of writing up my experiences and reasons why I chose to go for a law degree for a future privacy advisor. For me,  Having that law degree combined with my understanding of IT systems I feel would provide me with a well-rounded background.