Since May 2016, the EU has been preparing for the implementation of the General Data Protection Regulation (GDPR) and, over the last six months, efforts to prepare and comply with GDPR have increased significantly.
In the London GDPR recruitment market, there are currently (and have been for about a year and a half) two parallel economies of privacy lawyers functioning in different echelons of the legal market:
Senior GDPR Experts
There are GDPR experts who have been practising privacy law throughout their careers and are typically found in either some of the best law firms in London or in-house in senior and very autonomous 'Data Privacy Officer’ or ‘Head of Privacy’ roles at big, global companies (typically ones that heavily utilise personal data as part of their main business). Unfortunately, there aren’t many of these lawyers in the London market at all—and even fewer who can be tempted to consider a career move within the next year or two. Over the last two years, there has been a flurry of movement in the permanent market and most people in this first category moved to new permanent jobs then.
The second fairly thriving and functioning economy of lawyers has started to work on privacy and GDPR over the last couple of years since demand for this skill set has multiplied exponentially. Whilst some of these lawyers are undoubtedly excellent in their own right, they are certainly not privacy or GDPR experts given their lack of previous experience in the field. However, more and more of these lawyers are classifying themselves as privacy ‘experts’ to meet the demand in the market for the latter—and probably because of the fear around GDPR compliance, organisations are hiring these lawyers as GDPR experts. In turn, a reactive cycle has ensued and even those organisations that only need a junior lawyer with ‘some exposure to data privacy’ are starting to advertise their roles as ‘GDPR expert’ roles.
Over the last 12–18 months, this market has been so laissez-faire that even lawyers with very little privacy and GDPR experience have been almost naming their price and driving rates artificially high. The difficulty that this alternative market has caused is down to the semantics – the fact that everyone is now termed a ‘privacy expert’ or ‘GDPR expert’, irrespective of the depth of experience lawyers actually have. Not only have many organisations struggled to decide what level of GDPR knowledge their team requires based on where they are within the cycle of GDPR compliance, they have also found it tough to navigate the two different types of data privacy lawyer.
That said, the emergence of this latter group hasn’t necessarily been such a negative development, in hindsight. Smaller companies that got carried away with the buzz and wanted to hire GDPR experts (but did not) perhaps didn’t actually need someone at that level of seniority—at least not on a full-time basis. Generally, for them, hiring more junior lawyers with privacy experience (or senior commercial lawyers new to GDPR and privacy) to work alongside external counsel has worked out efficiently on the whole. In fact, many organisations have spent a large part of the last 6–12 months exploring alternative solutions to hiring an experienced data privacy expert or outsourcing the work wholly to law firms. Solutions we see have typically fallen into a few broad categories:
Those legal teams that have been certain of their need for an internal data privacy expert for the longer term have found that they have had to be much more flexible in their search for a DPO/head of privacy than they have to be in almost any other, more typical legal hires. They also have had to be prepared to offer significantly higher packages to bring in those more senior privacy experts. Secondly, and perhaps somewhat surprisingly, flexibility in working from home as well as the opportunity to travel with work and be more involved with foreign operations have been almost equally compelling for candidates. For those companies able to offer these opportunities — and able to be more genuinely accepting and trusting of these lawyers working remotely for a chunk of their time — attracting and retaining senior privacy lawyers has been significantly easier. Generally, the companies that have managed to do this are the large ‘money is no object’ multinational corporations across all industry sectors, from banks to consumer goods and technology.
Whilst this obviously suited some, it is unlikely to be the ideal solution for smaller organisations looking to hire a head of privacy who can hit the ground running and manage company-wide GPDR-compliance from Day One.
Another innovative solution to the problem has come by way of interim hiring. As a number of companies have done, hiring an interim GDPR expert for 6–12 months has been an effective way of bringing in someone that would normally be significantly above budget on a permanent-headcount basis (at least in this artificially expensive market, whilst demand for the skill set significantly outweighs supply). It has also bought clients time to realise whether the need for someone of that seniority is immediate and will die down after the initial implementation of the GDPR, or whether the work justifies someone for the longer term. In some cases, organisations and candidates have agreed to transform this into a permanent relationship, whilst in others, legal teams have found that they are able to hire a more junior lawyer permanently to manage the privacy function after the initial peak of the GDPR program roll-out.
In order to secure the sort of expertise that often puts a full-time lawyer out of budget, part-time hiring has also worked well as an option. A number of senior privacy lawyers are only interested in part-time work, as this means they are able to obtain a variety of interesting work and are able to charge a slightly higher rate for each client. While some organisations may initially be quite reluctant to consider this at all, and even to ask the question internally as to how many hours they really need dedicated to their team, part-time and flexible hiring may become more accepted once the upcoming May deadline passes.
Candidates in the interim market are incentivised to choose a contract because of the daily rates that a company offers, the flexibility (such as working from home) and the access to the C-suite/non-EMEA business. Longer contracts also tend to be helpful in attracting more sophisticated talent. The consensus amongst clients seems to be that the need for GDPR support will not disappear after six months, so organisations need to consider whether they would be able to offer a 12-month commitment instead of a 6-month contract. The former opens up a wider candidate pool from which to hire.
Another innovative route some organisations are taking is to promote a senior commercial lawyer internally to fill the DPO position and then backfill the senior commercial lawyer role instead. Because of the tight state of the GDPR-expert market in London, some GCs are acknowledging that it may not be as effective to hire someone externally with years of privacy experience as GDPR point-of-contact, as it is to hire someone internally with years of experience in navigating that particular organisation. The logic being that GDPR success would come from knowing the business well, where the risks lie and the nuances of how to communicate with individual members of the business most effectively.
This approach has seemed to work very well for those that have adopted it. Not only is it effective in itself as a solution—it also reduces the significant costs and difficulties in hiring a GDPR expert in this market. It is generally significantly easier (faster and more cost-effective) for the legal team to backfill the internal candidate’s previous position than it is to hire a privacy lawyer. Moreover, there is a lot to be said for internally promoting in terms of keeping the team motivated with growth opportunities and variety of work and experience.
The use of non-legal support is an infrequently seen solution but has worked well in a few situations. Generally, this has been more popular in UK and EU-headquartered companies, as opposed to US-headquartered companies that prefer to hire qualified lawyers for the privacy function. Of course, there are exceptions to this, but this has been the trend. Non-legal privacy officers tend to work well as part of a wider privacy structure where the senior member of the privacy function is a senior lawyer supported by more junior privacy or information governance professionals. However, the reverse has also been an option we have seen, with the senior member being a non-lawyer supported by a team of mid-level/junior lawyers. This latter option would be a much easier hiring option, though not many legal teams are opting to take this route at all.
The above solutions are certainly not exhaustive but instead are ideas that have had success in the market. In a market that is constantly evolving, in which the needs of organisations are constantly evolving as May approaches, the solutions will continue to evolve as priorities change for legal teams. The key is to try to establish what day-to-day support is really necessary for every respective legal team in the immediate, mid and longer-term — and how best to support those needs in a cost-efficient and effective way.
This article was originally published in London Legal Business in May 2018.