By Eloïse Gratton, Partner and National Co-leader, Privacy and Data Protection, BLG
If you are in the privacy field in Canada, you may recognize my name — but I didn’t start out as the national co-leader of the privacy and data protection group at Canada’s largest law firm. Instead, my career began as a technology lawyer at a Montréal start-up.
Over the last few years, I have led BLG’s recruiting blitz for this exploding area of law and I’m often asked for advice on how to become a privacy lawyer. These 10 tips will help get you in the door — and on the path to success — whether you’re looking to join a large privacy team at a big-name firm, become the go-to at a boutique office or take an in-house privacy role.
Tip #1: Go deep on technology and tech trends
As a privacy lawyer, the greater your knowledge and skills with technology, the greater value you offer your clients, particularly their technology and business teams.
To put things in context, technological innovation has created radical disruption in our economy over the last two decades. More than half of the Fortune 500 companies from 2000 no longer exist, mainly because of digital transformation. While it used to take Fortune 500 companies 20 years to reach the $1 billion valuation mark, today’s digital startups are getting there in four years.
We are fortunate that most of BLG’s Montréal team (plus Brad Freedman in Vancouver) have a technology law background. For instance, BLG’s Max Jarvie previously worked as a project manager for a technology company. Today, he can have in-depth conversations with clients’ technical teams and is developing niche expertise in fintech and AI. Andy Nagy would have been a software developer if he didn’t become a lawyer.
Tip #2: Eat, drink, breathe and sleep privacy
What separates great privacy lawyers from the rest is their passion for privacy. You need an unquenchable thirst for the practice area to manage the early learning curve, conduct benchmarking, dig into the nuances of specific client scenarios and stay on top of the latest developments, including what’s on the radar of privacy regulators. Only true passion for this topic will motivate you to grapple with context-dependent consent, determining when a business practice is reasonable, identifying the type of information that is truly necessary in a given context, and defining adequacy when it comes to security measures.
Tip #3: Cultivate creativity
Everyone is creative, but sometimes a rigid definition of creativity prompts us to say we’re not. For good privacy lawyers, creativity is about a never-ending search for new: new technologies and business practices, new ways of communicating risks and options to clients, new tools to help clients achieve privacy compliance, new ways to think about problems no one has tackled yet, and new solutions to mitigate privacy risks.
Tip #4: Find your sweet spot
Finding your niche within privacy can take you many places. A few of us have worked in academia. Others have worked in-house. Then there’s specialization within privacy law.
At BLG, the Montréal team mostly focuses on privacy advisory and compliance work for private sector businesses. Dan Michaluk has developed expertise in employment privacy, particularly the needs of education and public sector organizations. Eric Charleston has unique expertise in cyber insurance, making him the go-to after a security breach. Both Dan and Eric have litigation backgrounds, giving them valuable insight into how to manage a cybersecurity event, including maintaining legal privilege and preserving evidence.
Commercial law experience is helpful for dealing with complex technology agreements and the privacy and cyber aspects of M&A deals, including conducting privacy due diligence, preparing reps and warranties, and knowing what issues to manage once the transaction has closed. Brad Freedman is developing a client offering for this type of work.
Tip #5: Be a bookworm
Reading is routine for all lawyers. With privacy law, where new is old in a matter of months, it needs to be an obsession. Voracious readers stay on top of new technologies, business tools, trends, risks and legal developments, including the overwhelming number of decisions and guides published by privacy regulators around the globe.
Great privacy lawyers also share their knowledge for others to read. Some of us have blogs on privacy, information and cyber law (see Dan’s blog, Brad’s blog and my blog) and several of us have published books. I published my first internet privacy book back in 2003, while Julie Gauthier recently published a book on biometric information, Simon Du Perron wrote a book on big data, AI and privacy, and the whole BLG privacy team contributed to a recent LexisNexis book, Managing Privacy in a Connected World.
Tip #6: Stay in school
When it comes to learning how to become a privacy lawyer, post-graduate studies are a great teacher. They train us to stay curious, question everything, write well and power read.
A quick survey of the BLG team shows that many of us have an academic background. I have a master’s in IT law and a PhD in privacy. My co-leader, Elisa Henry, has two master’s degrees. Max Jarvie, our resident thinker, has a PhD in philosophy. Many of us (including Julie Gauthier, Anthony Hémond, François Joli-Coeur and Simon Du Perron) have master’s degrees in IT law or privacy and Daniel-Nicolas El Khoury has a master’s degree in business administration.
Privacy and cyber risks are increasingly on the radar of executive officers and board members looking to incorporate privacy and data management into their environmental, social and governance (ESG) reporting framework. To understand their role, challenges, decision-making process and new reality, I took the corporate governance certification with the Institute of Corporate Directors last year.
Tip #7: Build your people skills
Relationships are at the core of a privacy lawyer’s practice. Because privacy touches so many areas of law, we collaborate within the firm with colleagues in commercial law, labour and employment, financial services, litigation, real estate, and more. We work closely with our clients’ legal and compliance departments and their business teams, such as risk, marketing, digital, HR, procurement, IT and security. Needless to say, we often have to adjust our approach to make sure that we properly understand their needs and communicate well (see tips 8 and 9).
Tip #8: Practice client-focused communication
Clients today aren’t interested in simply being told what the law says. Good privacy lawyers translate their knowledge into tailor-made recommendations that have clear objectives and are succinct, easy-to-understand, actionable and based on an understanding of the risk-reward relationship. We provide roadmaps, timetables and success metrics, and offer advice that is useful to business teams and can be easily shared with the board. We offer training on what’s around the corner, help with privacy impact assessments and run tabletop exercises to test breach response plans. We’re also whizzes at PowerPoint.
Tip #9: Sharpen your business acumen
Privacy law is often less about “the law” and more about how to apply it to specific business practices. Good privacy lawyers avoid making unrealistic recommendations, particularly when it comes to risk management and compliance. They have a strategic mindset and offer clients advice on new projects, products, practices, technologies and how to strategically and efficiently manage a security breach. A number of our privacy lawyers have spent time working for media companies, airlines, airports, cloud service providers, cyber forensic firms and tech start-ups — in-house experience that gives a deep understanding of the impacts of privacy on the day-to-day operations of a business.
Tip #10: Take a global perspective
Businesses have global operations, so privacy lawyers need a basic understanding of foreign laws to review global privacy policies and procedures related to the processing of personal information. International experience and credentials have become table stakes.
At BLG, Elisa Henry, who is a member of the Paris Bar, and Anthony Hémond, can advise clients on the EU GDPR and global risks. Eric Charleston, who has practiced in the U.S., and François Joli-Coeur, a member of the California Bar, can offer nuanced advice to clients with operations south of the border.
In closing, I wouldn’t expect an associate with three years of experience to tick all these boxes from the get-go. Use these tips to evaluate your next step. Look for opportunities that will give you business experience, make you more tech savvy, train your academic mind, expose you to other practice areas, cultivate your passion for privacy, make you a more creative problem solver, strengthen your communication skills and give you global experience.
You’ll be in good company. After all, very few privacy leaders in Canada have walked a straight path, including myself. Of course, if you already have what it takes to be a great privacy lawyer, keep an eye out for our next privacy associate posting on blg.com! We are always looking for talented lawyers to join BLG’s growing, national privacy team.