They may not have the cachet of entrepreneurs, or the geek chic of developers, but data protection officers are suddenly the hottest properties in technology.

When Jen Brown got her first certification for information privacy in 2006, few companies were looking for people qualified to manage the legal and ethical issues related to handling customer data. But now it’s 2018, companies across the globe are scrambling to comply with a European law that represents the biggest shake-up of personal data privacy rules since the birth of the internet – and Brown’s inbox is being besieged by recruiters.

“I got into security before anyone cared about it, and I had a hard time finding a job,” said the data protection officer (DPO) of analytics start-up Sumo Logic, in Redwood City, near San Francisco. “Suddenly, people are sitting up and taking notice.”

Brown is among a hitherto rare breed of workers who are becoming sought-after commodities in the global technology industry ahead of the European Union’s General Data Protection Regulation (GDPR), which goes into effect in May.

The law is intended to give European citizens more control over their online information and applies to all firms that do business with Europeans. It requires that all companies whose core activities include substantial monitoring or processing of personal data to hire a DPO.

Many companies have already done so, but recruitment will increase rapidly, said Stephen Grant, a corporate solicitor with Scottish law firm Wright, Johnston & Mackenzie LLP.

“And the status of the DPO within a company or organisation is being transformed,” Grant added. “While it is a requirement that DPOs have access to the board, I believe it won’t be long before they are sitting on boards, alongside the other senior executives.”

But finding DPOs is not easy. More than 28,000 will be needed in Europe and US and as many as 75,000 around the globe as a result of GDPR, the International Association of Privacy Professionals (IAPP) estimates. The organisation said it did not previously track DPO figures because, prior to GDPR, Germany and the Philippines were the only countries it was aware of with mandatory DPO laws.

Reuters reported that DPO job listings in Britain on the Indeed job search site have increased by more than 700% over the past 18 months, from 12.7 listings per million in April 2016 to 102.7 listings per million in December.

The need for DPOs is expected to be particularly high in any data-rich industries, such as tech, digital marketing, finance, healthcare and retail. Uber, Twitter, Airbnb, Cloudflare and Experian are advertising for a DPO, online job advertisements show. Microsoft, Facebook, and Slack are also currently working to fill the position.

“I would say that I get between eight and 10 calls a week from recruiters about a role,” said Marc French, the data protection officer of Massachusetts-based email management company Mimecast. “Come January 1st, the phone calls increased exponentially because everybody realised, ‘Oh my god, GDPR is only five months away.’”

GDPR requires that DPOs assist their companies on data audits for compliance with privacy laws, train employees on data privacy and serve as the point of contact for European regulators. Other provisions of the law require that companies make personal information available to customers on request, or delete it entirely in some cases, and report any data breaches within 72 hours.

On a typical day, French said he monitors for any guidance updates for GDPR, meets Mimecast’s engineering teams to discuss privacy in new product features, reviews the marketing team’s data usage requests, works on privacy policy revisions, and conducts one or two calls with clients to discuss the company’s position on GDPR and privacy.

“Given that we’re trying to march to the deadline, I would say that 65% of my time is focused on GDPR right now,” said French, who is also a senior vice president of Mimecast.

The demand for DPOs has sparked renewed interest in data privacy training, said Sam Pfeifle, content director of the International Association of Privacy Professionals (IAPP), which introduced a ‘GDPR Ready’ programme last year for aspiring DPOs. “We already sold out all of our GDPR training through the first six months of 2018,” said Pfeifle, adding that the IAPP saw a surge in new memberships in 2017, from 24,000 to 36,000.

A DPO can become a champion for data protection, discussing where and how data is processed, looking to the future, addressing perceived risks that are yet to come to the fore, and anticipating new technologies that will have an impact – Stephen Grant, Wright, Johnston & Mackenzie LLP.

Those companies who have DPOs, meanwhile, are braced for poaching. Many of those firms reside in Germany, which has long required that most companies that process data designate DPOs. They include Simplaex, a Berlin ad-targeting startup. “Everyone is looking for a DPO,” said chief executive Jeffry van Ede. “I need to have some cash ready for when someone tries to take mine, so I can keep them.”

DPO responsibilities

“The European Union’s General Data Protection Regulation requires that all entities whose core activities include substantial monitoring of individuals, or the large-scale processing of special categories of data hire a data protection officer,” says Stephen Grant, of Wright, Johnston & Mackenzie LLP.

Grant said that the DPOs responsibilities include:

  • Training employees: DPOs will be tasked with teaching their company’s employees about how GDPR impacts them and training them on any procedures that are necessary for compliance.
  • Monitoring GDPR updates: member states regulatory bodies (the ICO in the UK) continue to issue guidance and clarity surrounding the regulation. DPOs will be responsible for keeping their companies informed.
  • Data protection impact: GDPR requires that DPOs assist their companies on audits of their systems for compliance with data privacy laws and carry out data protection impact assessments where necessary.
  • Serving as a liaison: GDPR requires that a company’s DPO serves as the point of contact for, and cooperates with, the relevant country’s regulatory body.

“But,” added Grant, “a DPO can go beyond these responsibilities, substantial though they are, to become a champion for data protection, discussing where and how data is processed, looking to the future, addressing perceived risks that are yet to come to the fore, and anticipating new technologies that will have an impact.”

The ‘checkout-less’ Amazon Go

“Look, for example, at something like Amazon Go, its new ‘checkout-less’ store concept. In order for that to work, Amazon is monitoring shoppers to an extraordinary extent, gathering huge amounts of data, and building this really quite detailed picture of its customers.

“It will get to a point where Amazon knows you are there, your shopping habits and preferences, and start serving you personalised ads depending on your position in the store. We’re getting used to seeing personalised ads on the web, through cookies, but to have them served in real life, as it were, that’s going to be a surreal experience. But that’s all possible with data.”

Business opportunities

Philip Bindley, managing director of The Bunker, said: “To date, the advent of GDPR has been clouded by concerns of hefty fines, but it’s important for businesses to recognise that compliance is often a facilitator for business growth.

“Rather than treating the compliance journey as a laborious, compulsory exercise, organisations should see this as an opportunity to gain better visibility of the data they hold, streamline internal processes, increase their security posture and, ultimately, improve efficiencies.

“A slight change in mind-set when it comes to compliance can mean the difference between sapping resources, and laying the foundations for sustainable, secure and productive working practices.”

The Bunker is a data centre and managed service provider, advising businesses on cyber security and protecting their mission-critical data. It runs two of the most physically secure data centres in the UK.

Purpose-built to protect people in the event of a nuclear attack, these former command and control bunkers – acquired from the Ministry of Defence and US Air Force – now protect data from every potential threat that could compromise availability and integrity, says the company, adding that they are armoured and nuclear bomb-proof.