Yahoo, LinkedIn, Facebook, Marriott International, MyFitnessPal. These well-known companies made headlines in recent years for one unfortunate reason: They appear on the list of the 15 biggest data breaches of the 21st century. The reality, however, is that cyber attacks are a growing problem for businesses and organizations of every size and type, with the cost of cyber crime projected to reach $10 trillion a year by 2025.
In addition to implementing cybersecurity best practices, such as training employees, backing up data and instituting multi-factor authentication, businesses also have the option of employing skilled cybersecurity professionals. In this career guide, we’ll discuss the details of one such important position — the data protection officer.
What Is a Data Protection Officer?
This is a compliance and privacy oversight position charged with making sure a company or organization handles the personal data it holds lawfully and securely. Data protection officers (and other data- and privacy-related positions) are required by law in some countries, notably under the EU's GDPR, but for the most part they are not required in the United States, though they are becoming much more common. In the U.S. there is no general requirement to appoint a data protection officer; the closest analogue is HIPAA, which requires covered entities to designate a privacy official and a security official. Appointing one is nevertheless considered a best practice, especially for larger entities.
Data Protection Officers and the GDPR
If you’re considering a job in data and privacy, there is a good chance you will encounter the term GDPR — General Data Protection Regulation, which is a European data protection law that became effective in 2018.
The GDPR, touted as "the toughest privacy and security law in the world," imposes data privacy requirements and obligations on organizations that process personal data of people in the European Union (EU), whether the organization is established in the EU or offers goods or services to, or monitors the behavior of, people there. Data privacy violations and failure to comply with the regulation can result in costly penalties: administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
As explained by the Digital Guardian, the GDPR was created by the European Parliament, the European Council and the European Commission to “strengthen and streamline data protection for European Union citizens.”
One of the requirements of the GDPR (Article 37) is that certain organizations must designate a person to oversee GDPR compliance: public authorities, organizations whose core activities involve regular and systematic monitoring of people on a large scale, and organizations that process special categories of data (such as health data) on a large scale. That person is the data protection officer. As one widely quoted summary of the role puts it: "The Data Protection Officer, or DPO, is an organization's GDPR focal point and will have to possess expert knowledge of data protection law and practices."
Data Protection in the United States
There is no single, all-encompassing and over-arching data privacy law in the U.S., but there is a patchwork of sector-specific federal laws and state laws. Here are some of the most common:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Fair Credit Reporting Act (FCRA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Electronic Communications Privacy Act of 1986 (ECPA)
- Children's Online Privacy Protection Act (COPPA)
- California Consumer Privacy Act (CCPA)
Even though data protection officers are not required positions in the United States, they are becoming prevalent as more businesses and organizations recognize the importance and value of skilled privacy professionals.
What Does Personal Data Entail?
There is no one list that identifies every type of personal data; rather, the GDPR defines it as "information relating to an identified or identifiable natural person." Names, for example, are usually personal data, but a name alone isn't always enough to identify someone. As IT Governance explains, "John Smith" on its own does not single out one person, since many people share that name. Combine the name with other information, such as a date of birth and an address, and the combination may well identify exactly one person, which makes the whole record personal data.
The range of personal data includes:
- Names and surnames
- Email address
- Phone number
- Home address
- Date of birth
- Credit card number
- Social security number
- IP address
- Identification card number
The GDPR does not cover personal data relating to deceased individuals, information about legal entities such as public authorities and companies (although data about their employees or customers is still personal data), or data that has been genuinely anonymised so that the person can no longer be identified. An important caveat: data that has merely been pseudonymised, for example by replacing names with codes or hashes, still counts as personal data if the person can be re-identified using additional information, such as the code table or key held by the organization.
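The two points above, that a combination of fields can single out a person even when each field alone does not, and that "removing the names" is not the same as anonymising, are easy to demonstrate on a small dataset. The following is an added example written for this guide, not code from the original article or from any of the sources it cites. The records are constructed, fictitious people, and the function names (identifiability, pseudonymise, reidentify) are this example's own.

```python
"""Added example: quasi-identifiers and why pseudonymised data is still personal data."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious people, not real data).
RECORDS = [
    {"name": "John Smith", "email": "john.smith@example.com", "dob": "1984-03-02", "city": "Leeds"},
    {"name": "John Smith", "email": "jsmith84@example.org", "dob": "1991-07-19", "city": "Leeds"},
    {"name": "Maria Rossi", "email": "m.rossi@example.net", "dob": "1984-03-02", "city": "Bologna"},
    {"name": "Aiko Tanaka", "email": "aiko.t@example.com", "dob": "1979-11-30", "city": "Leeds"},
]


def identifiability(records, fields):
    """Fraction of records singled out by the given combination of fields.

    1.0 means every record is unique on those fields, i.e. the combination
    is a quasi-identifier: the "name + birthday + address" situation above.
    """
    keys = [tuple(r[f] for f in fields) for r in records]
    counts = Counter(keys)
    unique = sum(1 for k in keys if counts[k] == 1)
    return unique / len(records)


def pseudonymise(records, key=None):
    """Drop direct identifiers but keep a stable token derived from the email.

    key=None reproduces a common mistake: an unkeyed SHA-256 of the email,
    which anyone can recompute from a list of guessed addresses.
    With a key, the token is an HMAC that only the key holder can recompute.
    In both cases the result is pseudonymised, not anonymised: the token still
    links every row to one person, and someone can reverse it.
    """
    out = []
    for r in records:
        email = r["email"].lower().encode()
        if key is None:
            token = hashlib.sha256(email).hexdigest()
        else:
            token = hmac.new(key, email, hashlib.sha256).hexdigest()
        out.append({"uid": token, "dob": r["dob"], "city": r["city"]})
    return out


def reidentify(pseudonymised, candidate_emails, key=None):
    """Dictionary attack: recompute tokens for a list of guessed emails.

    Returns {uid: email} for every token in the dataset that matched a guess.
    Without the key, keyed tokens cannot be matched this way.
    """
    table = {}
    for email in candidate_emails:
        e = email.lower().encode()
        if key is None:
            table[hashlib.sha256(e).hexdigest()] = email
        else:
            table[hmac.new(key, e, hashlib.sha256).hexdigest()] = email
    return {r["uid"]: table[r["uid"]] for r in pseudonymised if r["uid"] in table}


if __name__ == "__main__":
    print("unique on name only :", identifiability(RECORDS, ["name"]))
    print("unique on name + dob:", identifiability(RECORDS, ["name", "dob"]))
    print("unique on dob + city:", identifiability(RECORDS, ["dob", "city"]))
    guesses = [r["email"] for r in RECORDS] + ["nobody@example.com"]
    print("unkeyed hash, recovered:", len(reidentify(pseudonymise(RECORDS), guesses)))
    print("keyed hash, recovered  :", len(reidentify(pseudonymise(RECORDS, b"secret"), guesses)))
```

Run as a script, it shows that only half the records are unique on name alone (two John Smiths), that name plus date of birth, or even date of birth plus city with no name at all, singles out every record, and that an unkeyed hash of the email is recovered in full by a dictionary attack while a keyed HMAC resists it. The keyed version is still personal data for whoever holds the key, which is the caveat the paragraph above makes.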
What Does a Data Protection Officer Do?
In the simplest terms, a data protection officer (DPO) is involved in all aspects of personal data protection. Under the GDPR (Article 39), the core tasks are to inform and advise the organization and its staff about their data protection obligations, to monitor compliance with the regulation and with internal policies, to advise on data protection impact assessments, and to act as the contact point for the supervisory authority.
The position also stresses independence and confidentiality: the DPO must not be instructed how to carry out these tasks, reports directly to the highest level of management, and is bound by secrecy regarding the work. Here is a good explanation from LinkedIn:
“A Data Protection Officer is responsible for educating a company’s employees about data compliance, training members of staff who are involved in processing data, and carrying out regular security audits. They also serve as the main point of contact between the company and the relevant data protection authorities. The role of Data Protection Officer is mandatory for all companies that process or collect EU Citizens’ personal data.”
Data Protection Officer Job Description
Every data protection officer job description will be specific to the company or organization, but here are some real-world examples of responsibilities recently posted on LinkedIn:
- Monitor compliance with legislation and regulations
- Work closely with legal, compliance, governance and information security functions to develop and monitor policies and standards applicable to the business and in compliance with the GDPR and CCPA.
- Establish a privacy governance framework to manage data use.
- Work with key internal stakeholders to review projects and related data to ensure compliance with local data privacy laws; where necessary, complete and advise on privacy impact assessments.
- Collaborate with IT to maintain records and a data privacy and security incident management plan.
Data Protection Officer Education Requirements
According to Cybersecurity Guide, data protection officers typically need a BA or BS degree in computer science, information security or a related field. A bachelor's degree in another discipline, a J.D., or equivalent work experience in privacy, compliance, information security, auditing or a related field may also be accepted as an alternative.
An advanced degree is typically not required, but it may depend on the position. Even if one isn’t required, there are many benefits to obtaining one; an advanced degree can provide real-world experience, demonstrate your proficiency for continued learning and provide an edge over other job applicants.
Work Experience Needed
A data protection officer is not an entry-level position, especially since it deals closely with personal information. How much experience is required will depend on the specific job and the amount of data a company handles. To give you an idea of required experience, here are some examples from recent LinkedIn job postings:
- DPO experience in a global firm with more than 500 employees
- Experience in building a privacy framework from scratch
- Minimum 12 years of experience in and strong knowledge of privacy, data, operational risk management, information security, or related areas in IT
- 5 years of experience within a compliance, legal, audit and/or risk function, with recent experience in privacy compliance
- At least 2 years of experience with GDPR and working knowledge of CCPA
- Fintech experience
Certifications may be required, depending on the position. Either way, they are incredibly valuable to becoming a successful data protection officer. Some of the most popular ones include:
- Certified Information Privacy Professional (CIPP)
- Certified Information Privacy Manager (CIPM)
- Certified Information Privacy Technologist (CIPT)
- ISACA certifications, such as CISA or CISM, may be preferred
Desirable Hard and Soft Skills
In addition to professional certifications, these are the skills a data protection officer should have, as outlined by the International Association of Privacy Professionals (IAPP):
- 5-10 years of experience in EU and global privacy laws (drafting privacy policies, technology revisions and outsourcing agreements)
- 5-10 years in IT operations and programming
- 5-10 years of experience in information systems auditing, attestation audits and assessment and mitigation of risk
- Leadership skills
- Experience working with a variety of stakeholders
- Experience managing various projects
- Negotiation skills
- Strong client relationship skills
- Good communication skills
- Demonstrated self-starter
- Experience in legal and technical training
- Experience in dealing with different business cultures and industries
Career Paths to Become a Data Protection Officer
Experience in different privacy-related disciplines is a good way to become a data protection officer. These include privacy law, information governance, information security and incident response. But that doesn’t mean you absolutely must work in privacy. Those with careers in finance, business, administration or other fields may be considered “as long as the candidate can demonstrate relevance to this information security-based role,” according to Cybersecurity Guide.
Can an Organization’s Employee Be a Data Protection Officer?
Yes. The GDPR (Article 37(6)) allows the DPO to be an existing member of staff or an outside provider working under a service contract. Whichever route is taken, the DPO must be able to act independently and must not hold other duties that create a conflict of interest, which rules out simply adding the title to a role that decides how personal data is processed.
“The Data Protection Officer reports directly to upper management,” according to Dataversity. “It is meant to be a professional position and the DPO primary duties involve communicating with other professionals. Additionally, there cannot be a conflict of interest regarding their duties of compliance with the GDPR. For this reason, an independent officer is strongly recommended, rather than folding responsibilities into an existing security or IT position.”
This applies to any organization within the GDPR's scope, whether it is based in Europe or in the U.S. Where a DPO is required, the position must be formally designated, the DPO's contact details must be published, and they must be communicated to the supervisory authority.
Can Organizations Share a Data Protection Officer?
It’s a possibility. Related organizations can share the same DPO but “all data protection activities must be managed by the same person and data must be readily accessible by staff from the related organizations, as it is needed,” explains Dataversity.
How Much Do Data Protection Officers Make?
Salary will depend on a number of factors, including how much experience is required, the location of the job itself and your own background and education. The typical annual pay for a data protection officer in the U.S. is about $86,309, with most salaries falling between $33,500 and $113,500, although they can reach as high as $162,000.
Outlook for Data Protection Officers
The outlook is extremely favorable for this type of position. As Cybersecurity Guide explains, “the field of data protection and privacy rights is booming,” and as a result, positions like these are in high demand.
And more good news: Gartner predicts that by the end of 2022, more than 1 million businesses and organizations will have appointed a data protection officer — or a privacy officer.
Companies Hiring Data Protection Officers
Since every type of business and organization deals with data in some capacity, these types of positions are available across a wide variety of industries. Here are some top companies that are hiring (for the most recent postings, check out LinkedIn and Indeed):
- City and County of Denver
- Vault Health
- BNY Mellon
- State of Tennessee
- Morgan Stanley
A search for “data protection officer” will also generate similar positions with different job titles. These may include:
- Security and Privacy Officer
- Global Data Protection Officer
- Data Protection and Privacy Officer
- Sr. Data Privacy Specialist
- Data Privacy Analyst
- Data Governance Officer
- Data Protection Specialist
- Information Protection Officer
Take Your Data Protection Officer Career to the Next Level
This career guide is brought to you by the University of San Diego — a highly regarded industry thought leader and education provider that offers a 100% online Master of Science in Cyber Security Operations and Leadership. This degree program features practical, cutting-edge curriculum taught by expert instructors who share insights drawn from highly relevant industry experience.