Privacy as a profession is here to stay. Over the last year, privacy has been in the spotlight like never before for corporate decision-makers. This is due, in part, to the EU GDPR (General Data Protection Regulation). For companies conducting business in Europe, there is tremendous risk for failure to properly augment their human capital with experts who can address GDPR compliance prior to May 25, 2018.

Article 37 of the GDPR mandates that a company must appoint a Data Protection Officer (DPO) when it is a public authority or body, or its “core activities” consist of regular and systematic monitoring of data subjects on a large scale, or processing sensitive data on a large scale. The DPO “may be a staff member… or fulfill the tasks on the basis of a service contract.” While some corporations are assigning DPO responsibilities to existing staff, others are turning to a growing niche of consultants both independent and brand-backed to augment their organization, and in some cases, serve as the DPO. A new pathway is emerging for privacy professionals in the global job market—only the jobs might not be for full-time hires, but rather for contract consultants.

The fanaticism surrounding GDPR compliance has created some clear winners in the current job market. Perhaps the biggest is the profession of privacy, which is being evangelized most visibly by the International Association of Privacy Professionals. The IAPP's certification program has quickly become the gold standard for employers seeking instant validation of an individual's expertise in privacy. For the GDPR, the CIPP/E is the certification to get. Accreditations from this certifying body are one of the first things hiring managers ask about when soliciting and evaluating talent for privacy-related roles, specifically DPO positions. The IAPP has seen registration numbers in the last twelve months for the CIPP/E exceed its flagship offering, the CIPP/US, and new registrations could potentially double its certified membership base by 2019. That influx of certified privacy professionals into a job market hungry for GDPR expertise has allowed for organizations to augment their human capital with talent-on-demand.

Corporations are also leveraging contract consulting for GDPR and DPO requirements for the cost savings. The IAPP's 2017 salary survey clocks the average base compensation of a US data protection officer at $148,000/year in the U.S., €95,800/year in the EU and $72,400/year in Canada. For job seekers deeply proficient in privacy, this is abominably low. Yet for some corporations, this feels aggressively high, especially for those that have never had a DPO. As a result, organizations are exploring contract talent augmentation at a lower annual rate. These augmentations can be hourly (rates may vary from $150/hour to $400+/hour depending on scope, skill and time sensitivity), in the form of annual managed service contracts (DPOaaS) or more simply flat-fee pricing for allocated time commitments (six weeks to six months). All of these models share the same assumption that the contractor's services are not needed 40+ hours per week, 52 weeks a year. Ultimately, these contractors are required for significantly less time and can handle multiple contracts concurrently.

Most of the independent privacy consultants fit into one of two categories: moonlighters or missionaries. The moonlighters are typically former counsel who are picking up extra lucrative billings doing GDPR work for boutique clients and not the Fortune 100. The missionaries, on the other hand, are often information warriors skilled in vast discipline areas ranging from cybersecurity to risk analysis, compliance, privacy and more. These individuals have laundry lists of certifications and have found it challenging to find full-time positions at corporations that either compensate at the value desired or can craft a role expansive enough to satisfy their interests, capabilities and impact potential. Thus, they have turned to contract consulting, and the GDPR has been a ripe area to offer their expertise in hopes of deepening relationships and spawning additional work in tertiary disciplines.

For corporations less cost-conscious or wanting the cachet and credibility of an established global brand augmenting their privacy practices, there are two places to turn for talent: law firms and consulting firms. For outside counsel, the GDPR has become a fabulous niche to augment their current cybersecurity, data or information governance practice groups. It has led to hiring fresh talent. Large consulting firms have also rapidly augmented their staff with privacy talent with varying pedigrees. The higher the pedigree, the greater the expectation of driving revenue. For mid-market privacy professionals, the expectation is exclusively service delivery, and there is plenty of that to be had: so much that for some corporations, the bandwidth and availability of trusted consulting and law firm partners between now and June is thin or nonexistent. This has also pushed law firms and consulting firms, like their corporate clients, toward engaging contractors to help deliver service.

Finally, corporations are turning to consultants because their existing staff do not want the job. Organizations are delegating DPO responsibilities to current employees. In theory, this practice makes sense. An incumbent knows a company's culture, data map, and current policies, but many targets for DPO assignment internally do not want to reinvent, re-educate, and evolve nor do they want the burden of responsibility serving as DPO knowing the harsh penalties for failure to comply. Often an external expert is needed to function as the catalyst for change and innovation and consultants are aggressively being retained to complement existing personnel.

The GDPR buzz may be a fad or a forever, but there is no denying the current demand for consultants in the privacy space. Whether or not this trend subsides after May 25 will determine the sustainability of contract GDPR consulting for both buyers and sellers of the service.

Jared Coseglia is the founder and CEO of TRU Staffing Partners, an Inc 5000 Fastest Growing American Company 2016 & 2017 and National Law Journal's #1 Legal Staffing Agency, and has over 15 years of experience representing thousands of professionals in e-discovery and cybersecurity throughout the world.