Europe will need an estimated 28,000 privacy specialists under the newly-minted EU data protection regulation, according to industry group International Association of Privacy Professionals (IAPP.)
The European Parliament approved the new privacy rules only last week after gruelling four-year negotiations. While the regulation sharpens safeguards on consumers’ personal data, lawyers and privacy experts are set to benefit from the rules once they go into effect in 2018.
IAPP, an international association representing privacy workers, says specialists in the area are going to cash in as a result of the EU rules.
Companies and public authorities that process or handle sensitive personal data will be required to hire in-house privacy officers under the regulation. Those officers don’t have to be lawyers, but need to prove they are knowledgeable about the new privacy rules.
IAPP estimates that private companies will need to hire an additional 24,000 specialists, while government offices around the EU will need to beef up their staff by adding an estimated total of 4,000 legal counsellors working on privacy.
Trevor Hughes, IAPP’s CEO, called the figures an “incredibly conservative” estimate.
Hughes said a significant portion of those jobs may be filled by companies requiring current employees to take additional training on the data protection regulation.
The average salary for privacy workers in the EU was around €79,000 in 2015, according to the group’s statistics.
But the newly in-demand specialists are still paid significantly less than their counterparts in the United States, where the average salary was $126,992 last year, or around €112,000.
Data protection officers are around the same age, 43-44, in both the US and the EU.
Privacy specialists working in banking were the best paid, while the public sector paid the worst.
Hughes said government offices looking to hire data protection officers struggle to compete with those employers who have deeper pockets.
“That’s a very tough thing. You have to be find someone who is not only an expert but really passionate about public service to fill these jobs,” Hughes said.
But Hughes said he’s “fairly confident we’ll see an upward surge in salaries” in Europe too.
Privacy officers in US-based companies often earn more because they’re more likely to hold executive-level jobs.
In Europe, similar jobs are focused on complying with EU law but often don’t go beyond that, according to Hughes.
As tough as it is to fill jobs for data protection specialists, it could be worse in some other technical fields.
“We are going to see enormous marketplace pressures on data protection professionals. I think the one profession that outmatches what is to come for data protection is cybersecurity and information security,” Hughes said.
EurActiv.com previously reported on the EU cybersecurity agency ENISA’s struggles to recruit staff with technical knowledge. Part of the problem is that private companies, especially banks, offer much higher salaries than government offices.
Udo Helmbrecht, director of ENISA, said it’s hard to pinpoint how many cybersecurity jobs are currently open in Europe.
But he said there are clearly “not enough educated and skilled people in Europe right now”.
Within the last five or six years, many universities in Europe made cybersecurity courses a mandatory part of computer science degree programmes, which Helmbrecht described as progress towards filling the sector’s job gap.
But it will still take several years until that translates into a larger cybersecurity workforce.
“If these people are 20 years old now, it takes time for them to study, get experience and start working in a company somewhere,” Helmbrecht said.
He said there are generally more skilled workers from EU countries with longer established tech industries, like Finland, Germany, the UK, France, Estonia and the Netherlands.
“They’re historically more advanced,” Helmbrecht said.
Because companies in a broad range of sectors will have to comply with the new data protection rules if they handle personal data, there could be a hiring spree across the EU.
Hughes said London, Dublin, Amsterdam and Brussels would stand out as major spots where companies will hire data protection specialists because of the financial and tech industries and also because of government offices in the EU capital.
“But also in Berlin and Paris, Frankfurt. In all the major financial centres you’ll see concentrations,” Hughes said.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.