What Makes a Good Privacy Officer?

Recently, as I was speaking to a talented group of law students, I was asked the above question. This has also been a related theme underlying some of the recent posts on the IAPP Privacy List. I’m not sure if this list is what those who want to enter the privacy field should cultivate in themselves, what current privacy officers are like or what we should be aiming for as a profession.

To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers. In essence, I could stop this blog entry now—that is what we are and should be: compliance officers, salespeople, CEOs, managers and let’s include janitors as well. In fact, let’s look at it that way: What job skills does one need to be an effective privacy officer? If we were to brew the perfect privacy officer, what career fields would we throw into the kettle?

Compliance Officers: In effect, this is what we are. We have a law, rule or regulation that we need to follow. We make sure the company follows this certain law, rule or regulation. We are a cost center. We do not make a profit for the company. We do, however, save the company lots of money. Please do funnel those horrible headlines past your executive committee to show them what you are worth.

Sales: We sell. We sell compliance. We sell the need to do the right thing, even if there is no law, rule or regulation stating what we should do. We sell Privacy by Design. We sell having us in the opening bid of a project. We sell our benefit to the company. We identify the needs, the underlying support, the future benefit and our allies as well as our antagonists. We bring our persuasive skills to the table and close the deal.

CEOs: I borrowed material for this one from Stephen D. Simpson’s “Top Qualities of an Effective CEO.” A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism. S/he needs to be in the right markets at the right time, to drive hard bargains—but not too hard—and to manage for the future, not the mirror. If we as privacy officers are not in the right market at the right time, we miss the privacy boat. We get stranded on the privacy island or get voted off it.

Managers: I borrowed this one from Jacob Morgan’s “5 Must-Have Qualities of the Modern Manager.” As privacy officers, we must be good managers. We need to follow from the front and make sure our employees succeed—when we yell jump, jump with them. We must understand technology—especially in our digital world. We must lead by example, embrace vulnerability and believe in the collective intelligence. Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.

Social Workers: Social workers serve an incredibly valuable role in our society—often dealing with vulnerable populations. To be an effective social worker, one needs empathy, dependability, patience and a slew of efficient, effective and inexpensive resources. S/he must be creative and open-minded yet willing to take on the challenges, including the drudgery of paperwork. Know when to walk quietly, carry a big stick and know when to run in the other direction—calmly and with authority.

Investigators: Investigating is a natural fit for our job as we frequently are investigating complaints and breaches. But what traits do we need as investigators? We need to be perceptive, stubborn, questioning and detail-oriented. We need to keep good notes and be able to connect seemingly unconnected events and facts. We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.

Inventors: “Necessity is the mother of invention.” But it takes someone who is willing to think beyond preset boundaries and create something new. Perhaps it’s an easier way of doing something, or it involves making a program more streamlined and efficient—a little tweak that makes something much easier than it once was. Some privacy officers create a program from nothing, and others have nothing with which to run the program. Regardless, we all hope to see a return on investment.

Mechanics: Mechanics run the gamut from the shade-tree mechanic to the luxury jet mechanic, and so do privacy officers. Some have elite backgrounds and training, while others learned the trade organically and grew up with it. Neither one is better than the other. They’re just varied in credentials and background. But like me taking my car into the shop and duplicating the dinging it does when I take a left turn, colleagues don’t always know something is wrong with their data practices. It just sounds wrong. Privacy officers are left to identify what is broken, trusted to fix it and expected to keep the cost down—oh, and have it ready for pickup this afternoon with a full body detail and the tires done.

Airline attendants: Let’s be friendly, attractive and provide excellent service while keeping everyone safe. Smiling, yet firm. And yes, you have heard this a hundred times before: The plane may be different; the law is not. Just do what you need to do, correctly, when required, and we will make sure you get where you need to be. Oh, and don’t sit in the exit row unless you are willing to help everyone else. Coffee, anyone?

Janitors: Same garbage, different day. But if we weren’t here to clean it up, the world would be in a rough place.

This list is limited to 10 because 10 seems to be the magical number for such considerations, but I bet there are lots of others. What career field would you choose to compare to being a privacy officer? Picture yourself explaining your job to a bunch of six-year-olds … What do you say?

  • Lanita Collette Feb 20, 2014

    Does the perfect privacy officer have a law degree?

  • Lee Feb 20, 2014

    I was right with you until the airline attendant and one little word 'attractive' - strike this, and you have a perfect description, no law degree required. :-)

  • Ester Horowitz, Compliance Inc Feb 20, 2014

    I disagree with the statement that compliance is a cost center. If you really are a CEO mindset then you know how to use compliance to effective profitability not just save the company a ton of money in liabilities. I teach this all the time.

  • K Feb 20, 2014

    Hi Lanita. No, the perfect privacy officer might not have a law degree. I do, as do many I know, but I also know some really good ones who do not. One thing I have noticed is that not all attorneys are good in a privacy or compliance role. It requires a little more or different *something* that not all attorneys have. It's the same as saying not all attorneys are good litigators. There is just a certain mindset or personality that is required. Knowledge can be learned/acquired. That personality or mindset, probably not so much.

  • K Feb 20, 2014

    Hi Lee, You don't know how much I agonized over that one little word, especially given that it used to be a requirement and no longer is due to discrimination claims. I left it in to see if anyone else would pick up on it and disagree. Thank you for doing so! - and thank you for the compliment.

  • K Feb 20, 2014

    Ester, You are so right. I, too, argue that compliance with laws permits companies to sell their widgets - therefore, we are not a burden, we are an enabler. Like HR, we contribute indirectly to profit (and their contribution is much more direct than ours). Unfortunately, this is an argument that will likely never end.

  • Pat Nelson Feb 20, 2014

    "Attractiveness" in this case doesn't necessarily mean physical beauty in any way, it could mean something as simple as not leaving the house looking like a hot mess. If a person can't pull themselves together professionally in front of the mirror, how will a company trust them to pull their compliance issues together professionally.

  • K Feb 20, 2014

    Pat, I LOVE that view! Thank you for eloquently interpreting something I could not define myself.

  • Cindy Compert Feb 20, 2014

    I would also add 'Technology Geek' to the mix- the ability to understand the organization's use of data at a technology level (high level) and what solutions are available to mitigate privacy concerns. If not directly an attribute of the privacy officer, then certainly a resource that can provide that perspective.

  • K Feb 20, 2014

    Cindy, Absolutely! We have to have some understanding of it, if not love, right? Although, I will confess, my IT people hate hearing me use the wrong terminology that I sometimes do it just to see them wince.

  • Chass Brown Feb 21, 2014

    Very good point. A very wise manager once told me to never leave the house without having your "leadership" on: face, hair and dress. Your credibility is 55% based on your LOOKS. You do not have to look like Gisele but you do need to be professional and dress the part you want to play.

  • K Feb 21, 2014

    Chass, you make a good point. I always heard "dress for two positions up" or "let them see what you'd look like in the role you want" - which is exactly what you are saying. I know someone who refuses to brush their teeth, wash their hair, or tend to other basic hygiene because he feels that people should respect him for his abilities not his looks. But no one wants to even try to get past the looks. Like Pat said above, if you can't pull yourself together, can you be trusted to pull together a department?

  • Tim Feb 21, 2014

    Interesting list, but I think you left out a very important skill. Teachers. As a whole, we function as teachers. Given that you ask how we would describe our roles when speaking to a bunch of six-year-olds, I find that teaching comes to mind more readily than some of your examples, albeit your examples are excellent.

  • Eric Chung Feb 21, 2014

    Thank you for the wonderful article K! Adding an often-heard role of a "fireman", fighting fire with the coolest of mind, and evocating fire prevention with the hottest of heart!

  • K Feb 21, 2014

    Thank you, Tim. We are teachers. And sometimes I think it would be easier to teach six-year-olds than some of the adults I have worked with.

  • K Feb 21, 2014

    Hi Eric, What a wonderful analogy! I did not even consider that profession, but it is so akin to what we do. How often do we lament that we are so busy putting out fires that we cannot get our day jobs done? And our day jobs should not be putting out fires, we would prefer to identify drought areas and do fire prevention. And thank you for the compliment. This was a fun and meaningful exercise to go through. It really did help identify necessary skills - and perhaps some that can go on the performance review or resume'.

  • Kate Feb 21, 2014

    I don't think "attractive" necessarily means in the physical sense. We do need to be someone people want to see and consult - not hide from. Smiling but firm - that's practically my motto!

  • K Feb 21, 2014

    Hi Kate, You bring up something that is so prevalent in our world - people need to put a friendly face to our name. They need to be able to know that they can come to us with a concern and we won't shoot the messenger (at least without due process and consideration). We do need to be someone people want to see and consult. I love your motto!

  • Rene' Feb 22, 2014

    Great article, quite creative and entertaining. You can tell by the people who comment that as privacy officers, we find it difficult to fully explain the scope of our roles. Sometimes, we ourselves, cannot put term to it. The article also captures the independent nature of our roles. We are not typical attorneys (for those who are attorneys), nor are we the typical compliance officer, who seems to reside many times with HR or regulatory. We are unique and you captured that well. For myself, I would add EMT or first responder, because we are often called in for an emergency and sometimes we can save the project and sometimes we pronounce its demise. But we must be ready to roll on an instant's notice with our knowledge sometimes the only tool at our disposal. I looked at your other articles as well and imagine the consternation your fresh perspective must bring to your co-workers, especially the other attorne

  • Scott Goss Mar 4, 2014

    I suggest adding brand manager and psychic to your list. A mere compliance mindset will only partially cover the privacy challenges facing modern companies. Compliance is the floor, but a successful CPO must go beyond the law and address risks to his/her company's reputation and trust that consumers and the public put into their products and services. A successful CPO must also be a bit of a psychic to anticipate where the law, industry best practices, and consumer sentiment are heading to help guide their company's next generation of products and services.

  • K May 7, 2014

    Scott, those are fabulous points. On the brand manager, I could not agree more. I have branded my privacy program although you are thinking larger. When there is a breach or someone strengthens their data protections, we look at the brand impact. On the psychic point...If I had a dollar for every time I wished I were psychic, I would not be a privacy officer!

