Given the realities of today’s world, people and businesses are finally starting to take their data privacy seriously. Consumers now expect businesses to be attentive and trusted caretakers of their private information. In fact, 94% of respondents in the Cisco 2023 Data Privacy Benchmark Study said customers won’t buy from their business if data is not properly protected. Add the fact that data privacy noncompliance can come with steep penalties (HIPAA Privacy Standards violations can cost $100 to $50,000 each), as well as major reputational risk, and you can see why data and privacy is such a critical topic today.
Industries like fintech and healthcare, as well as companies with significant ecommerce operations and those with multinational presence, are increasingly aware of the need to prioritize privacy in order to protect their businesses. And while some organizations now acknowledge there’s a business case for hiring a dedicated leader to own this critical area, many are grappling with key questions about the Chief Privacy Officer (CPO), including:
- How to scope the role
- What skills are necessary
- How the role intersects with other departments
As an executive recruiting firm, we have the opportunity to speak with a variety of legal, privacy, and information security experts every day. So, we turned to some of our trusted clients and candidates to discuss the evolution of the data privacy landscape. Here are three key themes we gathered from those conversations regarding the evolving role of the CPO.
Navigating an Entangled Regulatory Environment
When it comes to data privacy, the lay of the land is always changing. The enactment of the General Data Protection Regulation (GDPR) in 2018 started the conversation, but the state-by-state patchwork of regulations instituted since presents unclear guidelines for corporations to follow.
Moreover, there’s no solution on the horizon. Federal legislation has stalled as California’s congressional representatives fight to protect the personal data rights and freedoms enshrined in the Consumer Privacy Act and the California Privacy Rights Act. The fear of preemption provisions, which allow higher authorities like the U.S. Congress to displace rulings of state legislatures, has likely postponed any clear rulings on a national level.
What all this means is enterprises operating or selling to customers in more than one state need to examine the letter of data privacy laws across every relevant jurisdiction. For executives not dedicated to privacy, this can be a tedious and time-consuming process, especially since the landscape is as stable and predictable as quicksand.
One Chief Legal Officer we spoke with said, “It was impossible to perform my legal duties and keep up with privacy – a CPO was needed.” The 2022 ACC Chief Legal Officers Survey showed this attitude was far from uncommon. As many as 60% of participants expected an increase in the volume of regulatory enforcement that year, which could drag them away from obligations to strategy, business growth, compliance, and risk management. Other executives (CIOs, CISOs, COOs, etc.) can equally find themselves waylaid by elusive legislation if they don’t hire an executive focused explicitly on data privacy.
Harnessing a Unique Blend of Key Skills
A highly qualified and successful Chief Privacy Officer can look quite different from one organization to the next, which raises a common question: what is the traditional background or career path of a CPO? From our first-hand experience and conversations with clients, it’s clear there’s no single formula for what a typical career path to CPO looks like, though there are common backgrounds and skillsets that top talent share.
CPOs typically have a wide range of backgrounds, including legal, IT, compliance, or even HR. Some businesses are finding that it’s valuable for a CPO to be an attorney, particularly because their law degree can help them dissect and interpret information privacy laws and compliance regulations. Many other organizations are finding value in having a CPO serve in more of a hybrid function, bridging the divide between corporate counsel, IT, and compliance. Regardless of where CPO candidates originate, our conversations revealed they should demonstrate aptitudes in active listening, IT, strategic thinking, cross-functional collaboration, and presenting cogent points to the C-Suite. Moreover, a CPO should always be learning and broadening their knowledge to ensure they understand the evolving ways privacy intersects with security, legal, and other core enterprise functions.
The Certified Information Privacy Professional (CIPP) credential is a common way for many privacy professionals to demonstrate their proficiency in knowing, and applying, data privacy laws and regulations. It is a foundational credential for a variety of roles in legal, IT, HR, and compliance departments that may be on the trajectory to CPO. For any business that’s about to embark on a CPO search, this designation is usually deemed table stakes for candidates seeking to transition into this executive function.
Understanding How CPOs Bridge Departments
How can a Chief Privacy Officer impact the work of other teams? Because of the cross-functional nature of this role, there are plenty of opportunities for collaboration in ways that can transform just about every department within your organization.
On the legal side, the CPO not only can translate the legal implications of IT implementations to the General Counsel or Chief Legal Officer but can provide hands-on guidance around technical language for contract reviews. Moreover, they can work alongside in-house and outside counsel, maintaining compliance across the full spectrum of practice areas.
The Chief Privacy Officer offers a complementary set of skills to the CISO, blending compliance and legal perspectives with a security mindset. Often, these two roles build upon each other’s knowledge to enhance the outcomes for creating vendor management guidelines, managing data breach incident responses, training employees, and conducting due diligence. Also, both the CISO and the CPO are essential to mitigating risk and protecting client data held by third-party vendors.
Overall, the right person in the CPO role enhances connectivity between CISOs, legal, compliance, and other departments. Exceptional CPOs are true collaborators and act as a vital bridge between these other essential areas of the company.
Taking the Next Step
Though the conversation around data privacy is complex and variable, it’s not going to go away if you bury your head in the sand. Now is the time for your enterprise to get ahead of the curve and plan to hire your first Chief Privacy Officer. If you are still wondering where a CPO fits into your executive hierarchy and what specific attributes this person should have, the right executive search firm can help calibrate your requirements.
To stay up to date on trends shaping the executive talent landscape, subscribe to our blog for additional insights.