my journey into data protection, part one
Growing up, I wished for more radical honesty and openness around careers and opportunities online. How others achieved anything was beyond me. I was simply missing the experience and maturity to at least even guess how others' successes came to be, so it was often a big mystery to me.

Many people are ashamed of freely sharing what it actually took. I guess some feel that if they reveal it, people will nitpick about what could have been done better, some guard their connections, others don't want to put out there that they're actually a 'nepo baby'. People are embarrassed about the failures on the way and would prefer to make it all seem effortless and instant on the outside.

I want to do my part to be as open as is sensible about my path of trying to work in data protection/privacy; my challenges and my failures, the reasons for doing what I did, and my thoughts during some of the difficult moments and choices.

I originally wanted to keep updating this for years until I hit a specific milestone and then release it, but even just writing down everything that happened until now was a lot. So I guess there will be two parts, with the second part coming one day :)

I actually used to think I was too stupid for law. I admired law students and was secretly jealous, because I was intrigued but thought I could never do it. In 2017-2018, right as the GDPR was soon coming into effect, I saw lots of ads about Data Protection Officers, as they'd be needed soon. Offers for companies to send their employees to 2-week crash courses, or companies emerging whose lawyers could be your external officers. I saw these ads and thought: "Wow, this would be so cool. But no shot that I could actually do it." After all, I'm probably bad at law, and I was only working as a trainee at the time. Only the established IT guys would be sent to these courses, right?
I was very interested in privacy online already at that point, but more focused on reducing unnecessary tracking and deleting social media.

In the school part of my traineeship, I actually did have to learn some law, and I was surprisingly good at it. Soon after, I found out you don't always need to become a full on lawyer via the two Staatsexamen (state exams) in Germany - you can also do a Bachelor of Laws (LL.B). That would fit me more!

I chose to enroll in a distance learning university in 2022 to do the degree part-time, as I had finished my traineeship and began a full-time position at the same place in 2021. At that point, I did that just for me, with no goals to make this relevant for my career in any way. That enabled me to take it slow with no pressure to finish as quickly as possible or with the best grades. Still, I started my studies with great grades.

The degree had some elective courses, and one of them was data protection law. That made me even more interested (daring to dream, and all) and soon after, I considered taking that elective in the Winter semester of 2024/2025 to make sure it really suits me and learn more. It went great and cemented my interest and passion for the field.

Months prior, I had seen that the same university offered a 1.5y Advanced Studies degree that would also certify as a Data Protection Consultant upon completion and enable work as a Data Protection Officer. The problem: To qualify, you needed a finished Bachelor degree or more. I'd been almost halfway through mine, but it would still be years, and who knows if I'd truly be able to finish it successfully? So I looked more deeply into it, and on one sub-page, they sneakily added an exception for people who had no degree but whose work involved data protection law concerns. To prove that, they required a CV signed by you, and a document from your employer confirming it. I shot my shot and asked my (very nice and supportive) boss, and she was on board.
Admittedly, we exaggerated some parts of the work and tried to focus hard on the few things that would fit, like the way I managed the user accounts in our database.

I applied for the program, and I got accepted in November 2024! I couldn't be happier. It cost close to 3k, and I paid it off in 10 months (March - December 2025), no interest. It's meant to be completed as two exams a semester, but I ended up grinding hard and finishing it early, taking all 6 exams in one semester (6 months instead of the 1.5y), all while continuing full time work and my part time LL.B.

During that program, I was looking to gain more experience and network connections in the field, so I messaged the Data Protection Officer at my place of work. I said I have questions about the field in general and the job itself, and wanted his advice on what people looking to enter the field should do or bring to the table. He accepted gladly, and we kept meeting up like every other month for over a year to discuss things, like questions I had about specific paragraphs and principles, or how to implement something in practice. He shared a lot of practical tips with me as well as how our workplace had implemented Microsoft or OpenAI products. He also took a lot of interest in the exams I wrote!

In July 2025, I started volunteering for noyb.eu. I became a Country Reporter first for Germany, later also for Austria. That helped me in multiple ways:

- I kept up-to-date with current legislation, cases and problems via their newsletters, blog posts, and internal communication, like their interesting presentations during the Country Reporter meetings.
- It gave me a space to connect with like-minded people.
- I was practicing reading case law and writing English legal jargon.
- I could build up a reputation in the space.

I also chose to attend the Beschäftigendatenschutztag 2025 in Munich at the end of October 2025 (just as I had finished the cert) for a similar reason: I wanted to learn from others, show presence and get a feel for how the professionals discuss. I sadly couldn't attend the Datenschutzkonferenz that year. These events are super ultra expensive. Usually, companies cover their employees' fees when sending them there, but... no one was sending me. I wasn't hired in any role that would make my employer send me there and cover the costs, so I had to do it on my own. I got a student discount of 50%, which brought it down to a little over 500 Euro. Still expensive for me, though. I didn't live anywhere near Munich, so my lovely wife suggested we stay at my in-laws' place near Nuremberg for the week and I take the train to Munich for the two event days.

I was ready to put myself out there. I wanted to put all of my experience and credentials so far to good use and learn more, so I started asking for more data protection related tasks at work. Our DPO had become my mentor by that point and would have loved to work with me and could use the help, so I requested that. Unfortunately, leadership was neither wanting to create a new role in his team, nor interested in allowing me to internally transfer there. They saw data protection as an annoying topic and did not want more people working in it. That gave me my first taste of how employers would see me...

My boss, meanwhile, tried to involve me in new projects that were tangentially related as best as she could as I kept asking for that, but most things fell through or were not giving me enough to chew on, through no fault of any of us. Unfortunately, my employer struggled with a lot of budget cuts at the time, which didn't help.

My job involves a lot of pharmaceutical health data, and it's a part I love about it. So, I decided that as best as I could, I would like to specialize in data protection around health data. A promising niche, as AI and projects combining health databases all around the world could lead to amazing breakthroughs, but needed a lot of safety and oversight. Hopefully, I could combine my experience working for my employer with my extra qualifications.

Luckily they had just built up a research data center that would focus on health data, and were searching for a Data Protection Consultant for it. Their wishlist was intense: A finished degree in law, IT, and related fields, ideally the state exams. I knew though that our place always gets a very small number of applications and such lists in job postings are always the ideal candidate, and many places usually have to settle for less. I easily suited the rest of the requirements and the tasks for the job. And why not just try? The worst that could happen is a no. So I applied.

First, they extended the application deadline. I already knew it was hopeless by then. Then they rejected me, and re-posted it externally. Even 5 months later, that spot doesn't seem to have been filled, but the listing is gone as well. They'd rather hire no one, than hire me, because of a missing Bachelor/Masters degree or StEx, despite:

- Me being halfway done with the Bachelor degree,
- Having the Advanced Studies Degree,
- Already having worked there for years, no onboarding needed, knowing the organization and its processes well,
- Both my boss and my mentor (our DPO) who would have sung praises about me and were named as references in my application,
- Had a document proving I had already attended events in the industry, and
- My volunteer work showing I am passionate, hardworking and always up-to-date on the field.

I assume I was already filtered out by HR, because HR doesn't know how to properly judge the qualifications in that field. For many people, law is when you are a full lawyer with both state exams, and that's it (like I used to think!). They don't know much about the LL.B or LL.M, and they sure as hell don't know the extra degree you can get on top of a Bachelor's degree (or in my case, as an exception, if your work qualifies you). What should have qualified me to at least get an interview got me thrown out of the (non-existent) pile even though I was very likely the only applicant.

That taught me my first important lesson: Until I clear the arbitrary lines they draw in the sand, I have to bypass HR. A while later, I read a tweet thread by user gabriel1 that was saying the same; especially:

"never compete when applying for jobs, there are hundreds of applicants with better grades and universities than you. [...]"

"straight to managers, ceo, ppl with incentive for the company to go well. HR people play losers game, they just don't want to make mistakes. if you are bad but are from harvard they can just say "oh he was supposed to be good" and they have an excuse. so they'll dislike you"

I'd take this to heart.

I was also rejected when I applied to another company. I was sure I could at least get an interview. Their requirements were loose and low and I could meet everything perfectly. Instead, I was rejected a week after I submitted my application, so I didn't even make it to further consideration. The reason for that was possibly the fact that I admitted to volunteering at noyb.eu in the motivational letter.

That taught me my second valuable lesson: Unless employers directly approach me first and already know about it, I should rethink mentioning my volunteering. I thought it would show passion and knowledge in the field, but what it instead communicated was that I was being an activist. Noyb pushes to hold private companies and corporations accountable, and this is the opposite of what companies hiring privacy professionals actually want. What they want is someone who can make anything happen with a good legal justification. They aren't interested in ethics; they want new tech, especially AI, at any cost as long as their Compliance department finds ways to make the processing compliant with as little costs, obstacles and delay as possible. They were scared I was going to be someone who would delay and veto things.

This complaint doesn't make much sense, as DPOs (here in Germany at least) do not have authority to issue any instructions or decide the course of action; all they can do is advise and document what they have advised, so if leadership goes against recommendations, the DPO can't do anything about it. If a DPO does anything else, they're overstepping. What they can do is prove they have said otherwise, and aren't liable for anything. I guess that is either not something leadership knows, or they want the DPOs who wanna enable anything to be their fall guys. It sucks, but I guess in the overall hellscape we are in, it makes sense.

Gabriel also talked about a personal demo being better than a simple CV and motivational letter, and I thought long and hard about how I'd apply that to my field (as it was much easier to do that with any field that values portfolios, like tech). I couldn't develop a demo of anything in that way; no use recording a video introducing myself and... showing a Data Protection Impact Assessment for Microsoft Teams? It doesn't work like that in my field. What I could come up with instead was:

- Developing missing compliance documents and concepts for my workplace. We didn't have any internal GDPR-compliant deletion concepts ("Löschkonzepte") at all (not house-wide, not department-wide, not even in sub-departments and teams). I cannot show these in a demo to other companies, but it would at least be a sort of portfolio/demo internally.
- Continuing my volunteer work, showcasing it with a list of all my contributions, and making it into noyb.eu's newsletter with a newly translated and summarized court case (as they highlight new decisions there with attribution). That would only attract people who are okay with it.
- Continuing to write about data protection law on the blog, and in a different, more professional way on my other, work-friendly website as well. Being open about searching for work online, so people working for fitting companies reading my blog could stumble across it as well.
- Potentially making a LinkedIn, though I preferred not to so far.
- Pursuing a blog project I loosely thought about more seriously: Inviting DPOs and other privacy professionals to answer questions in an interview I'd post on my blog.

I knew the last point would be slim chances, but I didn't realize how slim until I tried it. The e-mail addresses for DPOs of the companies I messaged were mostly automated and strictly for access requests only. It wasn't for human exchanges. I didn't receive a reply back for the first two I messaged and knew I had to change my approach for the rest of my list; probably find out via LinkedIn or other means who exactly is hired in their Privacy Compliance teams and message them directly.

I also recognized my disadvantage: I'm not "big" already. No podcast personality, not a panel speaker, not a known author, not a big blogger in that space. My blog isn't hosted on Substack and the interview wouldn't be posted on LinkedIn. All of these things could give the people I reached out to some reassurance about who I am and that they will be featured somewhere "reputable". I still continue trying to make that happen.

Other things I have been doing to bruteforce my way in somehow:

1. I submitted an idea to our Idea Management team about implementing data protection coordinators ("Datenschutzkoordinatoren"). This is standard practice for other companies, very common, but we don't have them despite our DPO/my mentor approving of it. Leadership doesn't want to, and had rejected the idea 5 years prior. But I had better ammo than the old idea submitter, and with AI in the workplace now, things have shifted massively, warranting a reevaluation of the idea. I expect it to be rejected, but at least I tried. This could open the door to me being the data protection coordinator for my department, at least.

2. I indeed created a deletion concept for my team. My mentor/DPO was very happy with it overall when I briefly showed my work in a meeting, and I've sent it to him for more in-depth feedback soon. Once that is done, I will move on to making one for our sub-department, and then maybe one day, the whole department. No one is asking me for this, but I have a lot of unused time at work, want to show my skills, and help fix a severe compliance error my workplace has been in for years now.

3. We had an internal seminar on the "Data Analysis and Real World Interrogation Network" (DARWIN EU), which is an EU initiative coordinated by the European Medicines Agency to generate and utilize real world evidence data (RWE) to support the evaluation and supervision of medicines and treatments and enhance decision-making in regulation by drawing on anonymized data from routine healthcare appointments. Many countries' health databases exchanging data, and possibly in the future using AI for better insight, was totally my jam. We got the contact info of the initiative coordinators in case we have questions and ideas, and I sent an e-mail basically asking how to get involved as a privacy professional in the project. No answer so far.

4. We have an AI Coordinators group at work that always welcomes new ideas, input and help. During one of their presentations showing the current progress of AI adoption in-house and how well it works (not at all!), I sent in a question asking how employees can get involved in the project in terms of privacy compliance. Didn't receive an answer until the next day, which was worded very nicely, but also showcased our internal rigidity again. In other workplaces, employees can be used more fluidly and assigned across departments if it makes sense, but in our case, they sadly had to be very insistent on not being able to get deeply involved in the actual work if not part of that team as an official role, aside from submitting ideas. And obviously, the compliance needs were already covered by our DPO/my mentor. What they suggested instead was that I could try developing an internal GPT model focused on privacy compliance. That made me a little mad! I want to work. I want to think. I don't want to train my replacement for a job I don't yet have, but want. I want you to ask me one day! And for now, the way LLMs are, I cannot recommend asking it for legal advice, and I can't train it to be better; the hallucinations are a current fundamental flaw I cannot solve.

That's the point where I arrived at another lesson: While I keep my options open, I'll likely never work for a private company, and instead am better suited for regulatory bodies, NGOs, research, and academia. I have much more fun genuinely diving deep into the law and ethics, writing opinion pieces, maybe even proposals, help with research and papers, etc. than playing doormat for IT guys who want a new toy.

5. Made it a goal to do more case translations and summaries for noyb this year, with at least one case each week on Saturday. I've hit 10 done cases total a few days ago.

6. I have applied to and been accepted into the volunteer pool of The Midas Project, a watchdog nonprofit working to ensure that AI technology is safe and helpful to everyone. They lead strategic initiatives to monitor tech companies and counter corporate propaganda. Their releases have been very informative and have also drawn the attention of OpenAI, who are challenging them legally. You read that right - I sort of doubled down on the volunteering, despite the very real negative consequences. I'm not sure yet if I will stay; they only offer Fellowships (= opportunities to volunteer on a project) every couple of months. I'm also noticing a bit of a weird vibe compared to noyb, and I actually have quite a bone to pick with Effective Altruism, which is a big influence on it and the people in the space. But I hope I can learn valuable lessons in AI governance, and praying that it is not dominated by people with very grandiose conspiracy theories about AGI.

That marks my progress at the end of January 2026; almost 2 years since fully plunging into data protection law. Writing all of this out, I realize how much I have managed in that time. It feels simultaneously long and short. I'll have to remember that when I get sad about handing in my Bachelor thesis in 2028 :)

Not gonna lie, I have felt crushed and discouraged lately. It sucks when you feel like your true interests, skills and passions don't matter or are a flaw in others' eyes. The praise I get cannot move the mountains that are seemingly in my way. But it's the year of rejection, so I'll take it.

If you have made it this far, thank you! And happy Data Protection Day, which was yesterday. You should read 5 myths about data protection debunked!

Published 29 Jan, 2026