Opportunities for lawyers in Privacy and Data Protection
INTRODUCTION
Globally, niche and specialization is fast becoming the trend, and part of the future for professionals. The Legal profession is not in isolation and therefore not exempted from the sweeping wind of change. The advancement of technology and wave of emerging technologies is changing the traditional model of doing things and solving problems, thereby creating new challenges which often intersect with regulations and business interests. These challenges sometimes raise privacy questions and there is now the need to balance human rights and business interests. Consequently, these require the know-how of privacy professionals like lawyers in ensuring compliance, and providing a competitive advantage for companies. Cybersecurity, data protection and privacy is therefore a pivotal conduit for enabling business in the digital economy.
There has been an increased scrutiny on the practice of technology companies, as it relates to the right to privacy of users and commodification of users' data. In another breath, cyber-attacks and threats are getting more sophisticated, expensive and rampant, bringing a closer examination on balancing risks, business interests and the rights and freedoms of people. This in turn makes privacy and security risk a major concern for both public and private organisations.
The growing cybersecurity and privacy needs, requires a breed of professionals with technical and regulatory expertise. This is not completely a new direction in some parts of the world, but nascent in certain parts of the globe that recently adopted data protection laws. For instance, the European Union General Data Protection Regulation brought privacy to the forefront of conversations, spreading like a wave that made a number of countries legislate a GDPR-esque legislation. The enactment of these legislations births the requirement for new brand of professionals such as data protection officers, chief privacy officers, privacy attorneys, or those working with the regulators or whichever appellation is ascribed to the role to carry out data protection implementation, advisory or audit. Clearly, the growing privacy landscape is not a space unique to the expertise of lawyers, however, lawyers have a big role to play.
To practice law within the space will require more than the knowledge of law. While you might not need core technical skills like the ability to program and write code, you will need to have decent knowledge of how systems, networks, deployment of technology, business model of clients and fair knowledge of design. Lawyers need to be “equipped with a comprehensive understanding of how to identify and manage operational risk, litigation risk, and reputational risk.” Security is one of the principles of data protection recognised in many data protection laws. A fair understanding of cybersecurity will help a privacy professional to provide good advisory and interface seamlessly with the security team.
UNDERSTANDING PRIVACY AND DATA PROTECTION
First, privacy is not secrecy as it is erroneously touted. Privacy means control. Control over what you want people or organisations to know about you. Privacy is your right to control personal information about yourself. It is a fundamental right guaranteed under the Constitution of many countries.
Data protection deals with the integrity of data. It is the protection from corruption or errors, and its accessibility to only those that should have the access or privilege to it. The kind of data that concerns us, links us, associates us, reveals us and can potentially lead to our harm (huge and fluid) where it falls into the wrong hands. Data Protection is focused on the use and governance of personal data, things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in the appropriate ways.
While privacy as a right focuses on the right to be left alone and enjoy private life, data protection is the right to protection with respect to the processing of personal data. For a start, it is also important to avoid using the phrase ‘data privacy’ in place of ‘data protection’. The phrase presents a convoluted view that the data should be kept private or secret, which is not the essence of data protection.
PRIVACY COMBINATIONS
The privacy space is a very big one with different combinations and distinctions. It affords a potential entrant an opportunity to further specialise.
Privacy in IoT – No doubt, the proliferation of Internet of Things devices raises privacy concerns. Hence and privacy professionals will be needed to advice developers and the manufacturing team on embedding privacy at the design stage, by default and conducting an impact assessment if the invention is capable of occasioning risk to the freedoms and rights of individuals.
Privacy in Big Data – The increased use of Big Data by businesses requires privacy professionals to properly advise on; the responsible use of personal data, how to minimise risk and abuse, conduct impact assessment for use that could occasion risk to rights and freedoms of data subject.
Privacy in Healthcare – Growth in the use of technology in healthcare intersects with the privacy of patients. The rise of predictive medicine, electronic health records, genetic testing and biobanks, telemedicine and other inventions have privacy implications that should needs to be carefully managed. Professionals will need to advise healthcare providers on the status of health records as a sensitive personal data, retention period, and responsible use among other issues that may arise.
Privacy in Cloud Computing – There is also the continuous use of cloud as a platform and it holds large volume of personal data. Professionals will need to carefully review data processing agreements between controllers and processors in other to carefully delineate responsibilities and liabilities. Also, professionals will be in place to advise on appropriate use of such data and to prevent abuse.
Privacy and other emerging technologies – The growth of emerging technologies requires the need for privacy professionals to work with the developers and product design team on considering privacy at the designing stage before going to market in other to avoid it being an afterthought. Companies developing and deploying need privacy professionals to advise on possible intersection of the use case with privacy and how to stay complaint and possibly ethical.
Privacy and Data Ethics – The use of artificial intelligence, and other emerging technologies for example raises both legal and ethical questions. Privacy professionals whose background intersects with ethics can advise on how to draw lines between legitimate use of personal data, commercial interest, rights and freedoms of individuals and the consequence of automated processing. The field of data ethics is getting bigger and would need more professionals to help develop a legal and implementation framework.
Cyber insurance – With the frequency and size of data breach, coupled with the risk of sanctions from regulators and possible litigation liability, organisations are procuring cyber insurance to limit exposure and cover potential risk. There is a need for lawyers to review the scope of insurance cover, think like a data risk manager to ensure policy is risk and budgetary custom – especially for privacy liability, regulatory fines, and potential law suit.
Privacy and cybersecurity – Security is one of the principles of data protection and a distinct speciality. There is a role for lawyers in governance, as well as the risk and compliance aspect of cybersecurity. Also, lawyers with privacy background need to understand security for seamless interaction with the security team.
EMERGING SPECIALISATION AND ROLES
There are different roles which lawyers can take up in this fast-growing industry. I would highlight some. They include:
Policy advisor and analyst – Policies remains the driver of a regulatory framework. Technology growth and development need to be anchored on good policies and this can only be done when they are drafted and developed by a team with good expertise. Another way to be part of the conversation is to contribute to policy recommendations when a draft regulation is released for public consultation is issued or developing policy briefs to stir and ignite a conversation. Also, organisations deploying technology utilise policies to drive it and lawyers are in pole position to develop context-specific policies.
Privacy attorney – Data Protection laws provides a right to lodge complaint which allows data subjects to initiate lawsuit before a supervisory authority or a national courts in instances of infringement of their rights. Also, sanctions are imposed on organisations which are also challenged before national courts. There is an opportunity for collaboration between privacy lawyers with core litigation lawyers to navigate the slippery-slope. Outside the remit of litigation, there lawyers working in-house or in a law firm that provide advisory service on privacy and data protection.
Legal Consulting – Data protection laws creates a veritable opportunity for lawyers to consult and provide advisory to organisations on the appropriate implementation and compliance with privacy laws as a risk based strategy.
Legislative Tracking – Lawyers can provide latest legal opinions and update organisations with latest decisions and laws that can impact their business. This entails providing real-time update and guidance to companies, especially global ones on the development in privacy laws globally and how it could possibly impact their business in order to guide them to wider compliance.
Legal Compliance - Data protection laws requires organisations to appoint data protection officers and also appoint professionals in other capacity to assist with compliance. Lawyers can effectively function as data protection officers, chief privacy officers or any other designation, assisting organisations with compliance and transparency. The data protection officer is responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with extant data protection regulation.
Legal Researcher & Fellow – Lawyers in privacy can publish academic papers on privacy or earn a fellowship with a research institute and continue to contribute to the body of knowledge. There is also the opportunity to collaborate with research institutions.
Sector-specific role – There is a unique opportunity in different sectors of the economy that intersects with privacy and which professionals will be able to provide tailored services, like healthcare, start-up, financial institution, insurance etc.
PATH TO GROWTH
Read articles and books – There is a big body of research and literature on privacy by leading authors. There are also articles from notable websites that could help increase the body of knowledge. Strive to read something new every single day to understand how the landscape is evolving, this includes reading latest decisions from courts in other jurisdictions, opinions and guidelines from different data protection supervisory authorities.
Sign up for courses – There are a number of free and paid courses available online on different massive online open courses platforms. Some of the platforms issue certifications after concluding the courses. You might also consider obtaining certification from any of the privacy professional bodies.
Attend conferences and events – There are growing number of privacy summit and conferences globally. The IAPP host the biggest event. There are other regional and in-country events too either wholly privacy or has a session on privacy where thought leaders share their expertise. Ask questions at such events to have a better understanding of privacy.
Write about it – No doubt, writing a well-researched article or academic paper improves knowledge base. There is dearth of opinion in many national privacy framework, more privacy professionals need to write more well-researched opinions to help grow the understanding of the ecosystem. Writing could be articles, policy briefs, academic papers exploring one or combinations of any subject under privacy.
Contribute to policies and conversations – It is in common place for regulators or supervisory authorities to issue draft guideline or framework for public consultation. You can share your researched thought on how the framework can be better in implementation.
Ask questions – This sure helps clarifies clarify doubts and help to better understand the subject. This could be from asking questions during events, a LinkedIn post, and author of an article. It is important to ask questions.
Follow leaders of thought – The internet and social media has provided a veritable platform for interaction. The thoughts and knowledge shared by thought leaders and industry experts on these platforms are invaluable.
However, you need to be mindful of what you take in, ask questions and you are allowed to disagree constructively if you have a superior a well-informed dissenting view.
Speak – Speaking helps to builds confidence and knowledge and the message is shared too.
CONCLUSION
The above is barely scratching the surface towards building a good career in privacy and data protection. However, in a little way, it highlights the opportunities available for exploration and basic path to starting a career in privacy and data protection.
Finally, if you are looking at starting a career in privacy and data protection, I have prepared a starter kit that could serve as a pointer. I hope you find it a beneficial read. You can access it here.
"Niche is critical. Focus is key. Consistency is everything." Senator Ihenyen
About the Author Ridwan Oloyede leads the data protection team at the Tech Hive Advisory. Ridwan is also a policy advisor and analyst who has made recommendations to legislative process, reviewed legislations and published policy briefs. He is a Research Fellow at the African Academic Network on Internet Policy (AANOIP). He was recognised by Lexology as the Legal influencer for TMT (Technology, Media and Telecommunication) in Africa and Middle-East for Q4 2018. Ridwan speaks and writes both locally and internationally and advises clients on the intersection of law, technology, cybersecurity and privacy.