A Proposed Career Roadmap for the Next Generation Privacy Professional

The concept of a career roadmap is something with which we are extremely familiar. We are both retired military intelligence professionals with a combined 60 years of service to the United States. We grew up in a system that consisted of an enterprise-wide, tiered certification process, which laid out a set of minimum skills and experience levels required at certain waypoints in our career. We have also witnessed the benefits of a structured career roadmap during our tenures in the U.S. government’s civilian career service. Entry-level employees understand exactly what knowledge, skills and abilities they must acquire to compete successfully at the middle and senior technical and management levels. Aspiring U.S. government civilian senior executives, positions comparable to corporate-level executives, also have structured career roadmaps that define executive core competencies they must possess in order to compete successfully at this level.

This is why we are proposing a career roadmap for privacy professionals.

Before continuing, we want to address the term “privacy professional.” We’re aware that many in our profession refer to themselves by other names, such as “data protection professionals.” However, for the sake of consistency, we will use “information privacy” to encompass those who are IAPP-certified and working within the information privacy profession, regardless of where they are on “Google Earth.”

Since 2004, the International Association of Privacy Professionals (IAPP) has made tremendous strides in professionalizing the information privacy profession through its globally recognized accreditation system consisting of the Certified Information Privacy Professional (CIPP), Certified Information Privacy Manager (CIPM) and soon-to-come Certified Information Privacy Technologist (CIPT) certifications.

In 2010, A Call for Agility: The Next-Generation Privacy Professional opined that a “rise in privacy awareness among small and medium-sized businesses, government agencies and other organizations—as well as ongoing maturation of roles pertaining to information governance, risk management, data security and compliance—will create new career paths and opportunities for privacy professionals.” We agree with this assessment and join the growing cacophony of voices from across the globe that believe it is time to develop and implement a career roadmap for the next generation of privacy professionals. Regardless of the privacy model (comprehensive, sectoral, co-regulatory), we believe a roadmap will provide professionals with a plan to progress through the entry levels, mid-levels and senior levels of the information privacy profession.

Our preliminary observations of IAPP certifications indicated no apparent structured relationship between the CIPP, CIPM and soon-to-come CIPT certifications. Moreover, the global information privacy profession appears to lack a general career roadmap that might provide future generations with a pathway to build mastery in the privacy profession. The IAPP’s “Privacy Pathways” program is definitely a step in the right direction. This program allows the IAPP to partner with law schools to enhance privacy education, and to assist students in certifying as IAPP privacy professionals. The Santa Clara University School of Law’s first-of-its-kind privacy law certification is an example of the IAPP’s success in this area. IAPP VP of Research and Education Omer Tene states, “We’re excited about Santa Clara Law’s efforts. At a time when data is becoming the most valuable currency in the information economy, the need for well-qualified professionals who understand global information management practices and the need to safeguard data are growing exponentially.” We strongly encourage the IAPP to expand its Privacy Pathways program to other non-legal academic programs.

We envision a day in the future when high school students, faced with myriad academic and employment options, will decide to pursue careers in the privacy profession. These students will enroll in two- or four-year degree programs at any number of universities globally. Upon graduation, they will enter into the workforce armed with an associate or baccalaureate degree, apprentice-level knowledge of the profession and at least one of the CIPP disciplines. A career roadmap, similar to Figure 1, will provide aspiring privacy professionals with a pathway to success and establish hierarchical relationships between certifications.

Those personnel who choose a non-formal education route will supplement education requirements with equitable work experience and skills. We encourage privacy professionals to pursue formal education to improve their critical reasoning, critical writing, management and other essential skills. To continue their career progression, information privacy professionals will need to complete the appropriate-level IAPP certifications throughout their careers. Some students will continue their formal academic education by pursuing Juris Doctor (JD), other legal professional degrees or non-legal, graduate-level degrees in data protection, information privacy or a related discipline. Privacy analysts, after completing two years of demonstrated work, could seek additional responsibility by pursuing a CIPM certification, as well as a corresponding position. Following four years of experience as a CIPM, many professionals will look for more responsibility at a higher level.

These professionals will serve as the equivalents of today’s chief privacy officers (CPOs) within the private sector. Australia, Canada, the European Union, the U.S. government and others have used legislation to define the responsibilities of CPOs working within their respective governmental systems. They have not established a certification process for these officers. The privacy sector also lacks a common certification for its CPOs. We believe the time has come to develop a certification, the Certified Information Privacy Officer (CIPO), for both private-sector and public-sector CPOs to better prepare them for the multitude of adversarial, legislative and regulatory challenges their organizations will face in the 21st century.

Certifications raise the professional standards by giving special peer-recognition to those who fulfill a prescribed standard of performance and who demonstrate and maintain a high level of documented expertise. We believe the creation of a CIPO certification provides official, public and peer recognition of a person’s competencies and capabilities in the information privacy profession. A tiered certification process, starting with CIPP, followed by CIPM and peaking in the CIPO certification, demonstrates a lifelong commitment to the information privacy profession.

We believe the discriminator between each level of certification will lie in the scope of organizational responsibility. We contend that, in the future, privacy professionals or subject matter experts possessing an IAPP compliance and policy certification, e.g., US, G, C, E, will work within a work center or business unit. The CIPTs will work with their information security counterparts, i.e., CISA, CISO, CISSP, etc. As their work experiences and skill levels increase in areas of scope and responsibility, we believe they will work as CIPMs who will serve as project or program managers within an organization’s business units. We also view this certification as being comparable to the “Certified Information Security Manager” within organizations.

Of note, we have made a clear distinction between the CIPMs and CIPOs that will work in tomorrow’s organizations. We do not view the CIPM position as being on par with the CIPPs in the future. We envision tomorrow’s CIPMs managing teams comprised of entry-level CIPPs within an organization’s business centers, i.e., finance, marketing, human resources, information technology, information security, etc. The word “manager” denotes some level of management responsibility, hence, our designation of the CIPM as an operational manager of information privacy professionals. We envision tomorrow’s CIPOs working with the organization’s senior executives to manage the organization’s strategic information privacy program. They will ensure information privacy is interwoven into every facet of the strategic plan’s enterprise and mission objectives.

We applaud the information privacy profession pioneers who worked diligently to establish the information privacy career field. Their foresight has allowed us to develop a cadre of information privacy professionals capable of addressing the myriad of threats to information privacy. We realize it’s extremely difficult to capture all of the nuances of a career roadmap in a short thought piece; however, we feel that privacy professionals will benefit from having a path to guide them throughout their careers. We hope that this contribution advances the dialogue on this important topic.

Written By

Christopher Stevens, CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT

Written By

Stephen Holland, CIPM



  • Kerry Childe Jun 11, 2014

    Without opining on the benefit of a career roadmap for privacy professionals, I would offer that the levels of education/experience suggested seem to me to be inadequate.
  • James Jun 11, 2014

    There's a saying in information technology that the competence of an IT professional is inversely related to how many certifications they hold. Passing an exam like the PMP is no guarantee that one actually has any competence at project management; it merely shows that one can pass the exam.
    There are a few skills missing here. Privacy professionals like to make a big deal out of 'data', but if data is so important, why isn't training in relational databases (object, no-sql, etc) part of the curriculum? You are going to have a very hard time understanding privacy implications of large scale data processing without at least a basic background in that area. Add to that information security, privacy preserving data publishing, requirements engineering, data mining, etc.
    Privacy has intersections with numerous fields, including law, ethics, communications, accounting, software engineering (etc). At best these little certifications show that someone has been exposed to a few concepts at the level of a multiple choice test. The hard skills (e.g., databases) and soft skills (e.g., stakeholder management) required for success cannot be tested this way. A test like the CIPP/IT is not a form of assurance that a person is competent in those areas.
  • Greg Jun 11, 2014

    The idea of a roadmap is good in that it attempts to provide general directional guidance. However, as proposed here, it seems to neglect consideration of the breadth of other skills, knowledge, and experiences required to be professionally competent. I think perhaps minimal educational and job experience requirements would be more useful for qualifying an individual to earn a specific certification. However, I don't see any direct linkage between the privacy certification and educational qualifications otherwise at this time. The discussion, analysis, and application of controls around topics relating to privacy encompass varying fields and knowledge sets (legal, information technology, business process, social/culture values, etc). I believe the value of many certifications is simply to give credence towards developing and understanding an alternate perspective relative to a particular subject area, and isn't an indicator of expertise in most cases…but more to demonstrate having baseline knowledge. A roadmap for privacy professionals can (and should) go in many different directions beyond what is represented here. However, I do recognize this as a first step.
  • Richard Beaumont Jun 12, 2014

    I too applaud this effort - essentially to map out career pathways within privacy.
    However, I would caution against being too stratified in any model.  And perhaps my own current pathway can illustrate the point.
    Though relatively new to the privacy field, I have years of experience in technology management - such that I am at a middle/senior management position.
    My role and interests in where I want to go in the future, led me to choose to go for the CIPM certification, rather than the CIPP - which in your model would be the entry level.
    I think these certifications, and the new CIPT reflect more the route into the privacy field from other areas - Law, Project Management and IT - rather than necessarily hierarchical levels.
    I also believe experience and skills in other areas can play a very strong role in what would be an appropriate position to place any individual.
    The idea of a senior level CIPO certification is a good one - but equally it could be possible for someone in senior management role in other areas, to enter the profession at that level.
    What would be very useful progressions in my view would be some kind of system of CPD recognition (which of course the lawyers have in their own profession) plus additional levels of recognition of knowledge and experience - often found through the application of titles like 'Master' and 'Fellow' in other professional areas.
    I hope this adds to the debate.
  • Rita Heimes Jun 12, 2014

    The University of Maine School of Law launched one of the first privacy pathways in the US four years ago, in collaboration with IAPP. The law school has a course in information privacy, a three-course Information Privacy Summer Institute that takes place partially at IAPP's headquarters, an opportunity to sit for the CIPP exam, and multiple externships with businesses (including IAPP) for students to get hands-on experience in information privacy law.
  • Domenic Jan 17, 2015

    I too wish to applaud the efforts that were made by the contributors of this article. Where I feel that this information may have more of an immediate and more long term impact, would be for the IAPP to reach out to NIST and establish a way of incorporating this career roadmap within the National Institute for CyberSecurity Initiative (NICE). Data and Securing data in a way that protects Privacy information go hand in hand. If the stated goals are to increase the size of both the Privacy and CyberSecurity workforce with future leaders, having the IAPP and NICE work together would go a long way towards achieving that goal. I see the CIPT has more along CyberSecurity. The CIPP US/G/M/EU/C designations along with Masters degrees can prepare the next generation of leaders of being in the "C" Suite. I am working on Masters of Jurist Law (new program) that I feel will bode well for those (i.e., such as myself) who are looking to be those next CIPOs (e.g., shaping the organization’s strategic information privacy program).

