Data protection, a once-obscure field of compliance, is having a moment. Next month, a sweeping set of rules called the General Data Protection Regulation (GDPR) goes into effect in the European Union. They’re being called the “gold standard” for laws of their kind in the internet age.
With the GDPR, European regulators gain a potent weapon. Under the new rules, privacy regulators can levy fines of up to 4% of a company’s revenue if it falls foul of the law. Christopher Graham, a former British information commissioner, called it “the big stick in the cupboard” when he spoke to an audience of corporate compliance pros at a conference in London a few years ago. They were the ones tasked with helping their employers avoid the stick. “This is slap-bang on the risk register of any organization,” Graham told his potential targets from the lectern.
Graham was replaced by Elizabeth Denham, a Canadian with a reputation for seriousness, in 2016. Denham has been busy since she took the helm at the UK’s Information Commissioner’s Office (ICO), including levying the largest-ever fine for a data breach—£400,000 ($569,000) against mobile carrier TalkTalk—and uncovering that Google’s DeepMind AI unit had wrongly held millions of confidential patient data records from the UK’s National Health Service.
Now, Denham arguably has the highest profile data-protection case of them all on her desk. It’s her job to investigate Cambridge Analytica, the political consulting firm alleged to have improperly harvested millions of Facebook users’ personal data to influence the US presidential election in favor of Donald Trump, and of the Brexit campaign.
For Denham, there should be no finer moment to demonstrate the ICO’s new powers. There’s just one problem: GDPR has made data-protection pros so sought after that they’re all getting snapped up by the private sector with fat paychecks. This means the ICO must compete for the already small pool of experienced talent with the very companies it’s supposed to be policing: big tech groups, big banks, and big business in general.
Here’s an example of how badly the ICO is outgunned. A case officer, the sort of rank-and-file job that will be needed to handle the influx of cases under GDPR, is being advertised with a salary of £21,001, less than half what such work would attract in the private sector, according to seasoned data-protection pros. “That is absolutely pathetic,” says Rowenna Fielding, a senior data protection lead at consultancy Protecture. “For the level of responsibility and knowledge required for that job, I just don’t know anyone in this industry who could even afford to live on that.”
The ICO is also advertising for a director of investigations and intelligence, a role that will be critical in untangling the complex cases like Cambridge Analytica. It’s offering between £66,000 and £85,000 for the job—a good amount compared with the median for professionals in the UK. But the private sector would offer easily twice as much for such complex work, Fielding says. One attendee at a data-protection conference in London last year summed it up: “You’re paying people peanuts to do a very important job.”
Denham, who was privacy commissioner of British Columbia before coming to the UK, took the ICO job in May 2016. The following month, British voters opted for Brexit.
When the UK leaves the EU, it will no longer be bound by the GDPR, although British businesses are enmeshed in data flows with Europe. This means the UK’s data protection laws must satisfy GDPR requirements if the country wants to maintain the free flow of data between the UK and the EU.
Denham says in the ICO’s latest annual report (pdf) that her agency’s data protection budget must be 70% bigger to account for the heavier burden it faces this year and next. “We’d like our numbers to be protected,” Denham told the Financial Times (paywall) last September. She says she needs to hire 200 more people to take on work generated by the GDPR. But it’s fishing for talent in a very small pond, and the companies the ICO regulates are using far more attractive lures.
Experienced data-protection professionals are few and far between, because of the field’s long-time backwater status in compliance, says Paul Jordan, European managing director of the International Association of Privacy Professionals (IAPP), a global trade body. “The data-protection authorities simply don’t have the necessary funds to compete with the private sector,” Jordan says. “They will struggle not only with retention, but with recruitment of new staff.”
The IAPP has estimated that 75,000 additional data-protection pros are needed, in both the private sector and government, to handle the requirements of GDPR. The group’s ranks have swelled in recent years, growing by 40% in just one quarter last year. The average annual salary for the ICO’s 435 staff last year was around £25,000, or $35,000. In the IAPP’s annual salary survey, the average salary was $85,000 higher during the same period.
Although the IAPP data can’t be directly compared to the ICO numbers, the gap is large even when referencing the IAPP’s own estimates of government versus private-sector salaries. Its data shows that the average member who works for government earned $80,400 in 2017, well below the top earners in the corporate world, who work in hardware and took home nearly twice as much last year.
At a conference for data-protection officers in London last autumn, one speaker, employed by the National Health Service, said he was being offered corporate jobs paying £800 a day for a 12-month contract. Another attendee, who runs a consultancy, told me how she was being pursued with phone calls—five at last count—from recruiters all day. One headhunter, representing a financial institution, was particularly persistent: “One was calling me repeatedly from a mobile phone number,” she said. “Obviously desperate.”