How to become a chief privacy officer: A complete career guide

Data is undoubtedly the 21st century’s most valuable commodity. It is both the fuel that drives modern computing as well as the product of today’s computing systems. It is estimated that by the end of 2020, some 200 billion devices will be generating data. Much of this data will then be consumed by companies that use it to provide services and market their products. 

On its website, the data storage company Seagate writes, “Today, more than 5 billion consumers interact with data every day—by 2025, that number will be 6 billion, or 75 percent of the world’s population. In 2025, each connected person will have at least one data interaction every 18 seconds. Many of these interactions are because of the billions of Internet of Things (IoT) devices connected across the globe, which are expected to create over 90ZB of data in 2025.”

But who owns this data? What if this data is an individual’s personal information? Does the individual own it, or does the company that purchased or created it own it?

The need to answer these complex questions and understand legal and compliance requirements related to privacy has given birth to the role of chief privacy officer (CPO)

Like any corporate executive position, there are essential business skills that will be required. Candidates for CPO positions should take steps to develop the following abilities. 

• Collaboration, teamwork, and problem-solving to achieve goals
• Skills in verbal communication and listening
• Expertise in providing excellent service to customers
• Excellent writing skills
• A high level of integrity and trust
• Extensive familiarity with relevant legislation and standards for the protection of information and privacy
• Ability to skillfully negotiate and identify acceptable compromises

What is a chief privacy officer?

The CPO is a senior-level executive within an ever-increasing number of global organizations. The primary responsibility of the CPO is to manage risk related to information privacy laws and compliance regulations. This role is ostensibly created in an organization to be a central authority for making privacy decisions and protecting the interests of a company’s customers.

Any organization that collects and stores customer information should have a single place where knowledge resides about how the information is managed and where policies are established for obtaining and handling online and offline data. Otherwise, the organization risks introducing deviations that can compromise the security of the company and its customers. Damage to brand reputation and legal fines are some potential consequences of poor data protection.

Some companies designate a person to oversee privacy in an ad hoc way, without the CPO title. But giving a CPO apparent authority is essential because they will inevitably need to make difficult decisions that affect all parts of the company. Formalizing the role also sends the message that privacy is a real priority.

Chief privacy officer requirements, skills, and experience

To some degree, the requirements, skills, and experience desired by a company looking for a CPO will vary depending on their industry. A healthcare company may want skills and expertise relevant to that industry. A financial or retail organization will likewise look for someone with an intimate knowledge of these market segments. In most cases, however, an understanding of data privacy laws and regulations will carry more weight in the candidate selection process. 

The following is a list of common requirements for CPO candidates:

• Bachelor’s degree in a field related to the company’s core industry
• Knowledge and experience in state and federal information privacy regulations, including but not limited to:
  • Health Insurance Portability and Accountability Act (HIPAA)
  • California Consumer Privacy Act (CCPA)
  • New York Consumer Privacy Act (NYPA)
  • European Union (EU) General Data Protection Regulation (GDPR)
• Organization, facilitation, written and oral communication, and presentation skills
• Legal, operational, and or financial skills

What do chief privacy officers do?

Organizations may use variations of the CPO title with names such as Privacy Officer, Privacy Leader, and Privacy Counsel. Other organizations may roll the duties and responsibilities of the CPO up into the role of another C Suite executive, such as a Chief Legal Officer. 

Some similar-sounding titles, however, may have distinctly different responsibilities. The data protection officer (DPO), for example, is a similar title that is expressly prescribed by the European Union (EU) General Data Protection Regulation (GDPR). The DPO ensures explicitly that an organization applies the laws protecting personal data and tends to be a lower-level employee than are CPOs.

A chief technology officer (CTO) constructs a company’s strategies for information systems. The CPO then would work closely with the CTO to create a privacy program suited to those strategies.

Chief Privacy Officer Job Description

The following is a generic sample of a CPO job description. The specific requirements will vary depending on the industry of the company. This sample provides a good benchmark for evaluating a candidate’s current skills and abilities to those that may be required for a CPO.

Immediate Supervisor: Chief executive officer, (chief) compliance officer, senior executive (chief operating officer, CIO), (senior) in-house counsel, or practice manager

Position Overview: The CPO shall oversee all ongoing activities related to the development, implementation, and maintenance of the organization’s privacy policies following applicable federal and state laws. 

General Purpose: The privacy officer is responsible for the organization’s privacy program including but not limited to daily operations of the program, development, implementation, and maintenance of policies and procedures. They are responsible for monitoring program compliance, investigation and tracking of incidents and breaches, and ensuring customer’s rights. In all cases, following federal and state laws.

Responsibilities:

• Builds a strategic and comprehensive privacy program that defines, develops, maintains, and implements policies and processes that enable consistent, effective privacy practices that minimize risk and ensure the confidentiality of protected information, paper and/or electronic, across all media types. Ensures privacy forms, policies, standards, and procedures are up-to-date
• Works with senior organization management, security, and corporate compliance officer to establish governance for the privacy program
• Serves in a leadership role for privacy compliance
• Collaborate with the information security officer to ensure alignment between security and privacy compliance programs, including policies, practices, investigations, and acts as a liaison to the information systems department
• Establishes, with the information security officer, an ongoing process to track, investigate, and report inappropriate access and disclosure of protected information. Monitor patterns of improper access and/or disclosure of protected information
• Performs or oversees initial and periodic information privacy risk assessment/analysis, mitigation, and remediation
• Develops, delivers, and oversees initial and ongoing privacy training to the workforce
• Works cooperatively with the information management director and other applicable organization units in overseeing customer rights to inspect, amend, and restrict access to protected information when appropriate
• Manages all required breach determination and notification processes under applicable State breach rules and requirements
• Establishes and administers a process for investigating and acting on privacy and security complaints
• Maintains current knowledge of applicable federal and state privacy laws and accreditation standards
• Works with organization administration, legal counsel, and other relevant parties to represent the organization’s information and interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standards
• Serves as information privacy resource to the organization regarding the release of information and all departments for all privacy-related issues

Certificates available for chief privacy officers

Several professional certifications relate directly to the qualification of a CPO. These include:

• Certified Information Privacy Professional (CIPP) with regional specializations like the US, Canada, Europe, and Asia
• Certified Information Privacy Manager (CIPM)
• Certified Information Privacy Technologist (CIPT)
• Certified in Healthcare Privacy and Security (CHPS)
• Certified in Healthcare Privacy Compliance (CHPC)
• Certified Information Systems Security Professional (CISSP)

Outlook for chief privacy officers

The concern for privacy has been growing steadily since the age of data as a commodity began, but it has grown exponentially in the last two years. With the implementation of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States in 2018, CPOs are in high demand.

The rise of the CPO demonstrates the increasing need for leadership in the data-driven digital business world, as well as to champion the rights of individuals to control their personal data.

How much do chief privacy officers make?

The complexity of the CPO role and the challenge of finding individuals with the right mix of skills, education, and experience are reflected in the salary data. The International Association of Privacy Professionals (IAPP) states that “Chief privacy officers command an impressive $200,000 median salary in 2019 — $212,000 for those in the U.S. 

CPOs and privacy leaders, in general, receive the highest salaries of all privacy professionals and also tend to have enjoyed the largest increases in pay since 2017.”