Like many privacy professionals, Robert Gratchner got his start in the industry accidentally but not surreptitiously. His bachelor’s in economics, master’s in finance and work experience in corporate audits at large technology companies – namely Intel where he began his focus on privacy – made him visible and ripe for executives to pluck from the masses to assist with moving the organization into Europe as well as applying traditional financial audit tactics and techniques to privacy-specific audits and company agendas. Almost 20 years later, Gratchner is now the global DPO (data protection officer) for Siemens, the largest industrial manufacturing company in Europe, with over 83 million euros in revenue annually.
When Gratchner endeavored to execute his first privacy audit for Intel in the late 1990s, he quickly realized the organization would need a small team to successfully complete the project. “I was fascinated with the subject of privacy,” says Gratchner, “and saw an opportunity to join that team and learn and move into the privacy field before it was a field.” The opportunity to perform a privacy audit quickly ballooned into a variety of other complex and sometimes never-before-explored tasks and goals involving cross-organization privacy assessments, an awakening to how privacy awareness can help the business grow and flourish and, ultimately, a newfound responsibility to evangelize for the importance of privacy to internal stakeholders.
From this genesis in privacy, Gratchner quickly observed rapid changes in the definition of the role. At first, no one’s job was exclusively privacy oriented; instead, privacy became a component of someone’s responsibilities. “Initially, roles were defined as either very legal focused or very IT security focused,” says Gratchner. “In other words, ‘I am a lawyer and I need to know about privacy things in contracts’ or ‘I am in security and need to assist in clarifying what our products are doing to protect privacy,’ but specific privacy roles were not individual mandates until we needed people to oversee it all and become privacy cross-functional.” Gratchner recalls the clear beginning of privacy as a profession when chief privacy officer and DPO titles became standard in corporate human capital infrastructure.
“The first true privacy jobs were really CPO and DPO,” proclaims Gratchner, “and these roles had responsibilities to function as compliance/data experts.” The difference between the DPO and the CPO within an organization is often misunderstood. According to Gratchner, “The DPO is more a regulatory requirement. This is the person who makes sure we follow the law. The CPO is more a strategist, answering questions and creating solutions on how we can add value back into the business, how privacy can be a competitive advantage and how privacy can help build trust with our customers.” Gratchner has observed that as companies move toward digitalization, there is an intensified focus on building (or rebuilding) trust with customers.
As Gratchner looks to the future of privacy, he offers these perspectives on the challenges that await privacy pros based on his past experience. “The first challenge is the cost of change,” says Gratchner. With new regulations coming out rapidly, whether GDPR, the California privacy laws, HIPAA or unforeseen new state and federal mandates, trying to keep up with compliance while keeping costs down is going to be challenging. The second-biggest challenge is more about the perception of privacy to internal business stakeholders. “Trying to change the perception that privacy is purely a compliance function, a traffic cop, to instead demonstrating value and helping make changes that benefit the brand and build customer trust is going to be how leadership success is defined in the privacy community,” articulates Gratchner. The third and final challenge Gratchner sees for the privacy pros of tomorrow is defining the industry itself to non-privacy practitioners. “How do we define a career in privacy? What is it? How do you describe this to your parents? ‘I’m not a lawyer. I’m not in InfoSec. But I am in privacy,’” asks and answers Gratchner. Giving clarity not just to a job, but to an entire community may help privacy professionals worldwide get the buy-in needed to effectively change the way companies use privacy to drive or maintain revenue.
Gratchner offers the following advice for those looking to break into the space. “First and foremost, show incentive,” says Gratchner. “Do your research. Know what we do. Explore the IAPP website. Get basic information. Talk to people in the industry. Attend seminars. There are lots of venues for content ingestion out there, including university classes on data privacy.” The second bit of advice is one that has come up in every Coffee with Privacy Pros interview so far: Get IAPP certified! “Certification doesn’t make you a privacy professional, but it does provide you with the baseline education,” professes Gratchner. “A company may hire you with a minimal level of data privacy experience if you have your certification. This may get you into the field, but your job is to understand everything about your company’s data once you are hired – regardless of the limitations of your certification knowledge.” Gratchner is careful to add that “there are plenty of people without certs that are super knowledgeable, but certification gives you a basic credibility.”
Finally, if you are an attorney trying to find a path toward greater success and specialization, Gratchner, whose spouse is now a privacy attorney, encourages you to move your career toward this vertical. “More and more attorneys are getting into this field,” says Gratchner, “and the impact opportunity in the space is now.” Gratchner’s closing comment rings too true as 2018 comes to a close. In the last six months, TRU Staffing Partners has participated in dozens of newly minted searches with Am Law 200 firms which are building practice groups specifically dedicated to privacy and security legal work. The demand far outweighs the supply of experienced talent. In 2017 and the first half of 2018, there was an explosion of partner-level placements throughout law firm ranks. In 2019, there will be an abundance of jobs a tier below partnership as law firm practice groups, big and boutique, aim to bolster the middle ranks with privacy associates and counsel hires.