Mystery to Mastery: Real Insights into Starting a Career in Privacy
Seçil Bilgiç[1]♦
As data sovereignty laws continue to rise, under what rules should a global company conduct the cross-border data transfers that are essential for its day-to-day operations?
While annual recurring revenue is still the most important metric in IPO processes for software companies, how should we interpret the reference to termination under the EU Data Act?
In countries like Costa Rica, where the personal data protection law does not recognize legitimate interest as a legal basis, could relying on employee consent as the basis for processing create an issue regarding the lawfulness of such data processing activities?
How should the specific thresholds for different data types be tracked and recorded for the categories of data listed in the U.S. Executive Order on Bulk Sensitive Data?
These are the types of questions you may encounter, sometimes all in the same day, when you are a data privacy lawyer working for a global tech company. With data and AI at the center of nearly all business strategies, in today’s world, data privacy is an important area, not just for tech companies, but for all types of businesses. Accordingly, it is also a promising career path for both lawyers and non-lawyers.
Being in this ever-growing and ever-changing field, I regularly receive questions from within and outside my network on how to break into the data privacy world. While I am sure I am not the only privacy professional receiving these questions, I suspect one additional reason why I receive more questions in this area is that my career reflects an interesting paradox: I have both experience in the privacy field long enough to have witnessed how it has evolved over time and firsthand experience transitioning into it from other legal roles.
I transitioned to a full-time privacy role as an in-house tech transactions lawyer and I first broke into an in-house tech transactions role from an M&A/Corporate private practice background. While I have always worked on data privacy in all my roles (either as part of an M&A due-diligence or corporate compliance projects or negotiation of data processing addendums or business associate addendums as part of transactions), data privacy was also not my first job after law school. I was also recently hiring a privacy professional in Europe where my inbox filled with dozens of messages from people from very different backgrounds aiming to break into the privacy world.
After finding myself repeating the same tips to a non-lawyer friend in in-house legal operations, a lawyer friend doing Big Law litigation, and a newly graduated law student a friend put in touch with me (all within 48 hours) I realized there was a real need to aggregate the (real) guidance and insights I can offer to candidates aspiring to break into the data privacy world. So, in this piece, I will go through the frequently asked questions I receive and the common questions that I ask people who want to build a career in privacy.
So, why do you want to practice data privacy?
When someone—whether a lawyer, law student, or non-legal professional—asks me how to break into privacy, the first thing I ask in return is simple: Why privacy?
While listening to their answer, I often find myself thinking about David Riesman’s classic sociology book The Lonely Crowd, where he describes three character types in societies: tradition-directed, inner-directed, and other-directed individuals. In this book, Riesman says, while making big life decisions, such as building a career, “tradition-directed” individuals rely on customs (e.g. choosing law as a career because law is a reputable profession in the society), “other-directed” individuals look to their peers (e.g. being a lawyer because every other classmate became a lawyer after law school), and “inner-directed” individuals follow their internal compass (e.g. being a lawyer because you love drafting and negotiating contracts). I think of this framework because though I talked to nearly a hundred people who wanted to have a career in privacy, I realized many of them struggled to explain their motivation beyond saying “it looks exciting”. This made me suspect that maybe their interest in the privacy world is an inner-directed endeavor.
And privacy is exciting. High-profile headline-grabbing privacy fines, expanding regulations, working at the forefront of technology, data, and AI, and the novelty of the work are incredibly stimulating. When I was in law school, few imagined a career in data privacy; today, it’s a recognized option across multiple disciplines.
But, what you don’t see in privacy conferences, LinkedIn posts, or even a quick networking event is that, in many respects, privacy work is challenging and often thankless. Much of what makes a privacy function successful, such as risk mitigation, responsible design, careful documentation, and preventing future harms, happens quietly and without fanfare. Unlike a commercial transactions lawyer who can proudly point to a signed MSA or a litigation lawyer celebrating a successful case as a tangible win receiving praises from across their organization, privacy successes often remain invisible precisely because the risks never materialize.
This is why I describe privacy as an adventure. It is full of discovery, complexity, and real impact. But, like any adventure, it also comes with obstacles, uncertainty, and the occasional dragon, excuse me, draconian laws. You need more than curiosity to navigate it; you need conviction.
So ask yourself: Why do you want to pursue this path? Is it because others around you are heading in this direction? Because it’s become an acceptable transition from Big Law? Or because you genuinely enjoy digging into a 200-page regulation and translating it into clear, practical guidance for a business?
If your motivation aligns with that third category—if the challenge itself energizes you—then privacy may truly be your adventure. And once you’re confident this is the right path, the next step is understanding which type of privacy role best matches your strengths and interests.
Which data privacy role would be right for you?
Although privacy continues to expand through new regulations, as mentioned above, it is no longer a new field, to the extent that nowadays certain privacy career tracks exist in our profession. In her piece titled From CIPP to career: Mapping the next chapter of privacy work, Teresa Troester-Falk outlines these tracks by focusing on the primary outcome of certain privacy work. She says the outcome for a ‘privacy legal’ career path is to ‘make [privacy] defensible’, while the outcome of a ‘privacy operations’ career path is to ‘make [privacy] durable’, and lastly the outcome of the ‘privacy technology’ roles is to ‘make [privacy] work in systems’. Her framework is helpful, although I would add that there is a great variation within each track as well. Given my legal background, I will dive into the variation within privacy legal roles.
First, as in all legal career paths, your experience will differ considerably depending on whether you join private practice, an SME as their first privacy counsel, or a large enterprise as one of many privacy specialists. While two companies may be advertising the same role with the same title, the roles may be as different as night and day.
While every privacy professional will be managing competing demands and complex work streams, complexity and competition will vary depending on the privacy team and the company. If you want a career in privacy, you will first need to understand which type of privacy role would be the best for your character and skill set as there is a wide variability of modern privacy roles based on the magnitude of the privacy team and the company’s business. Here I will list some exemplary differences to give you an idea.
Big vs Small Team: Privacy counsels in large enterprises, consultancies, or law firms will often focus on specific functional areas (such as ad-tech privacy), workstreams (DPIAs or ROPAs), or jurisdictions (such as the UK). If you join an international company as their first or only privacy counsel, by contrast, you will advise globally. You will work with every stakeholder in the company, ranging from engineering to marketing to HR. For example, I remember I asked a lawyer working in the London branch of a global law firm a question about an EU country and she simply said “I only advise on the UK GDPR”. Similarly, I was asking a lawyer in a global consultancy whether she sees a specific type of DPA redline and she said her role only involves documentation under GDPR, and not contract negotiations. If you join a very small team, there is less likelihood of such specialization as most likely you will not only cover all privacy laws but also all aspects, such as policy drafting/update, DPA negotiations, record of processing activities (ROPA) and data protection impact assessment (DPIA) preparation and update, and data breach response.
Guided learning vs self-learning: Similarly, if you join a very large enterprise or a consultancy, you will have more structure, more guidance, and more stability. The most important advantage of joining a well-structured and big privacy team is to get guidance and training from your managers, who have done your task at that organization, know stakeholders, and know the industry. If you join a global consultancy firm as a data privacy analyst, you will most likely start learning the practice from scratch and will have a manager or peer to ask your questions when you stumble on a new area. If you join a very small team or become a solo in-house privacy practitioner, it will be more difficult if not impossible to seek guidance on novel topics, such as guidance when you’re doing your very first ROPA or guidance on how to implement a brand new regulation. You will need to compensate for this by spending more time on training, reading, and creating your own community where you can ask your privacy questions.
Stability vs Self-Navigation: Another important distinction concerns role stability. In a large team with a defined specialty, your responsibilities often remain stable. If you are the only privacy counsel or part of a very small team, your role and responsibilities evolve constantly. You learn fast, often on the job. Internal clients will bring you questions on new legislation or court decisions before you have fully processed them. These moments will offer a chance to deepen your expertise while supporting your business partners in real time, but will require ruthless prioritization and benefit from eternal curiosity. It may force/enable you to progress in your career a lot faster by having the opportunity to lead bigger privacy projects, but you will also spend more time on project management and juggling different internal stakeholders. While this is true in many areas, the tumultuous nature of data privacy and all the new or incoming regulations on data, tech, and cybersecurity make privacy more prone to change as it is a newer area.
Scope of work: Privacy counsels in small teams or solo privacy counsels will also need to be comfortable balancing breadth and depth. While a specialist in a big enterprise or large consultancy may only follow developments in a certain area (such as children’s privacy) or in one jurisdiction (such as just the UK GDPR), a sole privacy counsel must track multiple regulators, courts, and legislatures. Despite the assumptions of our clients, knowing each country’s data protection law by heart is simply not possible. Instead, you will need a methodical approach, strong organizational skills, and comfort with the 80-20 rule in learning new areas. If you want to become a specialist in a given domain, then you might want to join a bigger team, whereas if you’re comfortable with 80-20 and you like switching gears, you might like a small team.
Ruthless prioritization: Ruthless prioritization is a key skill in the privacy realm since every stakeholder in the company will have a privacy component to their work streams. That’s why in each role, you must align closely with your leadership on priorities. For example, if you’re doing employment law, your number one internal client is HR, or if you’re doing commercial law, your number one internal client is sales, while if you’re doing privacy, everyone is your number one client. There is an opportunity cost in choosing which regulation to study or which client to advise first. Effective prioritization ensures you invest your energy where it matters most for your company’s strategic goals. This will often be more difficult for a solo privacy counsel as you need to work on prioritization between equally important goals of different functions or jurisdictions whereas you'll adopt ready-made prioritization in larger teams.
For some, this dynamic environment is energizing. For others, it can feel chaotic. The gap between localized and global privacy roles is significant. This is why, after understanding why you want a privacy role, the next step is choosing the type of role that suits your character, your appetite for ambiguity, and your preferred depth of work and learning, taking into account, of course, the company’s experience requirements and the responsibility and compensation associated with the role.
After the soul searching and the market research, you will need to land your first privacy role. Below are the top five questions I receive from people who want to break into the privacy world to help them prepare for this goal, and my humble responses.
Do I need to get a privacy certification?
A privacy certification is a helpful heuristic for your expertise in the area, but it is not the only way to master privacy laws or signal expertise. There are certain undeniable advantages of having privacy certifications. They can help recruiters identify you, as recruiters will often use certifications as a key search word in their candidate research. They also provide hiring managers with a sense of your baseline knowledge: they most likely also have done a certification and can assume you know the requirements.
However, certifications remain theoretical and do not demonstrate day-to-day practical capability. Even if you aced the certification exam, you will still learn the job on the job. I’ve also realized most people asking whether a certification is really necessary are asking because of the insignificant costs associated with such certifications and exams. I even talked to someone who frankly said the training and exam cost as much as her current rent, and she would really struggle paying them as she was in between jobs. A certification is helpful, but it is not a must-have, and I realized this was the first time she heard someone say this.
Since training and exam costs can be significant, you should weigh the investment carefully. If it is manageable, it can be beneficial. If it is prohibitive, focus on other signals such as academic work, prior experience, or targeted courses. Your existing experience in negotiating DPAs is more important than your certification. Similarly, there are many free courses online and law firms have amazing public sources that you can use. In the age of AI, it is really not that difficult getting a high level understanding of a regulation and if you choose this as your learning path, you will also signal self-learning which is a must-have skill for privacy.
Here are a few resources that I would recommend starting with: data privacy sections of Bird & Bird, White & Case, Norton Rose Fulbright, Taylor Wessing, newsletters from Frost Brown Todd, noyb, Openli, Lexology, events by OneTrust, and of course any resource or event by the Centre for Information Policy Leadership.
If I need to get a certification, which one should I start with?
Most professionals begin with a GDPR-focused certification since GDPR is still considered the global reference point. Most privacy roles incorporate GDPR elements, so it is usually the most strategic choice unless you have a country-specific focus. Of course, if you’re looking into more specialized roles, such as US privacy law or Brazil privacy law, start with learning those areas first.
Before you do other certifications, reach out to people who have already done them and ask them about the key benefits they saw while doing the certifications. That will give you an idea whether the other certification deserves to be your learning priority, because there will always be an area you need to learn. To give you an idea, I have a DPO friend in the UK and a DPO friend in Italy. They both did an AI certification within the same month; one thought that it was absolutely amazing while the other one said it was too disorganized and basic. So, the beauty and benefit of certifications are in the eye of the beholder.
How can I build my network in the privacy world?
Paid privacy communities exist and can be useful if cost is not a concern. For free options, sign up for law firm and privacy company newsletters. These often lead you to free webinars, panels, and training opportunities. There is no shortage of privacy events if you are willing to sift through marketing communications. Check data privacy pages of the biggest global law firms and sign up to their newsletters and business development updates.
Personally, I also meet with many people via LinkedIn. Reaching out, either through engagement on a piece of writing or a direct message to meet, is not often used in the legal world, but is still highly effective!
Which privacy role is right for me?
Please refer to the “Which data privacy role would be right for you?” section. As explained there, no two privacy roles are the same. Some roles center on negotiating DPAs while others focus on operationalizing frameworks or covering AI. Review job descriptions and evaluate whether your transferable skills align with the role. A transactional lawyer may transition easily into DPA negotiations. Someone with an operations background may find privacy program management intuitive. However, a person without negotiation experience may struggle in a role focused primarily on contractual work. Make sure you understand the role’s requirements and show how your transferable skills will help you in this role.
I see many different titles, from regulatory counsel to privacy counsel to data responsibility counsel. How do they differ?
Titles often reflect company-specific naming conventions rather than clear industry standards. A privacy counsel role in one company may include more AI responsibilities than a privacy and AI role in another. Always read the job requirements closely and ask questions in interviews about day-to-day tasks and team structure. Not asking questions in an interview is rarely a positive signal and given the wide variety of privacy roles, there is always an area to learn more about the position.
Here are the questions you must ask in an interview if you’re not sure:
- How big is the privacy team?
- Which department is the privacy function in (compliance, legal, or information security)?
- Does the role involve contract negotiations? If yes, which contracts?
- Is there any operations team that would be helping the privacy function?
- Which countries does the company operate in?
- How would they describe the maturity of the company’s privacy programme?
- Does the role cover AI governance?
- Does the role cover other data regulations, such as the Data Act, or resiliency regulations, such as DORA?
Where should you start?
A career change is a big life decision. It takes time, especially in the current job market. If you cannot fully transition to a privacy role, a great interim solution could be taking on (more) privacy responsibility in your current role or applying to positions that involve privacy as well. For example, many commercial transaction roles nowadays will require you to negotiate DPAs and BAAs, and many employment lawyers will need to have a working understanding of privacy requirements, and that could be the start of your privacy journey. Then, when you apply to your first full-time privacy position, you can highlight these experiences, which will be invaluable to the hiring manager.
Similarly, learning is an everlasting journey in this field. Start reading in an area that excites you, noting that blogs, LinkedIn posts and Substacks are usually much more helpful given the pace of the developments in this area, and feel free to reach out to the authors of those pieces. Anything you learn and anyone you meet will be an important step taken towards your goal. No one expects you to recite Article 36 of the GDPR from memory, but if you can articulate an informed perspective on whether special categories of data can be lawfully used in AI training, you can be sure any hiring manager will take notice.
Bio
Seçil Bilgiç is an attorney at law specializing in tech transactions, data privacy, and data regulations. Currently, Seçil is Head of Global Privacy / Data Protection Officer at Cohesity, the world’s largest data protection software provider. She has built the combined company’s data privacy programme after Cohesity’s merger with Veritas and is responsible for managing its global data privacy and data responsibility program. Before Cohesity, she was an M&A/Corporate associate at White & Case law firm.
Member of both the New York State Bar and Istanbul Bar Association, Seçil holds an LL.M. degree from Harvard Law School, where she completed her studies as a Fulbright Scholar. She graduated from Koç University (Istanbul) with a double major in law and international relations and as the Valedictorian of both departments. Her publications include "Digital Evidence Collection in Turkey" chapter in the Cambridge Handbook on Digital Evidence in Criminal Matters and "The Privacy Crisis under the Cloud Act" published by Harvard Journal of Law & Technology.
[1]♦ Opinions expressed are solely my own and do not reflect or express the views or opinions of my employer or affiliates, and should not be considered as legal advice.
