Chief privacy officer

Last updated

The Chief Privacy Officer (CPO) is a senior level executive within a growing number of global corporations, public agencies and other organizations, responsible for managing risks related to information privacy laws and regulations. [1] Variations on the role often carry titles such as "Privacy Officer," "Privacy Leader," and "Privacy Counsel." [2] However, the role of CPO differs significantly from another similarly-titled role, the Data Protection Officer (DPO), a role mandated for some organizations under the GDPR, and the two roles should not be confused or conflated. [3] [4]

Contents

The CPO role was a response to increasing "(c)onsumer concerns over the use of personal information, including medical data and financial information along with laws and regulations." [5] In particular, the expansion of Information Privacy Laws and new regulations governing the collection and use of personal information, such as the European Union General Data Protection Regulation (GDPR), has raised the profile and increased the frequency of having a senior executive as the leader of privacy-related compliance efforts. [6] In addition, some laws and regulations (such as the HIPAA Security Rule) require that certain organizations within their regulatory scope must designate a privacy compliance leader. [7] [8]

History

In the United States, the position of chief privacy officer was first established at consumer database marketing company Acxiom in 1991 with the appointment of Jennifer Barrett as CPO. [9] The role operated in obscurity until August 1999 when the Internet advertising technology firm AllAdvantage appointed privacy lawyer Ray Everett to the first Internet-era instance of the role. [10] This started a trend that quickly spread among major corporations, both offline and online. [11] [12] The role of the Chief Privacy Officer was solidified within the U.S. corporate world in November 2000 with the naming of Harriet Pearson as Chief Privacy Officer for IBM Corporation. That event prompted one influential analyst to declare, "the chief privacy officer is a trend whose time has come." [13]

By 2001, the non-profit research organization Privacy and American Business reported that a significant number of Fortune 500 firms had appointed senior executives with the title or role of Chief Privacy Officer. [14] [15] The growth of the Chief Privacy Officer trend was further fueled by the European Union's passage in the late 1990s of data privacy laws and regulations that included a requirement for all corporations to have an individual designated to be accountable for privacy compliance. [6] [16]

By 2002, the position of Chief Privacy Officer and similar privacy-related management positions were sufficiently widespread to support the creation of professional societies and trade associations to promote training and certification programs. In 2002 the largest of these organizations, the Privacy Officers Association and the Association of Corporate Privacy Officers, merged to form the International Association of Privacy Officers, which was later renamed the International Association of Privacy Professionals (IAPP). [17] The IAPP holds several conferences and training seminars each year around the world, hosting association members from major global corporations and government agencies, with executives seeking certification programs in privacy management practices. [6] In 2019, it reportedly had more than 50,000 members [18] globally, which its leadership attributed to companies' responses to new laws like the GDPR. [19]

Responsibilities & Duties

As the leader of a corporate privacy program, a CPO has a number of essential responsibilities, [20] including:

Many of these activities and requirements are included in CPO job descriptions. [21] [22]

The role requires strong collaborative relationships [23] with other stakeholders in an organization, including engineers and product managers [24] (for privacy impacts to products and services), human resources [25] (for privacy impacts to employee data), legal teams [26] (for monitoring and interpretations of applicable laws and compliance measures), procurement and vendor management, [27] and information technology and information security teams. [28]

Interactions with Other Senior Roles

As organizations identify the need for a CPO, a frequent challenge arises in regards to placement of the role within the organization structure and the issue of overlap between similar "C-level" roles, [29] most notably the many intersections between the roles of the CPO and the Chief Information Security Officer (CISO). [30] [31] While CPOs and CISOs have some overlap in responsibilities around data protection and data governance, ultimately privacy and security have different roles to play. For example, while CPOs and CISOs may both be concerned with the prevention of data breaches, responsibility for managing technical prevention measures will tend to lay with the CISO while a CPO's concerns will look more broadly at whether otherwise properly secured data is being used in ways that might place the company at legal, regulatory, or reputational risk. [32]

Another area of potential overlap, and sometimes confusion, is the interaction between a CPO and the increasingly common role of Data Protection Officer (DPO). The DPO role is specifically required for certain organizations falling under the jurisdiction of the EU GDPR. [33] DPOs have very specific roles, requirements, and expectations delineated in GDPR Article 39 and associated regulatory guidance, and those include a level of required independence and organizational separation that make it very different from a CPO. [4]

Qualifications & Background

While a number of CPOs come from legal backgrounds and have Juris Doctor (or equivalent) degrees, the CPO role is a multidisciplinary one. The role requires an executive with an understanding of how data collection and usage, and the associated risks all factor into an organization's day-to-day business operations. [34] CPOs also need to be aware of a range of legal, regulatory, contractual, and other factors that impact an organization's privacy risk strategy. For these reasons, many believe that a legal background is a requirement for a successful CPO. [35] Others believe a legal background may result in too narrow of a focus, [36] and CPOs should have more than just a legal background. [37]

Among other qualifications that are seen as valuable in CPOs are strong communications skills, particularly in the area of public relations. This is due to the role being partly responsible for the development and execution of public outreach strategies in the event of data breach or other data-related security incident, and the CPO often functions as the public relations face of the organization. [38] [39] [40] CPOs are also often called upon to function as a lobbyist representing the organization's interests before lawmakers. [41] CPOs are also increasingly required to have deep knowledge of the organization's data-related operational practices and technologies, as well as the interaction between compliance measures that span the realms of privacy and security. [42]

Professional Certification

An increasing number of individuals seeking careers as CPOs will seek training in multiple disciplines related to the field. [43] Among the most common credentials seen in the space include:

Salary

The complexity of the role and the challenge of finding individuals with the right mix of skills, education, and experience is reflected in the salary data. As of 2021, the CPO role commands a median salary of $200,000 globally, and over $212,000 in the United States. [51] [52] By other accounts, median salaries in 2021 for privacy office roles in the US ranged from $114,638 to $126,000. [53] [54]

See also

Related Research Articles

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification programs, as well as other micro-certificates.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

<span class="mw-page-title-main">International Association of Privacy Professionals</span> Nonprofit membership association

The International Association of Privacy Professionals (IAPP) is a nonprofit, non-advocacy membership association founded in 2000. It provides a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals, and to provide education and guidance on career opportunities in the field of information privacy. The IAPP offers a full suite of educational and professional development services, including privacy training, certification programs, publications and annual conferences. It is headquartered in Portsmouth, New Hampshire.

TrustArc Inc. is a privacy compliance technology company based in Walnut Creek, California. The company provides software and services to help corporations update their privacy management processes so they comply with government laws and best practices. Their privacy seal or certification of compliance can be used as a marketing tool.  

A chief security officer (CSO) is an organization's most senior executive accountable for the development and oversight of policies and programs intended for the mitigation and/or reduction of compliance, operational, strategic, financial and reputational security risk strategies relating to the protection of people, intellectual assets and tangible property.

A chief information security officer (CISO) is a senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the enterprise to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance. The CISO is also responsible for protecting proprietary information and assets of the company, including the data of clients and consumers. CISO works with other executives to make sure the company is growing in a responsible and ethical manner.

<span class="mw-page-title-main">Hugo Teufel III</span> American lawyer

Hugo Teufel III is an American lawyer and former government official.

Information governance, or IG, is the overall strategy for information at an organization. Information governance balances the risk that information presents with the value that information provides. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle information whether it is physically or electronically created (ESI).

<span class="mw-page-title-main">Julie Brill</span> American lawyer

Julie Simone Brill is an American lawyer who serves as Chief Privacy Officer and Corporate Vice President for Global Privacy, Safety and Regulatory Affairs at Microsoft. Prior to her role at Microsoft, Brill was nominated by President Barack Obama on November 16, 2009, and confirmed unanimously by the US Senate to serve as Commissioner of the US Federal Trade Commission on March 3, 2010. Brill served as a Commissioner of the Federal Trade Commission (FTC) from 2010 to 2016.

Jules Polonetsky is an American lawyer and internet privacy expert from Brooklyn, New York, who currently serves as Chief Executive Officer of the Future of Privacy Forum. Polonetsky is co-editor of the Cambridge Handbook on Consumer Privacy, with co-editors Omer Tene and Evan Selinger.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

Nuala O'Connor is Senior Vice President and Chief Counsel for Digital Citizenship for Walmart. From 2014 to 2019, O’Connor served as the President and CEO of the Center for Democracy and Technology (CDT). O'Connor is an expert on digital human rights and civil liberties, technology policy, privacy, and information governance. From 2003–2005, O'Connor served as the first Chief Privacy Officer for the US Department of Homeland Security.

Privacy engineering is an emerging field of engineering which aims to provide methodologies, tools, and techniques to ensure systems provide acceptable levels of privacy.

A data protection officer (DPO) ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the European Union (EU) General Data Protection Regulation (GDPR). Many other countries require the appointment of a DPO, and it is becoming more prevalent in privacy legislation.

The Campus Privacy Officer (CPO) is a position within a post-secondary university that ensures that student, faculty, and parent privacy is maintained. The CPO role was created because of growing privacy concerns across college campuses. The responsibilities of the CPO vary depending on the specific needs of the campus community. Their daily tasks may include drafting new privacy policies for their respective college campus, creating a curriculum that informs teachers and students about privacy, helping to investigate any privacy breaches within the university, and ensuring that the university is abiding by current state and federal privacy laws. CPOs are also responsible for connecting with student and faculty groups across the entire campus in order to understand the privacy concerns of the campus. The role of CPO is an expanding profession within the United States and other countries, such as Canada and South Africa. There are numerous organizations that exist to provide training for CPOs and support them.

<span class="mw-page-title-main">General Personal Data Protection Law</span> Brazilian regulation on the processing of personal data

The General Personal Data Protection Law, is a statutory law on data protection and privacy in the Federative Republic of Brazil. The law's primary aim is to unify 40 different Brazilian laws that regulate the processing of personal data. The LGPD contains provisions and requirements related to the processing of personal data of individuals, where the data is of individuals located in Brazil, where the data is collected or processed in Brazil, or where the data is used to offer goods or services to individuals in Brazil.

Panorays is a SaaS-based third-party security risk management platform. It was founded in 2016 and is headquartered in New York, United States.

References

  1. "The New Terminology for Privacy". The New York Times. 10 April 2019. Retrieved 2019-05-23.
  2. "Full Report: Benchmarking Privacy Management and Investments of the Fortune 1000". www.iapp.org. Retrieved 2019-05-23.
  3. Coseglia, Jared (3 January 2019). "Coffee with Privacy Pros: DPO vs. CPO. Lawyer vs. Technician. The Dualities of Privacy". CPO Magazine. Data Privacy Asia Pte. Ltd. Retrieved 26 May 2019.
  4. 1 2 "Chief privacy officers may not be eligible to serve as data protection officers under the GDPR, says expert". Out-Law.com. Pinsent Masons LLP. 7 September 2017. Retrieved 26 May 2019.
  5. "Chief Privacy Officer | DefineFinance". www.definefinance.com. Retrieved 2015-10-31.
  6. 1 2 3 Tittel, Ed (6 June 2018). "Gearing up for GDPR certification: Only a few good options". Hewlett Packard Enterprise. Hewlett Packard Enterprise Development LP. Retrieved 24 August 2019.
  7. "Summary of the HIPAA Security Rule". US Department of Health and Human Services (HHS). Retrieved 25 May 2019.
  8. "HIPAA Privacy Officer Responsibilities". Compliancy Group. Retrieved 24 May 2019.
  9. "About the IAPP - Jennifer Barrett Glasgow, CIPP/US". IAPP.org. Retrieved 23 May 2019.
  10. Dan Tynan (23 Nov 2012). "Q and A: Privacy Pioneer Ray Everett". IT World. IDG. Retrieved 23 May 2019.
  11. Justine Brown (30 May 2014). "Rise of the Chief Privacy Officer". Government Technology. Retrieved 23 May 2019.
  12. Ulfelder, Steve (2001-01-15). "Oh No, Not Another O!". CIO Magazine. Archived from the original on 2006-12-06. Retrieved 2006-12-18.
  13. "IBM appoints chief privacy officer". CNET.com. 2 January 2002. Retrieved 23 May 2019.
  14. Sandberg, Jared (16 July 2001). "The Privacy Officer". The Wall Street Journal. Dow Jones & Company Inc. Retrieved 26 August 2019.
  15. Schwartz, John (12 Feb 2001). "First Line of Defense; Chief Privacy Officers Forge Evolving Corporate Roles". The New York Times. Retrieved 26 August 2019.
  16. "International Association of Privacy Professionals:Career and Certification Guide". Business News Daily. June 15, 2018. Retrieved May 10, 2019.
  17. Maselli, Jennifer (25 August 2003). "Privacy Group Focuses on RFID". RFID Journal. Emerald Expositions, LLC. Retrieved 18 August 2019. "This is a timely topic," says Shara Prybutok, an administrator for IAPP, which was formed recently by the merger of the Privacy Officers Association and the Association of Corporate Privacy Officers.
  18. "50K members: A landmark for the IAPP and global privacy". IAPP.org. International Association of Privacy Professionals. 2 May 2019. Retrieved 1 October 2019. The IAPP had hit 50,000 members worldwide.
  19. Hughes, J. Trevor (25 May 2018). "GDPR Day 1: Reflections on what the heck just happened". IAPP.org. International Association of Privacy Professionals. Retrieved 2 June 2019. Just two weeks before the GDPR deadline, we surpassed 40,000 members in over 100 countries around the world.
  20. Densmore, Russell, ed. (2019). Privacy Program Management (Second ed.). International Association of Privacy Professionals. ISBN   978-1-948771-24-5.
  21. "Sample (Chief) Privacy Officer Job Description". AHIMA Body of Knowledge. AHIMA. Retrieved 2 June 2019.
  22. "Chief Privacy Officer Career Guide". Florida Tech Online. Florida Institute of Technology. Retrieved 2 June 2019.
  23. "Chief Privacy Officer". Ethics.org. Ethics and Compliance Initiative. Retrieved 2 June 2019. Build strong and collaborative relationships with key partners from IT Security, Human Resources, Procurement, Legal, Finance, Global Security and the Business Units
  24. Ross, Alexandra (29 September 2014). "Top 5 Qualities in a Great Chief Privacy Officer (CPO)". TrustArc. Retrieved 2 June 2019. Hands-on experience with technology and the ability to see a company's products and services through the lens of a privacy-aware customer is essential.
  25. O'Connor, Brian; Yates, Amy (1 August 2009). "A review of current HR privacy issues". IAPP.org. International Association of Privacy Professionals. Retrieved 2 June 2019.
  26. McCreary, Mark G. (9 August 2017). "Notes From A Law Firm Chief Privacy Officer: CPO vs. CISO". Fox Rothschild. Retrieved 2 June 2019. [T]he post must, by design, have a strong connection with the firm's office of the general counsel
  27. Merrick, Robert; Ryan, Suzanne (1 April 2019). "Data Privacy Governance in the Age of GDPR". Risk Management Magazine. RIMS. Retrieved 2 June 2019. ...in Canada, the United States and Europe, businesses sharing personal information with a vendor are required to ensure the vendor has adequate security processes in place to safeguard that information.
  28. Bassett, Mike (February 2015). "So You Want to Be a Privacy Officer?". For the Record. Vol. 21, no. 2. Great Valley Publishing Co. Inc. p. 24. Retrieved 2 June 2019. the privacy officer position has evolved in such a way that it's necessary to understand more about security safeguards
  29. White, Sarah K. (31 March 2018). "Five reasons you need to hire a chief privacy officer (CPO)". CIO Magazine. IDG Communications Inc. Retrieved 2 June 2019. A CPO helps develop strategies to support how personally identifiable information is protected from these types of incidents and can fully brief the C-suite on the issues — both technical and business — which could arise from a breach
  30. Davis, Jessica (17 April 2019). "CPO and CISO: The Evolving Roles of Privacy and Security Professionals". Health IT Security. Xtelligent Healthcare Media, LLC. Retrieved 2 June 2019.
  31. Gloeckle, Maggie; Royal, K (15 November 2017). "CPO and CISO: The Evolving Roles of Privacy and Security Professionals". ACCDocket.com. Association of Corporate Counsels. Retrieved 2 June 2019.
  32. Bergal, Jenni (21 August 2018). "More States Appoint 'Chief Privacy Officers' to Protect People's Data". Government Technology Magazine. e.Republic. Retrieved 2 June 2019. And chief privacy officers don't just deal with external threats. Sometimes, breaches occur when state employees inadvertently release data that contains personal information, email a confidential document in an unsecured format, or don't securely store it.
  33. "Data protection officers". ico.org.uk. UK Information Commissioner's Office. Retrieved 2 June 2019.
  34. Lawton, Stephen (5 April 2018). "How to hire a chief privacy officer". SC Magazine. Haymarket Media Inc. Retrieved 2 June 2019.
  35. Carson, Angelique (25 August 2015). "Would a Law Degree Take Your Privacy Career to the Next Level". IAPP.org. International Association of Privacy Professionals. Retrieved 2 June 2019. "There are really good people in this field who don't have a law degree [...] But most of the higher-up people tend to have law degrees."
  36. Creamer, Matthew (25 April 2011). "Does Your Agency Need A Chief Privacy Officer?". AdAge Magazine. Crain Communications. Retrieved 2 June 2019. "If it's a legal person who's going to attend meetings and try and limit liability, it's not totally useless, but I don't think it's going to do what we really need to do, which is to communicate to our client base and get our consumer base educated...
  37. Ng, Cindy (2 June 2017). "Interview: Dr. Ann Cavoukian on Privacy by Design". Varonis. Retrieved 2 June 2019. You need a much broader skill set than law alone. So, for example, I'm not a lawyer, and I managed to be [Ontario Privacy] Commissioner for three terms.
  38. Dan Tynan (23 November 2012). "Q&A: Privacy Pioneer Ray Everett". IT World. IDG. Retrieved 23 May 2019.
  39. Ulfelder, Steve (2001-01-15). "Oh No, Not Another O!". CIO Magazine. Archived from the original on 2006-12-06. Retrieved 2006-12-18. "I wind up dancing between three different fields: legal/policy, marketing, and technology." -Ray Everett-Church, CPO and vice president of public policy at AllAdvantage.com
  40. Dieterle, E.J. "Future roles: Should recruiting for a Chief Privacy Officer be a priority?". YesPartners. Retrieved 2 June 2019.
  41. Kang, Cecilia (24 April 2018). "Facebook Replaces Lobbying Executive Amid Regulatory Scrutiny". The New York Times. Retrieved 2 June 2019. Ms. Egan, who is also Facebook's chief privacy officer, was responsible for lobbying and government relations as head of policy for the last two years.
  42. Simberkoff, Dana (11 December 2018). "Should the Chief Privacy Officer and Chief Information Security Officer Roles Merge?". CMS Wire. Simpler Media Group Inc. Retrieved 2 June 2019.
  43. Kim, Lee (11 March 2019). "My Journey to Attaining Two Professional Certifications, CIPP and CISSP". HIMSS. Retrieved 2 June 2019.
  44. "Certified Information Privacy Professional". IAPP.org. Retrieved 2 June 2019.
  45. 1 2 3 "Is IAPP Certification a Consideration for Health IT Professionals?". USF Health Online. University of South Florida . Retrieved 24 August 2019.
  46. "Certified Information Privacy Manager". IAPP.org. Retrieved 2 June 2019.
  47. "Certified Information Privacy Technologist". IAPP.org. Retrieved 2 June 2019.
  48. "Certified in Healthcare Privacy and Security". AHIMA. Retrieved 2 June 2019.
  49. "Certified in Healthcare Privacy Compliance". Compliance Certification Board. Retrieved 2 June 2019.
  50. "Certified Information Systems Security Professional". ISC2.org. Retrieved 31 May 2020.
  51. "2021 IAPP Privacy Professionals Salary Survey". IAPP.org. Retrieved 18 June 2021.
  52. Spiezio, Caroline (7 May 2019). "US Chief Privacy Officers Get Paid More Than EU Peers, Have Closer Ties to Legal". Law.com. ALM Media Properties LLC. Retrieved 24 August 2019. According to the IAPP's 2019 Privacy Professionals Salary Survey, American CPOs' median salary is $212,000 compared to $185,000 in the U.K. and $142,000 in the European Union. The global median salary for CPOs is $200,000 in 2019.
  53. "Privacy Officer Salary". ziprecruiter.com. Retrieved 18 June 2021.
  54. "Pandemic hasn't stemmed the rise of privacy salaries, but there is still some work to do". scmagazine.com. 29 June 2021. Retrieved 1 July 2021.