What am I worth and how do I increase my value as a privacy professional? What do I need to pay my privacy staff to attract and retain them? These are the recurring questions hiring managers and specialists have asked for the last two decades as the privacy profession exploded and morphed in multiple directions, and resource models have increasingly become strained. Why have they been so hard to answer?
The short answer is: constant flux. Since I joined the privacy ranks in 2000, near the birth of the IAPP, I’ve watched seven main trends unfold — mostly in the last few years. Taken together, it means privacy compensation is highly contextual and variable.
- Big Tech. A handful of Big Tech companies added thousands of privacy pros to their ranks in the last five years, especially in the rising role of privacy engineer, offering 40-100% higher compensation packages to experienced hires. And many recently rolled off hundreds.
- Unicorns. The recent entry of privacy-technology unicorns into the talent market boosted demand for entry-level analysts and mid-level privacy engineers, but that sector also experienced a round of layoffs.
- Boutiques. A growing panoply of privacy boutiques with flexible compensation structures increased demand for more experienced pros who need less predictability.
- Rainmakers. The standardization of million-dollar compensation packages for chief privacy officers and partners at law and consulting firms attracted top talent with commensurate pay expectations.
- Title dissonance. Varying privacy job titles and corresponding job descriptions below the CPO level create more compensation variability through market opaqueness, rewarding those who work with recruiting specialists.
- Shifting legal regimes. New U.S. state privacy laws, adoption of national privacy laws in dozens of countries and EU General Data Protection Regulation compliance demands have been a boon to privacy-based legal practices, driving up compensation in the U.S. and abroad.
- China rising. The surge in rulemaking and enforcement related to China's Personal Information Protection Law over the past year created a spike in demand for China-related privacy talent.
With all these trends in play, the same educational background and years of experience can yield a significant variance in pay based on geographic location, business model and formal title. How do you know what weight to put on each variable?
One of the go-to starting points in the last two decades has been the annual IAPP Salary Survey. I have been a close student of the survey since its inception in 2003 and even ran it for a few years.
If you mined these reports for their riches, you would notice two things: the focus on the median base salary, and that number’s slower growth over time relative to divergent market data from other sources.
What explains this? Three things:
- As the IAPP survey population grew, much of the growth was among lower-paid junior professionals.
- The share of lower-paid, non-U.S. respondents also steadily grew.
- Higher-paid external advisors have been excluded since 2015.
The 2023 survey's results will be released soon, drawing on yet a broader and larger audience from whom there is much to learn — especially with the global footprint of privacy resources and variance of roles contributing to the overall privacy equation greater than ever.
Looking at the survey data over time, as well as hiring and exit interviewing over a hundred professionals, here are key factors to consider when looking to maximize your compensation:
- Get your CIPP, CIPM and/or CIPT. I see more and more new graduates get their certifications right away, so if you don't have one it raises questions in my mind as a hiring manager.
- Finish a law degree or a master's degree in information systems. Enough privacy job postings require a Juris Doctorate to make a difference, and more and more, the privacy engineer role and similar consulting jobs require a technical background.
- Get in law or consulting stint. Usually done early in your career, this is an excellent way to get paid well, expand your network, and broaden your sectoral and functional experience.
- Work in-house for a U.S. Fortune 500 company. The salary surveys regularly show large employers and U.S. firms pay better.
- Don’t get pigeon-holed. Once you master incident response, vendor reviews and standard contractual clauses — the salt mines of privacy work — move onto the next strategic challenge.
- Steadily lead more people and scope. Like in any job, the more impact you can demonstrate, the better you will fare against your peers.
- Network, speak and write. By getting out into the market at IAPP conferences, local KnowledgeNet meetings, and other meeting and content forums, you will have more data points to know your options.
- Be patient. Surprise developments in the economy and your employer’s privacy budget can put a temporary lid on your compensation. If you take the above tips to heart, be like a surfer and catch the next wave, because it inevitably will crest in our profession.
If you oversee a privacy team, chances are your colleagues have been contacted by recruiters already. Maybe several times. If you have an open headcount, you might be surprised at the rates you suddenly need to pay suddenly. How do you make the most of it?
Here are some considerations for attracting and retaining top privacy talent:
- Compensation. Use the IAPP Salary Survey to help your team keep their compensation in line with their peers
- Work/life balance. Set the tone at the top on healthy workloads, advocate for the budgets needed to engage contingent workers to address workload overages and push prioritization decisions upward to your executives
- Seek internal transfers. Privacy can be learned and there are probably arbitrage opportunities to "buy low and sell high," attracting staff from other parts of your organization who want an exciting uplift in their careers.
- Embrace the gig economy. Retaining employees is broader than keeping staff full time equivalent. Proactively discuss the independent contractor route as a planned career-path option for your staff.
- Rethink the Juris Doctor requirement. If you let your privacy counsel handle legal matters, you can broaden your applicant pool with lower rates for the roles on your privacy program team.
- Engage external recruiters. The value of market specialists can help sort through the various contextual variables and shorten your cycle time, especially for hard-to-fill roles.
- Be transparent. Your less experienced, lower paid staff are probably the most sensitive to different compensation levels elsewhere and are least invested in staying, so they would benefit most from frank discussions about the pros and cons of career paths both inside and outside your organization. Their trust in you may one day lead to them boomeranging back to your team after a high-impact experience elsewhere.
- Throw them in the deep end. The most important nonmonetary aspect of working in privacy is the rapid pace of learning and development our dynamic risk and regulatory environment offers. Giving staff responsibilities that might be a stretch for them at first can accelerate the process and keep them sticking around for more.
Taking a closer look at the IAPP salary data over the past two decades, it’s clear privacy pro compensation rose more rapidly than the reported overall averages implied. As the profession continues to grow worldwide, the data points are piling up regarding the experiences that offer the greatest bump to privacy pro compensation. With compensation expectations exceeding inflation rates, hiring managers will need to adopt flexible hiring and retention models to meet their business objectives.