Your Guide to Becoming a Chief Privacy Officer
If you’re seeking an important, high-paying career that provides incredible value to an organization or business, consider a position as a chief privacy officer. Employing skilled professionals — including all types of privacy and data protection positions — is one of the best steps a company can take to combat cyber crime. The chief privacy officer is a vital, senior-level role that requires the right combination of education and experience. Our career guide will help explain what this position entails and how you can get started today if you’re interested in this lucrative, mission-critical role.
What Is a Chief Privacy Officer?
As defined by the International Association of Privacy Professionals (IAPP), a chief privacy officer is “a position within an organization that is responsible for managing risks of privacy laws and policies.” This position was created within the U.S. government under section 522(a) of the Consolidated Appropriations Act of 2005.
Robert Fusaro, chief privacy officer for Microsoft, explained in a Harvard Business Review article that every company needs this type of position because “it’s critical to have a single place where knowledge resides about the way customer information is handled and where policies are set aside for collecting and using online and offline data.”
Chief Privacy Officer vs. Data Protection Officer
First, let’s explain the background behind the GDPR (General Data Protection Regulation), which is a European data protection law that became effective in 2018. If you’re considering a career in data or privacy, you’ve likely come across this term.
The GDPR, often described as the toughest privacy and security law in the world, imposes data protection requirements and obligations on organizations that process personal data of people in the European Union (EU), whether or not the organization itself is based there. Failure to comply can result in fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
The GDPR also requires certain organizations to appoint a data protection officer (DPO): public authorities, and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37). A chief privacy officer can hold the DPO role, but the GDPR requires the DPO to act independently and report to the highest level of management, so the two titles are not interchangeable in every organization.
What Does a Chief Privacy Officer Do?
A chief privacy officer will “oversee all ongoing activities related to the development, implementation and maintenance of the organization’s privacy policies following applicable federal and state laws,” according to Cybersecurity Guide. This includes being responsible for the organization’s privacy program, monitoring program compliance, investigating incidents and breaches and ensuring customers’ rights.
Other chief privacy officer responsibilities typically include developing and modifying privacy policies and practices and staying up to date on privacy laws and regulations. These positions are also common in health care due to regulations from HIPAA — the Health Insurance Portability and Accountability Act, which protects sensitive patient information.
Chief Privacy Officer Job Description
As with any position, the exact job description will vary depending on the business or organization. But to give you an idea of what companies are looking for, here are some real-world examples pulled from LinkedIn postings for chief privacy officers:
- Collaborate with partners in legal, compliance and IT to address risks, recommend solutions and ensure compliance with regulations
- Maintain overall responsibility for incident and breach management policies
IAPP also links to a sample chief privacy officer job description, originally from the American Health Information Management Association, which can provide some additional insight as to what employers are looking for. The list of typical job responsibilities is lengthy, but here are a few highlights:
- Builds a strategic and comprehensive privacy program
- Works with organization senior management, security and the corporate compliance officer to establish governance for the privacy program
- Establishes an ongoing process to track, investigate and report inappropriate access and disclosure of protected health information
- Maintains current knowledge of applicable federal and state privacy laws and standards
Chief Privacy Officer Education Requirements
For most privacy-related positions, you’ll need a minimum of a bachelor’s degree. However, some companies require chief privacy officers to hold a graduate or law degree, according to Cybersecurity Education Guides. Relevant degrees for a chief privacy officer career include those associated with:
- Cybersecurity
- Law or cyber law
- Computer science
- Computer engineering
- Software development
- Information technology
Work Experience Needed
A chief privacy officer is not an entry-level position; it requires substantial work experience. Exactly how much is required will depend, of course, on the position and the company. Many recent job postings for chief privacy officer on LinkedIn required anywhere from 5 to 15+ years of relevant experience, and some specify experience in health care operations, regulatory compliance or financial services.
As WiseGEEK explains: “You can become a CPO by combining general executive-level business education and experience with specific knowledge of privacy laws in different contexts and across jurisdictions.”
WiseGEEK further explains that those who are interested in privacy law may learn through practical experience or by obtaining a law degree — but acknowledges “the CPO title is a relatively new creation, so the standard requirements are still evolving.”
In most cases, industry certifications are either required or preferred to become a chief privacy officer. The three IAPP credentials (CIPP, CIPM and CIPT) are the most directly relevant; the security certifications below are also commonly requested. The most common ones include:
- Certified Information Privacy Professional (CIPP)
- Certified Information Privacy Manager (CIPM)
- Certified Information Privacy Technologist (CIPT)
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
- GIAC Penetration Tester (GPEN)
- Certified in Healthcare Privacy Compliance (CHPC)
Desirable Hard and Soft Skills
In addition to familiarity with privacy protection laws, regulations and standards, it’s important for chief privacy officers to have hands-on experience with technology, excellent writing and leadership skills and the ability to demonstrate a high level of integrity and trust, according to Comparitech. Real-world job postings have also included these desired skills:
- Knowledge of the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), HIPAA and the handling of personally identifiable information (PII)
- Strong public speaking and presentation skills
- Ability to translate legal advice into meaningful guidance
- Passion for technology, especially privacy-related innovations
Career Paths to Become a Chief Privacy Officer
One of the first important steps is to secure a relevant undergraduate degree. Many CPOs, however, have an advanced degree, and some positions require a law degree. Senior-level executives typically need about 7 to 10 years of experience to work their way up to this type of position. You may also need specific domain experience to actually become a CPO, so it can be worthwhile to look for entry-level positions that deal with health care compliance and global privacy laws.
Work Environment for Chief Privacy Officer
The work environment varies with the industry and the company. You could work in a hospital or health care facility, a retail business, a technology startup or a financial firm. In any case, you will likely be in an office setting. Travel may also be required, especially if you are overseeing an organization with multiple locations. As a chief privacy officer, you may also regularly attend conferences and seminars, such as the IAPP Global Privacy Summit.
Does HIPAA Require a Privacy Officer?
The short answer: yes. As outlined by the Compliancy Group: “The HIPAA Security Rule mandates that every practice or health care organization that creates, stores, or emits, ePHI, must designate a privacy compliance officer regardless of their size. In larger firms there will typically be a dedicated HIPAA privacy officer, however in smaller firms the role might fall on an employee with administrative or IT responsibilities as well.” Strictly speaking, the requirement to designate a privacy official comes from the HIPAA Privacy Rule (45 CFR 164.530(a)(1)) and applies to every covered entity for PHI in any form; the Security Rule separately requires a security official responsible for safeguarding ePHI. In small organizations the two roles are often held by the same person.
How Much Do Chief Privacy Officers Make?
A chief privacy officer’s salary will depend on many factors, including the job itself, the company, where the position is located and more. Below are a few numbers to give you an idea of salary ranges. (Please note that salaries are dynamic and are subject to change. The salaries here reflect the latest data at the time this blog post was written.)
- Average salary of $153,888 (Payscale)
- Range of $123,461 to $162,561 (Salary.com)
- National average of $128,979 per year (ZipRecruiter)
- Median annual pay of $103,590 for information security analysts (BLS)
- Chief privacy officers earned a median salary of $200,000 in 2021 (CMSWire)
Career Outlook for a Chief Privacy Officer
Even though chief privacy officer is a somewhat new position, it’s become an extremely important one. The U.S. Bureau of Labor Statistics doesn’t include chief privacy officer (yet), but it does contain information for a closely related position — information security analyst. The career outlook for this position is extremely favorable with employment expected to grow 33% from 2020 to 2030. About 16,300 information security analyst positions are expected to open every year within the decade.
As the BLS explains: “Banks and financial institutions, as well as other types of corporations, will need to increase their information security capabilities in the face of growing cybersecurity threats. In addition, as the healthcare industry expands its use of electronic medical records, ensuring patients’ privacy and protecting personal data are essential. More information security analysts are likely to be needed to create the safeguards that will protect personal information and satisfy patients’ concerns.”
Companies Hiring Chief Privacy Officers
If you’re in the market for a high-level privacy gig, there are certainly plenty of opportunities. While finance, technology and health care are popular industries for these types of positions, openings for privacy-related jobs are also available in education, retail and entertainment. Here are some top companies recently hiring for privacy-related positions (for the most updated postings, check out LinkedIn and Indeed).
- UMass Memorial Health
- Stony Brook University
- General Motors
- NYC Health + Hospitals
- Nationwide Children’s Hospital
- Rutgers University
It’s important to note that a search for “chief privacy officer” will result in other job titles. Here are some common ones you’ll find:
- Chief Information Security Officer (CISO)
- Chief Compliance and Privacy Officer
- Chief Privacy Officer/Privacy Officer
- Chief HIPAA Privacy Officer
- Privacy Project Manager
- Chief Data Officer
- Privacy Program Director
What does a chief privacy officer do?
Simply put, a chief privacy officer oversees everything related to an organization’s privacy policies, including compliance with state and federal laws. This could mean overseeing a comprehensive privacy program, monitoring program compliance and investigating privacy-related incidents and breaches.
Does every business and organization need a chief privacy officer?
Not necessarily. The GDPR requires a data protection officer only for certain organizations that process data of people in the European Union (EU): public authorities, and organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Any health care business or organization covered by HIPAA that “creates, stores, or emits ePHI” must designate a privacy official, regardless of size. In larger firms, this position is the chief privacy officer or a dedicated HIPAA privacy officer; in smaller firms it may be an employee who also has administrative or IT responsibilities.
What is the typical educational background for a chief privacy officer?
For most privacy-related positions, you’ll need a minimum of a bachelor’s degree. But many companies require chief privacy officers to hold a graduate or law degree. Relevant degrees for a chief privacy officer career include those associated with cybersecurity, law, cyber law, computer science, computer engineering, software development and IT.
How much does a chief privacy officer make?
The number will depend, but the average range is anywhere from $123,000 to $162,000 — with some much higher.
Reach Your Goal of Becoming a Chief Privacy Officer with an Advanced Degree from USD
Advanced degrees are highly desirable in these types of senior-level positions. If you’re considering a career as a chief privacy officer, or you’re looking to advance your career in cybersecurity or data protection, consider furthering your education with the University of San Diego — a highly regarded industry thought leader and education provider that offers a 100% online Master of Science in Cyber Security Operations and Leadership. This degree program features practical, cutting-edge curriculum taught by expert instructors who share insights drawn from highly relevant industry experience.