How to break into the world of privacy law
Data protection and privacy law, once a geeky and niche area, has suddenly been thrust into the limelight.
A series of high-profile data hacks – Ashley Madison, TalkTalk, Wetherspoons and others – along with the European Court of Justice’s recent ruling on the ‘Safe Harbour’ data-sharing agreement between the EU and US – mean that more than ever before, companies’ privacy policies are under scrutiny. City sources say that an increasing number of firms are now attempting to build up data protection practices in order to cash in, while in-house teams are also on the hunt for specialist lawyers.
“There is a huge interest in the area – everyone is hiring, both in-house and private practice,” says Bird & Bird’s data protection head Ruth Boardman.
“It’s now recognised that any good firm will be trying to tap in to this area of law – it gives you credibility,” agrees another lawyer working in the field. “There are new hungry entrants: really good firms that were not in this space, suddenly trying to position themselves in this area.”
Ropes & Gray is one such entrant. The US-headquartered firm hired Rohan Massey from McDermott Will & Emery in August as its first privacy specialist in London. He now co-leads Ropes’ privacy and data security practice, along with Heather Egan Sussman who joined the firm’s Boston office in August – also from McDermott. Massey will be looking to bring more lawyers on board in an attempt to challenge the UK’s more established teams.
Ropes is by not means the only firm attempting to launch a data protection practice. “A lot of the US firms are starting to make a play,” says one market source. “Those with a lot of M&A activity tend to be especially interested in it.”
It’s not just the new entrants to the market who are looking to grow: already-large teams are still expanding.
“As the area grows, firms that already have a strong data protection practice are becoming very well known for it and are getting the majority of the work,” says Jago Verna of recruitment agency Shilton Sharpe Quarry. “That means they need to hire.”
Hogan Lovells’ Eduardo Ustaran already leads one of the City’s largest privacy and data protection teams but he too is looking to grow the practice. “My London team is already nine people, including myself, who are fully dedicated data protection lawyers, so it’s quite a chunky team – you won’t find many law firms that have nine people fully dedicated to data protection,” he says.
“Our aim is to grow, both organically through people within the firm, but we will also strategically look at the marketplace.”
Over at Bird & Bird, Boardman is looking to recruit “one or two lawyers at a junior to mid level”.
Likewise, Ustaran is primarily looking for juniors. “It’s the bracket of 1-4 PQE which is the holy grail for any law firm, and where we could do with people,” he says. “That is something we will be looking at.”
Who’s looking to hire data protection lawyers in 2016?
Bird & Bird: One or two lawyers at junior to mid level
Hogan Lovells: 1-4PQE lawyers with a strong data protection specialism
Fieldfisher: Lawyers at all levels with data protection experience
But finding lawyers with the right level of technical expertise is tough. Demand outstrips supply.
“Because our strategy is to be super-specialised, we really want people who know the law inside out without having to do the research. To find lawyers at any level who are at that stage is very difficult,” says Ustaran.
“I think our competitors diversify a bit more in the terms of the range of work their data protection lawyers deal with. For me, it’s quite important that people have that specialist level of knowledge,” he adds.
Senior lawyers are immensely sought after.
“I act for a Chinese bank that has been advertising for a data protection role function out in Singapore,” says DWF partner John Benjamin. “It’s still unfilled after a year.”
However Hazel Grant of Fieldfisher is seeing more dedicated privacy specialists starting to appear in the market.
“When I joined Fieldfisher in 2014 we did some recruitment and some of the candidates were very much 50 per cent IT and 50 per cent data protection,” she says. “Now, though, we are seeing more full-time data protection lawyers.
“Lots of junior lawyers are thinking that now is the time to swap into this area.”
Grant herself will be looking to fill out her team across all levels in 2016. “Principally I am looking for good lawyers and good team players,” she says. “Ideally I want someone who’s got 100 per cent data protection experience, but I’d rather have a good team player committed to becoming a data protection specialist than someone who has the experience but not those other qualities.”
What seats are useful for trainees wanting to work in data protection?
Commercial, employment, IP/IT, litigation, seats with some regulatory aspect to them
Typically, says Verna, firms are happy to take someone who hasn’t been completely dedicated to data protection.
“Trying to find a 3PQE who’s completely specialised in that is nigh-on impossible, so if 50 per cent of what they’ve done is data protection, firms are happy to take them on board and re-skill them.”
The growth in work is having an effect on training contracts, too. “The competition for NQ jobs has started to heat up a little bit,” says Verna. “Someone who’s done a much purer seat in a data protection team is naturally a little bit more desirable than someone who’s done a broader commercial seat with a bit of data protection.”
The in-house angle
In-house legal departments add another complicating factor to the mix. Many are seeking dedicated counsel specialising in data protection – meaning the already small pool of senior talent is even more in demand.
“2015 saw some of the biggest data hacks to date costing the global economy some $400bn, highlighting the inability of companies to properly guard valuable entrusted data,” says Howard Kennedy partner Dan Hyde. “Dedicated cyber security and data breach reporting officers will inevitably become the global norm for businesses that are vulnerable to attack.”
“I know from speaking to people that there are organisations out there that currently have no data protection lawyers that have suddenly decided into take on four in-house,” adds Grant.
Privacy lawyers that go in-house have better prospects of returning to practice than some others.
“If a corporate lawyer goes in-house, it can be tough to get them back in to private practice,” says Verna. “You lose the day-to-day experience on deals that you need. But with data protection firms actually quite like the idea of you having been in house: the job is not so different.”
Illustrating this point, a number of big-hitting lawyers actually moved into private practice from in-house last year. They included the Bank of England’s first chief information security officer, Don Randall, who joined boutique practice Bivonas Law.
Baker & McKenzie took on Dyann Heward-Mills, who was previously senior privacy counsel to GE Capital, as a partner, while Schillings’ capture of Magnus Boyd from Hill Dickinson halfway through last year showed the firm’s intent to reinvent itself as more than just a traditional reputation management boutique.
Meanwhile, DWF picked up Asda’s senior privacy manager Elaine Fletcher as well as John Benjamin. A former European general counsel of Samsung, Benjamin joined DWF after a stint at White & Case.
The two lateral hires at partner level were part of a deliberate plan to grow DWF’s data protection offering. When it comes to associates there is “a real drive to develop knowledge from within the business as well as bringing people from the outside,” says Fletcher.
“We have strengths across many complementary practice areas and sectors, so we have quite a rich vein of capability to mine, not to mention interest and enthusiasm. There has been a very conscious decision to develop our junior lawyers. It is a very steep learning curve, but investing time in them pays dividends.”
Currently listed on jobs.thelawyer.com
- International firm seeks 5/6 PQE with 2-3 years of data protection experience
- City law firm seeks data protection partner
- US firm in London seeks privacy partner with regulatory knowledge in financial services, pharma or tech
- Chief privacy counsel role available at multinational technology business in Amsterdam