Chief privacy officer

                                     


The Chief Privacy Officer (CPO) is a senior-level executive within a growing number of global corporations, public agencies and other organizations, responsible for managing risks related to information privacy laws and regulations. Variations on the role often carry titles such as "Privacy Officer," "Privacy Leader," and "Privacy Counsel." However, the role of CPO differs significantly from another similarly titled role, the Data Protection Officer, which is mandated for some organizations under the GDPR, and the two roles should not be confused or conflated.

The CPO role was a response to increasing "consumer concerns over the use of personal information, including medical data and financial information along with laws and regulations." In particular, the expansion of information privacy laws and new regulations governing the collection and use of personal information, such as the European Union General Data Protection Regulation (GDPR), has raised the profile and increased the frequency of having a senior executive as the leader of privacy-related compliance efforts. In addition, some laws and regulations, such as the HIPAA Security Rule, require certain organizations within their regulatory scope to designate a privacy compliance leader.

                                     

1. History

In the United States, the position of chief privacy officer was first established at consumer database marketing company Acxiom in 1991 with the appointment of Jennifer Barrett as CPO. The role operated in obscurity until August 1999 when the Internet advertising technology firm AllAdvantage appointed privacy lawyer Ray Everett to the first Internet-era instance of the role. This started a trend that quickly spread among major corporations, both offline and online. The role of the Chief Privacy Officer was solidified within the U.S. corporate world in November 2000 with the naming of Harriet Pearson as Chief Privacy Officer for IBM Corporation. That event prompted one influential analyst to declare, "the chief privacy officer is a trend whose time has come."

By 2001, the non-profit research organization Privacy and American Business reported that a significant number of Fortune 500 firms had appointed senior executives with the title or role of Chief Privacy Officer. The growth of the Chief Privacy Officer trend was further fueled by the European Union's passage in the late 1990s of data privacy laws and regulations that included a requirement for all corporations to have an individual designated to be accountable for privacy compliance.

By 2002, the position of Chief Privacy Officer and similar privacy-related management positions were sufficiently widespread to support the creation of professional societies and trade associations to promote training and certification programs. In 2002 the largest of these organizations, the Privacy Officers Association and the Association of Corporate Privacy Officers, merged to form the International Association of Privacy Officers, which was later renamed the International Association of Privacy Professionals (IAPP). The IAPP holds several conferences and training seminars each year around the world, hosting association members from major global corporations and government agencies, with executives seeking certification programs in privacy management practices. In 2019, it reportedly had more than 50,000 members globally, which its leadership attributed to laws like the GDPR.

                                     

2. Responsibilities & Duties

As the leader of a corporate privacy program, a CPO has a number of essential responsibilities, including:

  • Designing controls for managing privacy compliance
  • Leading incident response, including data breach preparedness
  • Driving privacy-related awareness and training among employees
  • Communicating privacy goals and values both internally and externally
  • Monitoring the effectiveness of privacy-related risk mitigation and compliance measures
  • Conducting Privacy Impact Assessments to identify risks in new or changed business activities
  • Managing the company's policies, procedures and data governance
  • Assessing privacy-related risks arising from existing products and services

Many of these activities and requirements are included in CPO job descriptions.

The role requires strong collaborative relationships with other stakeholders in an organization, including engineers and product managers for privacy impacts to products and services, human resources for privacy impacts to employee data, legal teams for monitoring and interpretations of applicable laws and compliance measures, procurement and vendor management, and information technology and information security teams.

                                     

2.1. Interactions with Other Senior Roles

As organizations identify the need for a CPO, a frequent challenge arises regarding placement of the role within the organization structure and the issue of overlap between similar "C-level" roles, most notably the many intersections between the roles of the CPO and the Chief Information Security Officer (CISO). While CPOs and CISOs have some overlap in responsibilities around data protection and data governance, ultimately privacy and security have different roles to play. For example, while CPOs and CISOs may both be concerned with the prevention of data breaches, responsibility for managing technical prevention measures will tend to lie with the CISO, while a CPO's concerns will look more broadly at whether otherwise properly secured data is being used in ways that might place the company at legal, regulatory, or reputational risk.

Another area of potential overlap, and sometimes confusion, is the interaction between a CPO and the increasingly common role of Data Protection Officer (DPO). The DPO role is specifically required for certain organizations falling under the jurisdiction of the EU GDPR. DPOs have very specific roles, requirements, and expectations delineated in GDPR Article 39 and associated regulatory guidance, and those include a level of required independence and organizational separation that make the role very different from that of a CPO.



                                     

3. Qualifications & Background

While a number of CPOs come from legal backgrounds and have Juris Doctor or equivalent degrees, the CPO role is a multidisciplinary one. The role requires an executive with an understanding of how data collection and usage, and the associated risks, all factor into an organization's day-to-day business operations. CPOs also need to be aware of a range of legal, regulatory, contractual, and other factors that impact an organization's privacy risk strategy. For these reasons, many believe that a legal background is a necessary requirement for a successful CPO. Others believe a legal background may result in too narrow a focus and that CPOs should have more than just a legal background.

Among other qualifications that are seen as valuable in CPOs are strong communications skills, particularly in the area of public relations: the role is not only partly responsible for development and execution of public outreach strategies in the event of a data breach or other data-related security incident, but the CPO also often functions as the public relations face of the organization. CPOs are also often called upon to function as a lobbyist representing the organization's interests before lawmakers. CPOs are also increasingly required to have deep knowledge of the organization's data-related operational practices and technologies, as well as the interaction between compliance measures that span the realms of privacy and security.

                                     

3.1. Professional Certification

An increasing number of individuals seeking careers as CPOs will seek training in multiple disciplines related to the field. The most common credentials seen in the space include:

  • Certified Information Privacy Professional (CIPP), with regional specializations such as US, Canada, Europe, and Asia
  • Certified Information Privacy Manager (CIPM)
  • Certified in Healthcare Privacy and Security (CHPS)
  • Certified in Healthcare Privacy Compliance (CHPC)
  • Certified Information Privacy Technologist (CIPT)
  • Certified Information Systems Security Professional (CISSP)


3.2. Salary

The complexity of the role and the challenge of finding individuals with the right mix of skills, education, and experience is reflected in the salary data. As of 2019, the CPO role commands a median salary of $200,000 globally, and over $212,000 in the United States. By another account, median salaries in 2019 for general privacy office roles reached $112,857.