Privacy Perspectives | Rethinking the role of CPOs: Prioritizing operationalizing privacy controls over legal expertise

In April 2020, I started my role as chief privacy officer of Silicon Valley Bank after serving in the position at Capital One. My time at SVB was both enriching and challenging, marked by the development of a mature global privacy program amid tremendous growth at the bank. Unfortunately, this journey took an unexpected turn earlier this year with the failure of SVB. As I embark on my search for my next CPO role, I’ve been surprised by the prevalence of law degrees being listed as a mandatory qualification for open CPO positions. 

Complex privacy landscape

Granted, CPOs are expected to navigate a complex landscape of data protection laws and regulations. Monitoring, interpreting and providing legal guidance on privacy laws is a crucial function a company must have in place to manage privacy risk effectively. I'm not an attorney, yet I've been successfully building and running corporate privacy programs for the last 24 years. What I'm used to seeing, at least over the past 18 years at my last three companies, is a corporate privacy office that works closely with designated attorneys who specialize in privacy law.

The evolution of privacy laws

In the early 2000s, corporations may have been able to get away with having attorneys draft and post privacy notices without the necessary operations, controls, remediation, monitoring and testing activities you need in place to ensure compliance today. Data privacy laws have evolved tremendously over the past decade. This legal complexity may have led to the notion that CPOs must hold law degrees to interpret and comply with these regulations. While legal knowledge remains important, it should not be considered a major determinant of a CPO's effectiveness. 

Emphasis on operational skills

Since relatively new privacy laws like the EU General Data Protection Regulation and the California Consumer Privacy Act give data subjects the right to access or delete their data and to restrict processing activities, and require the implementation of privacy by design, companies must understand what it takes to build, manage and monitor privacy programs through operational processes, controls, privacy technology, tools and automation. The emphasis should shift towards an operational skill set for CPOs to effectively manage data privacy in the modern digital age.

Operationalizing privacy

It is crucial for CPOs to have the ability to turn legal requirements into practical actions throughout the company’s various departments. Operationalizing privacy controls entails seamlessly integrating privacy considerations into an organization's daily activities, systems, policies and processes. This requires a deep understanding of business process, technology and applications, data flows, data classification and taxonomies, products and services, risk mitigation strategies, incident response, data retention, marketing, third party risk, monitoring and testing, training, and effective collaboration across various departments — none of which requires a Juris Doctor degree or law firm experience.

Collaboration between legal and the privacy office

If you can find a job candidate with a JD and deep experience implementing privacy operations and controls, great. But I believe the best approach is to let the legal experts focus on providing legal advice and counsel on the requirements of privacy regulations. Let legal draft, review and negotiate privacy provisions in contracts and agreements, monitor privacy laws and regulations, interpret laws and their impact on the company, respond to litigation, assess potential legal risks, and draft or review privacy notices. But don't also expect your legal counsel to build and run the operations of a global privacy program, manage the overall privacy execution strategy, integrate controls into business processes and provide legal counsel to itself (conflict of interest!).

Conclusion

Both roles are essential for effective privacy management. In-house privacy attorneys should primarily concentrate on providing legal guidance and ensuring legal compliance, while the CPO takes a strategic and operational role in developing and implementing the organization's privacy program across various functions. My advice to hiring managers: keep the CPO postings coming, just remove the JD from the list of required qualifications.


6 Comments


  • Michael Borromeo • Sep 22, 2023
    Love this article, as it describes my feelings exactly. In addition to the strategic aspect, CPOs need to be able to build and maintain business processes, educate the masses, and win hearts and minds - and you don't necessarily need a JD to do that. Appreciate this shared perspective!
  • Al Raymond • Sep 24, 2023
    I feel your pain on this. Whenever I've been in an interview process and the inevitable (and lazy) question of why should we hire you without a JD when we have another candidate with one comes up, this is how I reply: I love and rely on my legal friends, but you have lawyers in-house, and you have outside counsel. You do not need another lawyer. You need a person who understands the business and how to operationalize privacy. Bam! Hired.
  • Barry Young • Sep 25, 2023
    Love this article, it reminds me of the early days when GDPR was "going live" and you would hear the argument within the business as to where "ownership" should sit. The business would often say it's a legal thing, but the lawyers would protest and say it was technical, while if appointed to the IT/InfoSec teams, they would argue it was a law. Ultimately, I believe that understanding privacy regulations and all that that entails: from ETR, to localization to data subject rights etc. etc. AND the ability to follow through with delivering on those obligations, is a combined and collaborative process. Legal, InfoSec and dedicated privacy pros (who understand such nuance and interplay between the other two areas) are critical in my opinion to providing an all-round solution to the challenge. Project management is also not an insignificant skill in this space, but purely looking for another lawyer? Well, that's just massively restricting and limiting yourself to a pool of qualified and capable individuals in my humble opinion.
  • John Kropf • Sep 25, 2023
    The best CPO I know does not have a law degree.
  • Paul Graf-Nowak • Sep 29, 2023
    Couldn't agree more, the most effective privacy team is the mix of operational - strategic - legal pros!
  • JOHN CHAISSON • Oct 26, 2023
    CPOs must be able to cross-functionally communicate with Legal, but are most effective as non-attorneys. It's my experience that communication between Legal and Tech or Product teams has felt more confrontational than Privacy to Tech or Product communication.
    From my experience, cross-functional analysis and communication is by far the most important skill of great CPOs. The legal framework instilled in law school and the profession at large tends to limit this skill in attorneys.