Into the Breach: Law School’s Innovative Data Practicum Offers a Pathway Into the Privacy Profession

With massive data breaches routinely in the news and the advent of sweeping regulatory changes such as the General Data Privacy Regulation (GDPR), the once obscure niche of data privacy law has suddenly gone from nerdy to sexy.

The Law School was an early entrant into this fast-growing field, expanding its traditional course offerings to include Data Privacy Law, Cyber-Security, and Regulating Personal Health Information. Three years ago, the Law School added an innovative Data Compliance Practicum to help students learn about privacy careers and gain a competitive advantage in entering this emerging field.

The practicum is run under the auspices of Professor William McGeveran, an early adopter in the data privacy area. Once one of a few “voices in the wilderness” on data security, McGeveran is now a frequent media commentator on such cutting-edge issues as social media privacy policy and liability for hacks.

With businesses scrambling to get into and stay in compliance with the GDPR, McGeveran is convinced that the privacy profession is about to go through yet another explosive growth spurt—and that this time Law School students can be the beneficiaries.

Veena Tripathi '19

The practicum provides opportunities to engage in experiential learning, hear from marquee players in the industry, attend networking events, and take the Certified Information Privacy Professional (CIPP) exam to gain a key credential.

“It’s all a package—you have guest speakers, a shadowing experience, and the CIPP exam,” McGeveran said. “It’s a way of learning about this profession, how it works, and what you might do to launch yourself in it.”

The Structure
In order to participate, students must take a privacy-related class before or simultaneously with the practicum. Within the practicum itself, the focus is primarily on learning about the privacy profession rather than on substantive issues of privacy law.

Once a week, practicum participants hear from a guest speaker with a privacy-related job. Speakers are often high-level privacy officers in such major companies as Target, Best Buy, Optum, U.S. Bank, 3M, Cargill, and Medtronic. Each speaker is asked to trace his or her career path to help provide a road map for students interested in the privacy profession.

Practicum participants also have the opportunity to shadow privacy professionals to get a flavor for their work. Many of the shadowing opportunities are in the same top-shelf companies where the guest speakers work.

Staff from the Career Center offer students instruction on networking and assistance in updating their LinkedIn profiles and resumes to highlight their privacy credentials.

Through a partnership with the International Association of Privacy Professionals (IAPP), the world’s largest information privacy organization, students benefit from the opportunity to purchase preparatory materials and take the CIPP exam at steeply discounted rates.

The added credential puts students seeking a career in data privacy at a distinct competitive advantage by tangibly demonstrating their bona fides in the field.

“With CIPP certification, you are setting yourself apart from a large group of people who may claim an interest in this area, because you have the letters after your name to really demonstrate your knowledge and commitment,” McGeveran explains. “And these are not the kind of jobs where companies show up for on-campus interviews looking for traditional legal hires. These jobs are often posted seeking three to five years of experience—but because it’s such a new field, there are not nearly enough people to fill them. Companies must look to candidates who can demonstrate their expertise in other ways.”

Deeply Diving Into Data Privacy
Mitch Noordyke ’18 was a natural for the Data Compliance Practicum. Before going to law school, he obtained a master’s degree in business analytics from the University’s Carlson School of Management. He also had a deep interest in data-related issues and a natural affinity for the data privacy field.

“I wanted to take full advantage of every opportunity the Law School had to pursue privacy as a practice area,” Noordyke said. “I knew I wanted to practice in privacy after graduation, so access to the CIPP exam and IAPP resources was another benefit of the practicum. I also saw it as a good opportunity to be exposed to real-life privacy concerns and see career paths privacy may offer that I had not yet considered.”

Through an email that McGeveran sent to current and former practicum participants, Noordyke learned of a highly selective postgraduate employment opportunity with the IAPP called a Westin Fellowship. Every year, the organization awards these fellowships to two aspiring privacy professionals, who get to work in the organization’s Portsmouth, N.H., headquarters for a year, engaging in policy research and advocacy work on issues with real-world implications. Noordyke applied for one of the coveted slots and got it.

“I think Professor McGeveran's relationship with the IAPP and prominence in the privacy field played a significant role in my success during the application and interview process for the fellowship,” he said. “Through the practicum, I got to know Professor McGeveran better and confirm for myself that privacy was the career path I wanted to pursue. He wrote me a strong recommendation letter, and I had a unique background that aligned well with the skills required for the fellowship.”

Rita Heimes, research director at the IAPP, said that Noordyke’s highly impressive academic credentials, his technical background, and McGeveran’s strong endorsement of his application all played a part in his procuring the prestigious fellowship.

“We look for people who have done well in law school because that indicates the ability to please an otherwise difficult law professor, and there is a lot of writing in this job,” Heimes said. “Beyond that, we look at what kind of interest they have shown in privacy, what have they done in law school to show that they are serious about this field. If the recommendation comes in from someone we know well, like Professor McGeveran, that also carries a great deal of weight. Someone who says, 'This person has taken my classes and was really serious about this area of law'—that is super important because it is a subject that you have to love to do it full time.”

Former fellows have been highly successful in snagging highly sought-after privacy positions at major law firms, global enterprises, and privacy advocacy groups. “The fellowship is a chance for people who are very, very serious about making a career in privacy and data protection to deep dive in this space for a blissful 12 months and to set themselves up for a job opportunity that they probably could not get without it,” Heimes said.

Heimes also echoed McGeveran’s assessment that data privacy law will continue growing at an exponential rate into the foreseeable future. She noted that earlier this year the American Bar Association made certification available for data privacy practitioners who meet IAPP’s rigorous requirements.

“For the first time in the history of lawyering, privacy has been recognized as a legal specialty field,” she said. “I think that just kind of reminds the bar that we’re not just this tiny little group of crazies who talk about e-commerce and computers and hacking and things that nobody really wants to think about or deal with. It’s part of the fabric of every enterprise, whether you are a school, a hospital, a tech company, a mom-and-pop restaurant. Everybody handles data, so you have to have someone in your firm or company that appreciates what to do with data. And lawyers are ideally positioned to help companies make those decisions, whether as in-house counsel or outside counsel.”

Veena Tripathi’s Path To Privacy
Veena Tripathi ’19 represents another type of student who takes the practicum—someone who is not necessarily looking for a full-time career in privacy, but believes that being proficient in this burgeoning legal area of law is a smart idea.

Tripathi’s trajectory so far has been toward a more traditional legal career in intellectual property law. She is spending her second-year summer working at the IP powerhouse firm Fish & Richardson.

However, she also recognizes that in a world driven by data, literacy in data privacy and a working knowledge of what drives those in the field are huge assets. “Even if you are not sure that privacy is the ultimate career for you, you should take the opportunity to learn about what the field offers,” she said. “Privacy law is growing. It touches every sector: health, education, even what you watch on YouTube.”

Tripathi appreciated the way in which her shadowing opportunity at Thomson Reuters during the practicum supplemented her substantive training in data privacy law. “I shadowed both the head of the privacy department and a younger associate on the privacy team,” she said. “I was able to see not only some of the doctrinal lessons I learned in class applied in practice, but also how lawyers can help with all areas of product design, development, and marketing.”

Participation in the practicum also inspired her decision to sign up for a semester abroad in Dublin to witness firsthand the impact of the GDPR on data privacy in the European Union.

Heimes believes that students like Tripathi who delve into privacy law without a firm intention to make it their career are making a very wise choice.

“I think every law student should take privacy law, expose themselves to thinking about the way the internet works and how data is collected, shared, and processed,” she said. “It will come up whether you are doing mergers and acquisitions or litigation and you need to do litigation discovery. Employment law has privacy issues, as does health law. It really, truly cuts across every practice area. So even if it’s not your core focus, even if you need to bring a specialist in for the hard call, you will always benefit from understanding your client’s use of personal information in their business.”

For more information about the Law School’s Data Compliance Practicum, visit its website.

—By Mark A. Cohen