The European Union’s General Data Protection Regulation (GDPR) has created a new urgency for US based firms to refine how they collect, manage, and distribute customer and employee data. For US firms, upgrading data protection compliance procedures will not just be a concern related to European operations. California has passed a measure, The California Consumer Privacy Act of 2018, which is partially modelled after GDPR. An examination of The Conference Board Help Wanted OnLine® (HWOL) Data Series illustrates the mix of IT, legal, managerial, and marketing talent that companies will need to meet these new compliance challenges without sacrificing their digital ambitions. HWOL, produced by The Conference Board and CEB, Inc., generates detailed timeseries of online job ads for the US, regions, states, MSAs, and counties by occupational level.

Under GDPR, individuals are guaranteed new rights over whether and how their personal data is collected and used by companies – including providing explicit consent and having the right to be forgotten. Companies must also adhere to new practices and standards, such as reporting a data breach, within 72 hours. Failure to meet these obligations can result in fines of 20 million euros, or 4% of company revenue, whichever is larger. The regulation, passed in April 2016, applies to any US company that stores or processes the personal data of European based customers and employees, or uses a European-based data processor organization, such as a company subsidiary or external cloud service provider. American firms gradually realized that they could run afoul of the measure while working with customers and employees based in Europe.  For example, as The Conference Board’s recent report The Long Arm of the Law: GDPR’s Impact on HR Data details, US human capital practitioners will have to meet GDPR’s rigorous standards in order to maximize the performance of global organizations.

According to Help Wanted OnLine®data, in the year prior to GDPR’s May 2018 implementation, online job ads that mentioned “GDPR” or “General Data Protection Regulation.” in a keyword search, increased 10-fold in the US. Google Trends data, which measures US user searches for “GDPR”, showed a similar delayed pickup in user interest. Searches only reached a fifth of peak volume in April, less than a month before the regulation was implemented and notifications of GDPR compliance procedures began flooding customer inboxes. The surge in demand for experts to deal with the European regulation is unlikely to abate soon. The California measure described above is set for implementation in 2020 and other states and countries may follow. Knowing who the key compliance figures are is critical in determining how to react to new initiatives as they are enacted.

Chart 1: Firms began hiring for GDPR skills early in 2018 in earnest even though the pending regulation had been announced by the European Commission two years before.

Sources: The Conference Board Help Wanted OnLine® and Google Trends

What are the job functions firms are seeking when they ask for GDPR knowledge and skills? Information security analysts, lawyers, and computer and information systems managers lead the way. This is hardly surprising. The regulation requires firms to be able to carefully control customer and employee data and to delete and provide such data to stakeholders upon request. These positions were critical in shaping the near ubiquitous announcements firms sent to customers announcing that they had updated internal data management practices to comply with GDPR.

In 2018, positions in marketing like marketing managers and market research analysts began to rise in share of GDPR ads, signaling a shift in firms from a technical to strategic focus as companies wanted to ensure that their ability to promote products to European customers would not be disrupted by the new regulation. These customers are often difficult to identify due to the difficulty of determining customer location from email addresses[1]. Human resource departments in the US do not frequently include the terms GDPR or “General Data Protection Regulation” in job descriptions. Just 37 ads mentioning GDPR have been posted in 2018 for human resource related positions. This does not necessarily mean GDPR is being ignored as an HR concern. Other departments such as IT, legal, and data privacy can lead the way in designing data management strategy and developing compliance protocols, but it is critical that HR be included in these discussions as they know best what employee data are kept and how they are being utilized. HR professionals therefore need to learn about GDPR and how it may affect their ability to manage data and implement integrated human resource analytics programs across international borders.

Chart 2: Information security and legal occupations account for most GDPR job postings, but business functions like marketing are starting to see more interest in GDPR skills.

Source: The Conference Board Help Wanted OnLine® 

The geographic distribution of GDPR online ads suggests a clear tilt towards traditional tech hubs like the Bay Area.  San Francisco and San Jose accounted for 16% percent of all ads in 2017 and 13% in 2018. The New York metro area led the way both years suggesting the role played by the global and data intensive nature of finance. 2018 ads so far have been a bit more diffuse than those published in 2017 with the top ten cities in 2017, which accounted for 66% of ad volume, accounting for 56% in 2018. Chicago, San Diego, Austin, Portland, and Houston were among the cities experiencing the largest ad volume upticks in 2018. Still, the concentration of positions in tech hubs illustrates the role consultants and remote work play in these new jobs, and the ability of firms wherever they are located to engage the best available US based talent.