What skills should your DPO absolutely have?

Based on surveying data protection officer job postings, companies are trying to fill DPO positions with junior associates with only a few years of experience. Many are treating the DPO as merely an IT role with no legal experience or as a compliance role with no real risk or IT experience. But what does the General Data Protection Regulation in fact require and what do those requirements mean for the DPO’s job skills? It may be useful to summarize the necessary skills into a listing usable to identify qualified DPO candidates, which you'll find at the bottom of this article.

GDPR’s requirements for DPOs:

Risk/IT: Recital 77 and Articles 39.2 and 35.2 require DPOs to offer guidance on risk assessments, countermeasures and data protection impact assessments. DPOs must have significant experience in privacy and security risk assessment and best practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications/seals, and information security standards certifications. 

These skills should be founded upon wide-ranging experience in IT programming, IT infrastructure, and IS audits. While compliance checklists may be helpful, the DPO position first and foremost requires an experienced professional. Because risks constantly evolve, DPOs must demonstrate awareness of changes to the threat landscape and fully comprehend how emerging technologies will alter these risks.  Providing guidance is like the lawyer skill of giving advice, using client-relationship skills to ensure controllers continue to seek such advice even if not in agreement and at the earliest phase.

Legal expertise/independence: Recital 97 and Articles 37.1, 37.5, and 38.5 specify “a person with expert knowledge of data protection law and practices” to assist the controller or processor, to be “bound by secrecy or confidentiality,” and “perform their duties and tasks in an independent manner.”

DPOs must know data protection law to a level of expertise based upon the type of processing carried out. This signifies that DPOs should be licensed lawyers knowledgeable of not only the GDPR and other relevant EU legislation (e.g. E-Privacy Directive) but also privacy and related laws in all jurisdictions their organization does business or outsources operations. 

Confidentiality is second nature to the legal profession. DPOs must have experience acting in an independent manner, indicating a need for a mature professional with client relationship and audit experience to handle the delicate task of discovering gaps, encouraging gap mitigation, and ensuring compliance without taking an adversarial position.

Cultural/global: DPOs will likely be dealing with controllers and processors from different countries and therefore business cultures. DPOs must have experience in dealing with different ways of thinking and doing business and have the flexibility to marshal these differences into a successful result. Think of the simplified example of an organization with a retail presence in Europe, contract manufacturers in China, IT outsourcers in India, and headquarters in the U.S.  DPOs should be based in the EU but globally focused.

Leadership/broad exposure: Article 38.2 requires, “The controller and processor shall support the DPO … by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” DPOs will need to have leadership and project management experience, to be able to request, marshal and lead the resources needed to carry out their roles. They also must be able to critically assess themselves for knowledge gaps and request training in those areas.

DPOs should have broad business experience to know the industries of the data controller and processor well enough to understand how privacy should be implemented to integrate smoothly with the way each company designs and markets its products and services and earns its revenues.

Self-starter/board-level: Article 38.3 requires, “The controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks …  The DPO shall directly report to the highest management level of the controller or the processor.” DPOs have to be self-starters, with the competence and skills to carry out the role without guidance and to know where to find necessary information. DPOs must also have board-level presence and be able to deal with experienced business people who will not know the intricacies of DPO functions. Licensed external auditors such as CPAs/CAs, who audit compliance with laws, standards, and practices, are independent of the auditee, and report to the board, would have this type of experience.  

Common touch/teaching: Article 38.4 allows data subjects to contact the DPO “with regard to all issues related to processing of their personal data and to the exercise of their rights.” DPOs must be able to speak in the language of the average citizen, not in technical or legal jargon, to handle requests and complaints from data subjects. A common touch is helpful to DPOs in their role to protect data subjects’ rights. DPOs must also have skills in both legal training and awareness raising, to ensure all data subjects are aware of their rights and responsibilities and to help train others to assist data subjects on specific requests.   

No-conflicts/credibility: Article 38.6 allows DPOs to fulfill other tasks as long as “any such tasks and duties do not result in a conflict of interests.” DPOs who are members of the data controller’s organization may not perform roles that conflict with their DPO role. For example, a DPO also overseeing information-security has a conflict when their security risk assessments and treatments are evaluated under their DPO role. DPOs should be dedicated or the role outsourced to an independent external DPO. 

Article 39.1 states that DPOs are required “to cooperate with the supervisory authority … [and] act as the contact point for the supervisory authority on issues relating to processing.” A prior relationship with the data protection authority is helpful, or DPOs must be able to establish instant credibility based on their wide experience, knowledge, credentials and relationship skills. 

Summary of DPOs' Required Job Skills

  • Significant (5-10 years) experience in EU and global privacy laws, including drafting of privacy policies, technology provisions and outsourcing agreements
  • Significant (5-10 years) experience in IT operations and programming, including attainment of information security standards certifications and privacy seals/marks
  • Significant (5-10 years) experience in information systems auditing, attestation audits and the assessment and mitigation of risk
  • Demonstrated leadership skills achieving stated objectives involving a diverse set of stakeholders and managing varied projects
  • Demonstrated negotiation skills to interface successfully with DPAs
  • Demonstrated client relationship skills to continuously coordinate with controllers and processors while maintaining independence
  • Demonstrated communication skills to speak with a wide-ranging audience, from the board of directors to data subjects, from managers to IT staff and lawyers
  • Demonstrated self-starter with ability to gain required knowledge in dynamic environments   
  • Demonstrated record of engaging with emerging laws and technologies
  • Experience in legal and technical training and in awareness raising
  • Experience in dealing successfully with different business cultures and industries
  • Professionally licensed as a lawyer and in information security and privacy, including ethical requirements for competence, confidentiality and continuing education 
  • EU resident and independent of real and perceived conflicts

This view was verified against publications from the Network of DPOs for EU Institutions[1] and the Article 29 Working Party [2]. The former specified at least seven years of relevant experience, including knowledge of the institution and its data protection practices. It also included the following personal and interpersonal skills: “Personal skills: integrity, initiative, organization, perseverance, discretion, ability to assert himself/herself in difficult circumstances, interest in data protection and motivation to be a DPO. Interpersonal skills: communication, negotiation, conflict resolution, ability to build working relationships.” The latter extended DPO roles to the Internet of Things. 

The decision lies with each organization: to find these required DPO skills in either a single person or several people, to locate them internally or outsource the role, and to manage this function under the CPO or let it operate independently. The requirements should now be clear; the telling will be how each organization chooses to implement its own DPO role and how that choice affects the likelihood of full compliance with the GDPR.

Written By

Thomas Shaw, CIPP/E, CIPP/US

13 Comments

  • Emma Butler Jan 25, 2017

    I'm afraid I have to completely disagree with several of your assertions in this post. It is absolutely not the case that a DPO has to be a lawyer, that they have to have IT programming or audit skills / experience. It is widely acknowledged, including by regulators, that one person alone cannot possibly fulfil all the obligations and meet all the requirements of the GDPR DPO. To achieve what GDPR requires will need cross-business collaboration led by the DPO. The DPO has always had to rely on technical expertise from other areas, such as IT, internal audit, marketing and legal, and works with these other business functions, rather than providing all the expertise themselves. It is also not the case that the GDPR DPO has to be in the EU. Neither the GDPR nor the Art 29 guidance require this.
  • Madelon Smith Jan 25, 2017

    Thanks, Emma Butler - agreed
  • Carey Lening Jan 30, 2017

    I think that to some degree, those requirements are ideals, rather than requirements. If the estimates are true, there will be 28,000 DPO positions opening up ( https://iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/). And those folks must be EU-based.
    
    Doing a very quick search of a handful of countries, yields about 600 results on LinkedIn (https://www.linkedin.com/search/results/people/?facetGeoRegion=%5B%22no%3A0%22%2C%22gb%3A0%22%2C%22es%3A0%22%2C%22de%3A0%22%2C%22fr%3A0%22%2C%22be%3A0%22%2C%22ie%3A0%22%2C%22dk%3A0%22%2C%22se%3A0%22%5D&keywords=%22privacy%22%20AND%20%22IT%22%20AND%20%22Security%22%20AND%20%22legal%22%20AND%20%22compliance%22&origin=FACETED_SEARCH) . 
    
    That's nowhere near the numbers needed. Even if you factor all 28 EU countries in, I wager you're left with at least 27,000 positions filled. Something will have to give.
  • Leon Ravenna Jan 30, 2017

    First of all, thank you for taking the time to put these down to review.  With so many DPOs needed it will be a difficult role to fill.  The clock is ticking and resource requirements are stiff.  However, providing ALL the requirements listed takes the available pool of candidates to about 200 globally (maybe).   You are correct that it can't be a junior resource and in fact it may need to be multiple senior level resources with focused skill sets.  I tend to see it being a very, very specialized Lawyer or IT/ Audit with a combination of security, privacy, global understanding and customer service/ negotiation skills.  Unfortunately, that doesn't broaden the field a great deal.  My hat is off to anyone who meets all the stated requirements.  I tend to see the first iteration as multiple specific skill sets working for a senior level resource.  Not ideal, but you aren't going to be able to hire someone who hits all the marks, get them up to speed to then implement before June '18.
  • Peter Westerhof Jan 30, 2017

    I beg to differ from the comments by Butler and Smith. The above title clearly states 'Should Have', not 'Must Have'.
    Referring to the 'MoSCoW-rules' of the DSDM-methodology 'Should Have' should be interpreted as 'would probably be classed as mandatory in less time-constrained development, but the system will be useful and usable without them' [ref. DSDM Business Focused Development, 2nd Ed. 2002, Stapleton ed.]
    
    Translated for the above requirements I would say "The DPO has at least a 'foundation level' (ref. Cabinet Office & AXELOS) or better, of knowledge and experience and the capability of improving on those to practitioner level".
    
    Key in my opinion are a helicopter view, the ability to build bridges between experts and the personality to consolidate all necessary input into a time constrained approach and manage that.
    I know for a fact there are ample people qualified.
  • Roger Edwards Jan 30, 2017

    Agreed.  It does not have to be a lawyer, but as the DPO will be the primary contact for the regulatory personnel of the DPAs (many of whom may be lawyers) the data controller just has to be comfortable that the DPO has the professional judgment to balance the duty of candor to the regulator with the recognition that the manner in which company's compliance achievements and challenges are communicated to the regulators will be a major element in determining the nature and amount of any penalties assessed ("good guy or bad guy").  Because the assessment is not likely to be a "check-the-boxes-and-bing-here's-your-fine-amount" exercise the DPO, as appointed leader of the company's compliance effort, must provide candid, revealing, information to the regulator while advocating for the company, all without inadvertently placing the company's efforts in a light that exposes it to the most punitive fine levels for any assessed violations.  Agreed that if a company has the comfort that the appointed DPO will handle that duty in a calm professional manner, and not be at a negotiating disadvantage to the regulator's representatives, then it indeed does not need to be a lawyer.  I don't believe that role of a DPO can be delegated to another individual.
  • Greg Albertyn Jan 31, 2017

    Completely agree...the GDPR in no way suggests the DPO has to be a lawyer. Indeed, the contextual reality of many organizations makes it that a lawyer is not the best choice for DPO.
  • Thomas Shaw Feb 3, 2017

    The PA editor notified me that there were comments, not typical for my PA articles, and asked me to respond.  Let me first thank those who read the article and those who posted thoughtful comments.  Emma, I believe if you read the article again you will find it addresses your two points.  These are the required job skills of the DPO role and it is optimal to have as many as possible in a single individual, for obvious reasons of cost, communication, productivity, and responsibility.  While of course a DPO may rely upon technical skills of others, they must be sufficiently capable in all of these areas to provide an independent assessment.  I did not say the GDPR mandates that the DPO be in the EU, it is just common sense that the person negotiating with local DPAs is co-located in the same geography as the DPA and understands the culture, language, legal cases, and business norms of that member state.  Having practiced around the world I am often humbled by how little I truly understand the thinking and business approaches of the different cultures I work among.
    
    Leon, I agree currently there are not sufficient people who meet all of these requirements.  I am training technology and privacy-focused lawyers here in the EU but the experience gap itself takes years to fulfill and various more expensive stop-gap measures will likely be used in the early days.  Greg, I firmly believe that given no constraints of time, money, and resource, you want a technology and privacy-focused lawyer in the DPO role and that should be the starting point for organizations in their search.  Based on an organization’s unique individual constraints of time, money, and resources and willingness to accept the risk of significant penalties by under-spending on the DPO position, other choices are clearly possible, as I stated in the article.  As with any area of legal compliance, the most significant factors are the corporate culture and the tone set from the top of the organization.
      
    I have a number of reasons for believing that a technology and privacy focused lawyer is the ideal candidate for the DPO role, including all the reasons stated in the article plus issues like the advantages of legal privilege, competency and ethical mandates, and avoiding the unauthorized practice of law.  One point I will leave for consideration is that if the DPO is not a lawyer, this means that they are going to be leaning heavily on the corporate counsel but when doing so, are they still sufficiently independent?  Without the DPO’s ability to rely on their own legal, IT, audit, and risk evaluations and not merely accepting those from internal staff, it seems that it would be difficult to maintain the necessary independence and avoid all potential conflicts of interest.  That is why, for example, internal accountants prepare financial statements and licensed external accountants audit and opine on those statements, based upon their own independent professional judgment.  And so should the DPO.
  • Richard Cooke Feb 7, 2017

    Consideration has been given to the selection criteria for a DPO including knowledge, professional qualities and abilities, as part of a wider study into the implementation of the GDPR provisions on the role of the DPO by the Centre for Information Policy Leadership in their whitepaper 'Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation'.  The executive summary states: 'An overarching goal of the recommendations in this paper is to encourage a flexible interpretation of the DPO requirements to make them work for large multinational organisations, as well as SMEs, start-ups, NGOs and public authorities' and that '..the appointment of DPOs should be based on the specific requirements and needs of an organisation in terms of the skills and qualities required to fulfill the role of the DPO.'  The paper is available here: https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2016/11/final_cipl_gdpr_dpo_paper_17_november_2016.pdf
    
    Thomas cites two sources that were used to verify his list.  The Article 29 Working Party reference is vague, but could in the context of this article be the WP 243 'Guidelines on Data Protection Officers ('DPOs')' and 'WP 243 Annex - Frequently Asked Questions'; as reported by the IAPP these are open for comment until 15 February.  http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf  http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf
    
    The second is the 'Professional Standards for Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001' published in 2010. As the title suggests this is concerned with DPOs working for the EU, and the selection criteria has been defined by the Network of DPOs for the needs of the EU institutions and bodies under the Regulation. Whilst it would be difficult to dispute the personal and interpersonal skills criteria, those for experience as defined by time in role (actually 3 or 7 years dependent upon data protection being defined as a 'core business' and also the volume of data being processed) have been drawn up by the Network to identify 'someone well qualified for appointment as DPO in an EU institution or body' and to perform duties as set out in Section 4 of the standard. Organizations should therefore consider their own needs, and based on this make an assessment of the experience and knowledge requirements for a DPO. https://ec.europa.eu/anti-fraud/sites/antifraud/files/docs/body/dpo_standards.pdf
  • Emma Butler Feb 13, 2017

    Based on Thomas' reply to my comment I am compelled to comment again. I think it is misleading and dangerous to suggest as you do that DPOs should be lawyers and that they should have all the requirements you list in your article. The 'we need a lawyer' myth is one I have been fighting against strongly in the last 5 years as uninformed hiring managers / companies see 'data protection law compliance' and think 'oh we must need a lawyer to deal with that then'. The CPO for Coca Cola is not a lawyer, neither are the heads of privacy for John Lewis, BT, Royal Mail, nor the head of DP EMEA for Fujitsu, nor the VP for privacy and technology at JP Morgan and I could go on to list hundreds of non-lawyer successful DPOs but you get the idea. I think it is a misinterpretation of the GDPR requirements to extrapolate the list in your article as what a DPO needs. Apart from the fact that you can probably count on one hand the number of people with everything you list, it's a completely unrealistic 'job description' to present, and risks not only disadvantaging good DPOs without all the requirements you list, but risks organisations trying to recruit people who don't exist. I recommend CIPL's paper on the DPO role for a balanced interpretation of the GDPR role based on actual experience of its member companies and its EU head (who was formerly the head of privacy for Accenture). https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/final_cipl_gdpr_dpo_paper_17_november_2016.pdf
  • Stuart Ritchie Feb 13, 2017

    Broadly concur with Thomas Shaw, who we should all thank for raising these issues in-our-face. That said, there are serious fundamentals everyone is missing, I imagine because few have seen the elephant in Court if it's screwed up. I have, and foresee a massacre if people recruit in anything but a "professional" manner. 
    
    The first point is that the number one requirement, set above all others, is professional qualities. On combining perusal of the recitals and general statutory and court interpretation, it is submitted this requires an individual human being with current or former membership of a regulated profession in which misconduct can result in permanent deprivation of livelihood by a professional body - for example, doctors, lawyers, accountants. 
    
    Alternatively, an individual human being who both can and has already satisfied such a body that they possess professional qualities. Such mechanisms are readily available - for example, the professional ethics examination I was required to pass when cross-qualifying for professional membership of another such body.
    
    Next, the matter of expertise in law. As it happens, I have some experience in this, having instructed sufficient experts in foreign law that I've had to draft templates to avoid reinventing the wheel. There are three sub-points here: (a) how to avoid instant fail in Court generally with experts in law; (b) the higher Court threshold required for DPOs than for other experts in law; (c) and the extraordinary disaster, unlike with any other expert, that will befall in litigation if the DPO cannot be proved, to the satisfaction of the Court, that the threshold is met.
    
    (a) In legal practice - private international law - I always would try to appoint a former judge in the relevant subject matter, or a very senior advocate in the subject matter, to be confident of success. A PhD might do the trick, but I'd be less confident. The absolute bare minimum, which I've never been sufficiently desperate to try, would be a LLM specializing in the subject matter. As an expert in law, the CV has to be plausible to a Court of, guess what, lawyers. Which leads to...
    
    (b) the extra threshold which a DPO has to pass is that generally at least three lawyers in Court, i.e. the two advocates and the judge, will themselves be expert in the same local law of which the controller claims their DPO is expert. They therefore will have considerably greater and innate skepticism, and permit rather more robust cross-examination, of an expert in local law than of other laws. As a conduct matter, experts normally are handled with kid gloves. Yet anyone lacking credibility as an expert, for example the classic "liar-for-hire", can be handled otherwise with the thorough approval of the Court. I have gotten away with handling certain experts, even medical experts, even professors, very roughly indeed.
    
    (c) Worst of all, the DPO will not be called as an expert in law, but as a witness of fact. So they can be handled without the gentleness accorded to experts. But the real killer (and why they will have to be called as a witness of fact), is that the question of the expertise is sufficient to lose the case for the controller irrespective of the primary pleadings in the case. Why? Because, my friends, a non-expert DPO in and of itself is conclusive of breach of the GDPR, irrespective of the "main" case. Sure it's only a slam-dunk 2% fine per se, but it's the spring-board for much worse, including a more general data subject right fine, followed by class actions. It's going to be an absolute massacre - so much so that I won't be feasting myself. Instead I'm teaching people how to comply now, and when May 2018 rolls around I'll be teaching others how best to feast. Sometimes it's sadistic fun being a lawyer.
    
    So, as Vladimir said, what is to be done? How do we find these superhuman paragons? We look for professional qualities by way of current or former regulated professionals, or those who've satisfied a regulated professional body. And we look for those with a LLM in a relevant field, or litigators in data protection law (note: traditional defense lawyers are non-optimal, prefer plaintiff lawyers because by definition they're one step ahead). As a stop-gap, proof of embarkation on a LLM ought to be sufficient to establish we're trying and nearly there. Which is huge mitigation. This is not rocket science: if you might be found liable, mitigate your quantum as much as you can. Plenty of universities already offer LLMs in data protection law to non-law honors graduates (including a vital preliminary pass-fail crash course in EU law, sorry but I doubt CIPP/E would cut it for a Court), and those that don't have been gearing up since 2015 to do it. 2 years part-time. And don't be frightened, it's much easier than a law degree or graduate diploma in law. Just get it done. In some countries (such as the UK) you don't even need a post-graduate honors year.
    
    Finally, abilities (I tend to regard "skills" as BS (business-speak) or HR-speak). I have a laundry-list of a few dozen items (evidenced by training and/or experience, Thomas admirably covers most of these), as well as a laundry-list of SLAs for externals and guidance of internals. However to me the most important of all is: mediation, which I regard as mandatory (Thomas partly covers this in respect of negotiation, which is half-way there). There are many obvious places in the GDPR where, if a DPO lacks mediation ability (plus either training or practical experience), they are bound to fail and fail miserably. 
    
    Pro tip: don't ever get HR involved in DPO recruitment beyond administrative assistance (not even clerical). You'll end up multiply breaching the GDPR, starting with the job description. If you wouldn't hand over to HR the recruitment of your entire Board, why would you hand them the recruitment of someone far more existentially dangerous? 
    
    I should say I'm not entirely shooting from the hip here: I've been considering these matters since the 2014 draft, and one of my course modules teaches it, and I've put in an 8-page submission to WP29 on, essentially, this.
    
    Post-script: I know only a handful of people around the world who could do the full-on EU DPO job almost straight away. They tend to be local lawyers in the continental EU (especially Germany) or second-career lawyers in the USA with an IT background (though the latter need a crash course in EU law because it's sui generis and even more alien to common lawyers as it is to civil lawyers). I'm not available because I'm too busy teaching this stuff (and grabbing suitable others to teach it)! Good luck out there...
  • Emma Butler Feb 15, 2017

    Reply to Stuart Ritchie: wow. Spoken like a litigation lawyer! You have spectacularly missed the point of a DPO and their role. It is not first and foremost about representing the company in court. In fact, if the company is in the position where it's going to court, it has failed in its privacy responsibilities and needs a practitioner DPO sharpish! If you go to court you get in external counsel / a litigator; you hire a DPO for an entirely different role.
  • Thomas Shaw Feb 15, 2017

    Hello Emma, the PA editor notified me again that there were further posts and asked me to reply.  I guess controversy sells.  I have to admit before your reply I was not aware of you but I see now that you are located in a country that will soon not be part of the EU.  I am also guessing you are not a lawyer.  The converse applies to me, just so I guess we are well positioned to see two sides of this.  Most importantly, I want for you and others to understand this point from my article, that these are the JOB SKILLS of the DPO role under the GDPR (not existing legislation).  It would be ideal if one person could fulfill this role but as you and others have noted, there are less of us out there, so organizations will have to undertake various techniques to address these job skills in the interim.  Rather than targeting lawyers, I wish you would comment on the job skills.  If we generally agree on those job skills for the DPO role under the GDPR (not under existing legislation), then it is merely a matter of how each organization fills those roles, one person or several, internal or outsourced.  Which is exactly what I have now said twice, so I am not sure what it is we disagree on.  Feel free to contact me privately and we can continue to work on our mutual consensus for this topic.


CIPP/E + CIPM = DPO

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»