What Makes a Good Privacy Officer?

Recently, as I was speaking to a talented group of law students, I was asked the above question. This has also been a related theme underlying some of the recent posts on the IAPP Privacy List. I’m not sure if this list is what those who want to enter the privacy field should cultivate in themselves, what current privacy officers are like or what we should be aiming for as a profession.

To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers. In essence, I could stop this blog entry now—that is what we are and should be: compliance officers, salespeople, CEOs, managers and let’s include janitors as well. In fact, let’s look at it that way: What job skills does one need to be an effective privacy officer? If we were to brew the perfect privacy officer, what career fields would we throw into the kettle?

Compliance Officers: In effect, this is what we are. We have a law, rule or regulation that we need to follow. We make sure the company follows this certain law, rule or regulation. We are a cost center. We do not make a profit for the company. We do, however, save the company lots of money. Please do funnel those horrible headlines past your executive committee to show them what you are worth.

Sales: We sell. We sell compliance. We sell the need to do the right thing, even if there is no law, rule or regulation stating what we should do. We sell Privacy by Design. We sell having us in the opening bid of a project. We sell our benefit to the company. We identify the needs, the underlying support, the future benefit and our allies as well as our antagonists. We bring our persuasive skills to the table and close the deal.

CEOs: I borrowed material for this one from Stephen D. Simpson’s “Top Qualities of an Effective CEO.” A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism. S/he needs to be in the right markets at the right time, to drive hard bargains—but not too hard—and to manage for the future, not the mirror. If we as privacy officers are not in the right market at the right time, we miss the privacy boat. We get stranded on the privacy island or get voted off it.

Managers: I borrowed this one from Jacob Morgan’s “5 Must-Have Qualities of the Modern Manager.” As privacy officers, we must be good managers. We need to follow from the front and make sure our employees succeed—when we yell jump, jump with them. We must understand technology—especially in our digital world. We must lead by example, embrace vulnerability and believe in the collective intelligence. Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.

Social Workers: Social workers serve an incredibly valuable role in our society—often dealing with vulnerable populations. To be an effective social worker, one needs empathy, dependability, patience and a slew of efficient, effective and inexpensive resources. S/he must be creative and open-minded yet willing to take on the challenges, including the drudgery of paperwork. Know when to walk quietly, carry a big stick and know when to run in the other direction—calmly and with authority.

Investigators: Investigating is a natural fit for our job as we frequently are investigating complaints and breaches. But what traits do we need as investigators? We need to be perceptive, stubborn, questioning and detail-oriented. We need to keep good notes and be able to connect seemingly unconnected events and facts. We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.

Inventors: “Necessity is the mother of invention.” But it takes someone who is willing to think beyond preset boundaries and create something new. Perhaps it’s an easier way of doing something, or it involves making a program more streamlined and efficient—a little tweak that makes something much easier than it once was. Some privacy officers create a program from nothing, and others have nothing with which to run the program. Regardless, we all hope to see a return on investment.

Mechanics: Mechanics run the gamut from the shade-tree mechanic to the luxury jet mechanic, and so do privacy officers. Some have an elite background and training, while others learned the trade organically and grew up with it. Neither one is better than the other. They’re just varied in credentials and background. But like me taking my car into the shop and duplicating the dinging it does when I take a left turn, colleagues don’t always know something is wrong with their data practices. It just sounds wrong. Privacy officers are left to identify what is broken, trusted to fix it and expected to keep the cost down—oh, and have it ready for pickup this afternoon with a full body detail and the tires done.

Airline attendants: Let’s be friendly, attractive and provide excellent service while keeping everyone safe. Smiling, yet firm. And yes, you have heard this a hundred times before: The plane may be different; the law is not. Just do what you need to do, correctly, when required, and we will make sure you get where you need to be. Oh, and don’t sit in the exit row unless you are willing to help everyone else. Coffee, anyone?

Janitors: Same garbage, different day. But if we weren’t here to clean it up, the world would be in a rough place.

This list is limited to 10 because 10 seems to be the magical number for such considerations, but I bet there are lots of others. What career field would you choose to compare to being a privacy officer? Picture yourself explaining your job to a bunch of six-year-olds … What do you say?


  • Lanita Collette Feb 20, 2014

    Does the perfect privacy officer have a law degree?
  • Lee Feb 20, 2014

    I was right with you until the airline attendant and one little word 'attractive' - strike this, and you have a perfect description, no law degree required. :-)
  • Name Ester Horowitz, Compliance Inc Feb 20, 2014

    I disagree with the statement that compliance is a cost center. If you really are a CEO mindset then you know how to use compliance to effective profitability not just save the company a ton of money in liabilities. I teach this all the time.
  • K Feb 20, 2014

    Hi Lanita. No, the perfect privacy officer might not have a law degree. I do, as do many I know, but I also know some really good ones who do not. One thing I have noticed is that not all attorneys are good in a privacy or compliance role. It requires a little more or different *something* that not all attorneys have. It's the same as saying not all attorneys are good litigators. There is just a certain mindset or personality that is required. Knowledge can be learned/acquired. That personality or mindset, probably not so much.
  • K Feb 20, 2014

    Hi Lee,
    You don't know how much I agonized over that one little word, especially given that it used to be a requirement and no longer is due to discrimination claims. I left it in to see if anyone else would pick up on it and disagree. Thank you for doing so! - and thank you for the compliment.
  • K Feb 20, 2014

    You are so right. I, too, argue that compliance with laws permits companies to sell their widgets - therefore, we are not a burden, we are an enabler. Like HR, we contribute indirectly to profit (and their contribution is much more direct than ours). Unfortunately, this is an argument that will likely never end.
  • Name Pat Nelson Feb 20, 2014

    "Attractiveness" in this case doesn't necessarily mean physical beauty in any way, it could mean something as simple as not leaving the house looking like a hot mess. If a person can't pull themselves together professionally in front of the mirror, how will a company trust them to pull their compliance issues together professionally?
  • K Feb 20, 2014

    I LOVE that view! Thank you for eloquently interpreting something I could not define myself. 
  • Cindy Compert Feb 20, 2014

    I would also add 'Technology Geek' to the mix- the ability to understand the organization's use of data at a technology level (high level) and what solutions are available to mitigate privacy concerns. If not directly an attribute of the privacy officer, then certainly a resource that can provide that perspective. 
  • K Feb 20, 2014

    Absolutely! We have to have some understanding of it, if not love, right? Although, I will confess, my IT people hate hearing me use the wrong terminology so much that I sometimes do it just to see them wince.
  • Chass Brown Feb 21, 2014

    Very good point. A very wise manager once told me to never leave the house without having your "leadership" on: face, hair and dress. Your credibility is 55% based on your LOOKS. You do not have to look like Gisele but you do need to be professional and dress the part you want to play.
  • K Feb 21, 2014

    Chass, you make a good point. I always heard "dress for two positions up" or "let them see what you'd look like in the role you want" - which is exactly what you are saying. I know someone who refuses to brush their teeth, wash their hair, or tend to other basic hygiene because he feels that people should respect him for his abilities not his looks. But no one wants to even try to get past the looks. Like Pat said above, if you can't pull yourself together, can you be trusted to pull together a department?
  • Tim Feb 21, 2014

    Interesting list, but I think you left out a very important skill. Teachers. As a whole, we function as teachers. Given that you ask how we would describe our roles when speaking to a bunch of six-year-olds, I find that teaching comes to mind more readily than some of your examples, albeit your examples are excellent.   
  • Eric Chung Feb 21, 2014

    Thank you for the wonderful article K!
    Adding an often-heard role of a "fireman", fighting fire with the coolest of mind, and advocating fire prevention with the hottest of heart!
  • K Feb 21, 2014

    Thank you, Tim. We are teachers. And sometimes I think it would be easier to teach six-year-olds than some of the adults I have worked with.
  • K Feb 21, 2014

    Hi Eric,
    What a wonderful analogy! I did not even consider that profession, but it is so akin to what we do. How often do we lament that we are so busy putting out fires that we cannot get our day jobs done? And our day jobs should not be putting out fires, we would prefer to identify drought areas and do fire prevention.
    And thank you for the compliment. This was a fun and meaningful exercise to go through. It really did help identify necessary skills - and perhaps some that can go on the performance review or résumé.
  • Kate Feb 21, 2014

    I don't think "attractive" necessarily means in the physical sense. We do need to be someone people want to see and consult - not hide from. Smiling but firm - that's practically my motto!
  • K Feb 21, 2014

    Hi Kate,
    You bring up something that is so prevalent in our world - people need to put a friendly face to our name. They need to be able to know that they can come to us with a concern and we won't shoot the messenger (at least without due process and consideration). We do need to be someone people want to see and consult. I love your motto!
  • Rene' Feb 22, 2014

    Great article, quite creative and entertaining. You can tell by the people who comment that as privacy officers, we find it difficult to fully explain the scope of our roles. Sometimes, we ourselves cannot put a term to it. The article also captures the independent nature of our roles. We are not typical attorneys (for those who are attorneys), nor are we the typical compliance officer, who seems to reside many times with HR or regulatory. We are unique and you captured that well. For myself, I would add EMT or first responder, because we are often called in for an emergency and sometimes we can save the project and sometimes we pronounce its demise. But we must be ready to roll on an instant's notice with our knowledge sometimes the only tool at our disposal. I looked at your other articles as well and imagine the consternation your fresh perspective must bring to your co-workers, especially the other attorne
  • Scott Goss Mar 4, 2014

    I suggest adding brand manager and psychic to your list. A mere compliance mindset will only partially cover the privacy challenges facing modern companies. Compliance is the floor, but a successful CPO must go beyond the law and address risks to his/her company's reputation and trust that consumers and the public put into their products and services. A successful CPO must also be a bit of a psychic to anticipate where the law, industry best practices, and consumer sentiment are heading to help guide their company's next generation of products and services.
  • K May 7, 2014

    Scott, those are fabulous points. On the brand manager, I could not agree more.  I have branded my privacy program although you are thinking larger. When there is a breach or someone strengthens their data protections, we look at the brand impact. On the psychic point...If I had a dollar for every time I wished I were psychic, I would not be a privacy officer!

