2017 IAPP-OneTrust Privacy Professionals Salary Survey — Executive Summary

Executive Summary

Salaries are holding strong for privacy professionals in this tenth IAPP salary survey. With Europe’s General Data Protection Regulation (GDPR) looming and an increasing global appreciation for information privacy risks, new opportunities abound for privacy veterans and rookies alike. This report reveals wide variance in salaries, raises and bonuses among geographies, industries, and job titles, as well as among those with and without professional certifications. Who gets the top pay? A privacy pro working in the United States, for a large firm in tech or banking, with the title of chief privacy officer or above, coming from a legal background, and holding a CIPP credential. Those outside the U.S., working for small firms or in health care or government, and coming from a compliance background certainly are at a salary disadvantage. For the first time, this survey presents salary and education data for privacy’s most hotly debated new role: the Data Protection Officer (DPO), revealing that most professionals who currently enjoy this responsibility are not lawyers and earn higher wages than most of their peers.

Methods

The IAPP fielded its periodic salary survey in early 2017, working with third-party research firm Fondulas Strategic Research to document compensation for the world’s privacy professionals.

The survey was sent to privacy professionals by email and via a link in the Daily Dashboard to its more than 30,000 subscribers. We focused specifically, as we have going back to 2003, on salaries, bonuses, and raises, and this year paid particular attention to pathways into the profession. Nearly 900 respondents from around the globe provided detailed information about pay in their own currency, which we converted to U.S. dollars for ease of comparison in this report. All responses were anonymous and only analyzed in the aggregate. The survey did not consider differences in the components of total remuneration packages that might include health care, pension benefits, vacation, or family leave allowances.

Key Findings

In 2017, the median salary for privacy professionals globally is $115,000, an increase of more than $4,000 from 2015. The mean salary is higher, $123,000, reflecting an overall trend of increasing pay over the last decade, notwithstanding the profession’s expansion beyond senior leadership ranks into a wide variety of positions and departments within the enterprise.

Privacy professionals have the same likelihood of receiving a raise as in years past, but that raise is directionally higher on average. We also see a greater likelihood of receiving a year-end bonus, although the bonus amounts are slightly lower than in 2015.

As in prior years, salaries are highest in the United States, where the median salary is $130,000, up from $126,992 in 2015. This compares to a median salary of $95,800 in the European Union, a healthy climb from the median salary of $89,739 in 2015.

U.S. privacy pros also enjoy higher raises and bonuses, both in percentages and in absolute amounts, than their peers elsewhere around the world. Predictably, professionals working in the largest firms, and in the software and banking industries, earn the highest salaries, bonuses, and raises. Salaries vary greatly by position. Those holding the “Chief Privacy Officer” (CPO) title command considerably higher salaries and bonuses than other professionals, reporting a median salary of $170,000 globally and $191,000 in the U.S. However, not many respondents hold that title – only around seven percent are CPOs.

In the run-up to implementation of the GDPR, the most hotly debated job title in the industry is “Data Protection Officer” (DPO), the role mandated under Article 30 of the new European law. Interestingly, this title is already held by 18 percent of survey respondents. This is the first year our survey asks respondents about DPOs, discovering that professionals who hold this title report slightly lower salaries ($106,500 median) than the overall median ($115,000). Looking at regional breakouts, however, we see that those serving the DPO role in the U.S. are particularly well compensated, at $148,000 median, versus $130,000 for those who do not have DPO responsibilities. This high figure is weighed down by those working as DPOs in Europe, Canada, and around the globe, where there is little difference between the salaries of DPOs and non-DPOs.

This year’s survey confirms that there is robust demand for privacy pros. Nearly nine of 10 privacy professionals came to privacy from another job – more often from the legal field than any other. And those who held legal positions previously report a much higher median salary in privacy than those coming from other fields, although those from an information security/IT background also earn above-median salaries.

Another consistent trend is that privacy professionals holding at least one IAPP certification earn markedly higher salaries than those without one, as certifications are more commonly held by those in corporate leadership positions. In the U.S., for example, those with at least one IAPP certification earn on average an additional $25,000 in annual salary ($135,000 vs. $109,400), and those with multiple certifications average more than $35,000 per year over the salary of their non-certified peers ($145,100 vs. $109,400). The percentage of respondents with at least one IAPP certification has grown since 2015 – up to 64 percent from 55 percent.

Professional Pathways, Privacy Experience, and Education

Title and role

More than a decade into the IAPP’s tracking of privacy professional compensation, our population of respondents has stabilized, with 2017 results drawing a nearly identical distribution of privacy professionals across industries and job titles as the last survey in 2015. As in the past, representation is highest from the software and services sector, followed by government. Respondents were most likely to be managers, followed closely by director-level positions. This year, in response to member feedback, we added a new job title category, “associate lead counsel,” which represented 12 percent of respondents.

One-third of respondents serve as their organization’s privacy lead. A small but well compensated proportion (7 percent) hold the title “Chief Privacy Officer” (CPO). At $170,300 per year, CPOs earn the highest median salaries of all privacy titles.

The DPO designation, a title introduced by European privacy law, has grown in importance in the profession’s landscape, not only in Europe but also in the U.S. and rest of the world, due to the GDPR’s mandate. As a GDPR-compliance function, the DPO role is new to many companies and it remains unclear how it will interact with the CPO in privacy leadership, job responsibilities, and salary in the coming years. This year – the first year our survey has inquired about DPOs – 18 percent of respondents identify as having the DPO responsibilities, even if it is not their sole title.

The DPO is directionally more likely to be someone from IS/IT (25 percent) or compliance (26 percent) than someone from a legal background (16 percent), suggesting that professionals have so far not been required to have a law degree to serve as DPOs. This may explain why median salaries for DPOs ($106,500) are slightly lower than the overall median ($115,000), which factors in the higher salaries of privacy pros with a legal background. The median salary of DPOs is also weighed down by the role’s prevalence among EU and Canadian respondents, who on average earn lower salaries than their U.S. counterparts.

As the number of DPOs rapidly expands with the coming into force of the GDPR, we will follow how organizations around the world staff the position. Will the DPO track present itself as a new professional pathway for lawyers looking for ways to expand their job opportunities, or will it lend itself to management and IT privacy professionals without a law degree?

Pathway to the profession

Privacy is still a relatively new profession. Only 11 percent of respondents present privacy as their first professional job. For the nearly nine in 10 who came to privacy from another field, the most common background by far is law (35 percent). The next most common is information security (12 percent), followed closely by information technology (11 percent) and compliance at 8 percent (24 percent specified “other” background). Rank and tenure offer privileges, of course. Survey respondents have spent, on average, eight years in privacy; the median salary for those with between five and nine years of privacy experience is $115,000, with the next salary band – for those with 10-19 years of experience – yielding a median annual pay of $128,000.

Lawyers in privacy

Those coming to privacy from the legal field tend to make the highest salaries – a median of $141,600, compared to the $120,000 median salary for those who were in information security or IT. Each of these professional backgrounds, however, far outpaces the $99,600 median salary of privacy professionals with a background in compliance.

Lawyers also tend to hold “counsel” positions, with 24 percent at the “assistant counsel” or “associate counsel” level and 11 percent as “lead counsel,” while 11 percent serve in a vice president role and 16 percent are managers or other supervisors. Around one in four lawyers – roughly the same proportion as for those coming from other fields – serves as the privacy lead, and lawyers are slightly more likely than others to serve as CPO.

Credentials

Our survey this year also asked respondents about their educational achievements. Consistent with their six-figure median salaries, 93 percent of respondents around the globe have at least a college degree or its equivalent, and nearly seven out of 10 have a post-graduate degree. Among respondents, nearly 40 percent hold an advanced professional degree such as a JD or an MBA.

Many privacy professionals do not stop with the degree, however, but continue to pursue privacy-specific credentials, typically in the form of an IAPP certification. The most popular certification is the CIPP/US, held by 42 percent of respondents globally, followed by the CIPP/E, earned by 21 percent. The number of respondents around the world with at least one CIPP certification jumped from 55 percent in 2015 to 64 percent in 2017.

Among professional certifications, the biggest growth is by the CIPP/E credential, which is held by 21 percent of survey respondents in 2017 compared to just 11 percent in 2015. This is, no doubt, due to the increased global attention to European data protection regulation as well as the IAPP’s general fast growth in the EU.

Which positions tend to have the most certifications? Those in the C-Suite lead the pack at 86 percent, with director roles, at 77 percent, the next most likely to have an IAPP certification. Six out of 10 who fill manager or lower roles also pursue privacy credentials. Among attorneys who answered the survey, slightly more than half hold a CIPx credential; 42 percent hold none.

There is a strong correlation between holding at least one IAPP credential and a higher median salary. Those with CIPT have the highest median salaries at $130,000. CIPM credential holders come next at $129,000 median, followed closely by CIPPs at a median salary of $125,000. This compares favorably with those with no IAPP certification, who have a median annual salary of $95,800.

Holding more than one IAPP certification, moreover, correlates with a significantly higher median salary: $137,200. Multiple credentials also correlate with a significantly higher likelihood of receiving a bonus; 73 percent of those with more than one IAPP certification earn an annual bonus, compared to only 49 percent among those with no IAPP credential.

Of course correlation is not necessarily causation, and the higher salaries could be attributed, for example, to the higher proportion of CIPs in more senior executive ranks. But clearly, the data show that privacy pros in large companies or software and hardware companies, as well as those holding privacy leadership positions, tend to earn higher salaries, and also tend to invest in obtaining IAPP credentials.

Median Salary Data by Region, Industry, Location and Title

Looking for the highest median salaries? They can be found in:

  • The United States, where the median salary is $130,000 and the mean is $138,000.
  • Firms with between 25,000 and 75,000 employees, where the median salary is $127,200 and the mean is $138,300. 
  • Large urban areas, where the median salary is $117,100, or suburban locations where the median salary is $115,000.
  • The technology hardware industry, where the median salary is $146,000, compared to the next highest industry – software – where the average pay is $130,000.
  • The C-Suite and vice president roles, where the median salary is $170,000, compared to lead counsel, which is next highest at $159,700 median annual pay.

On the other hand, the lowest median salaries can be found in:

  • Government positions, where the median salary is $80,500, below the education sector at $86,600, and health care and non-profit privacy sectors, averaging salaries in the low $90,000s.
  • Firms employing fewer than 100 people, where salaries sit just under six-figures at $95,000 per year.
  • Small urban locations, where the median salary is $100,000 and the mean is $110,000.
  • Below-manager positions, where salaries average $80,000 per year. 

Bonuses

Many companies hedge against financial risk by offering employees lower base salaries and providing them with bonuses if all goes well. A significant majority of firms in our survey offer bonuses based either on company performance or a combination of company and individual performance.

Overall, a larger percentage of respondents reported receiving a bonus in this year’s survey compared to 2015, although the median bonus amount dipped from $15,000 to $13,500. 

Companies located in the U.S. and in large urban centers are the most likely to offer bonuses at year’s end. Employer size also factors heavily in bonus awards. Among respondents working for an employer with more than 25,000 employees, more than 70 percent received a bonus, while only 39 percent of those working at the smallest firms received one.

As with the likelihood and size of a raise, discussed below, the banking, telecom, and insurance industries are the most generous in offering bonuses – rewarding more than 75 percent of their privacy staff with bonuses – and are most likely to base bonuses on company performance rather than individual performance alone. Bonuses are rare among those in government (20 percent) or education (14 percent).

Raises

Likelihood of receiving a raise

Privacy professionals by and large enjoy annual raises, as confirmed by this year’s salary survey and consistent with statistics from 2015. Among respondents living in the U.S., 76 percent report receiving a raise, while 65 percent of European respondents enjoyed an annual pay increase.

In companies with fewer than 100 employees, however, only 45 percent of privacy professionals received a raise. Crossing the 100-employee threshold makes a big difference: 67 percent of privacy pros at companies with 100-999 employees enjoy a raise, and 78 percent of those at companies with 1000-4999 employees saw salaries increase this year.

Although salaries in the health care industry are not competing for top billing, raises are common with 82 percent of health care industry respondents reporting a raise. Next highest is the banking industry at 80 percent.

Beyond geographic location, company size, and industry, factors such as title, education, years in privacy, and IAPP certification do not seem to heavily influence the likelihood of a raise. The one exception is the CPO, 81 percent of whom report raises. This compares quite favorably to the average privacy lead (69 percent), DPO (73 percent), or non-DPO (70 percent), although by and large the likelihood of receiving a raise among all those groups is quite solid.

Raise amounts

It’s good to receive a raise, of course, but here size does matter. So we asked respondents to estimate the percentage of the raise they received and looked for trends or distinctions by geography, industry, and title.

Consistent with the likelihood of a raise, the amounts of raises are higher in the U.S. (on average 4.6 percent), and in companies based in large urban areas (4.5 percent). Privacy pros working at firms with less than 100 employees see the smallest raises (3.3 percent) while those at firms with between 100-999 employees enjoy the largest pay increase at 5.2 percent.

Looking at industries, it pays to work in insurance or retail, where privacy employees earn raises of 5.7 percent and 5.6 percent, respectively. Those in the banking industry see the next highest bump at 4.8 percent. Once again, education and government employees report the lowest raise amounts at just over two percent.

What position gets the biggest raise? Once again, the CPO. Among respondents with that title, the average reported raise is 6.1 percent. Those who carry the DPO title, meanwhile, earn a 4.9 percent raise, which is higher than every other position besides the C-Suite and vice president titles.

The data therefore confirms that firms willing to give privacy leaders an “officer” title, CPO or DPO, are also willing to reward them financially for taking on the responsibility.

Conclusion

Even as the privacy profession grows beyond the executive suite, median salaries remain strong on a global average. There is considerable variance of pay among privacy professionals in different regions of the world, across industries, professional backgrounds, job titles, and credentials. In preparation for the GDPR, the new “officer” role of the DPO is coming on strong, drawing $106,500 as a global median salary, and nearly $150,000 in the U.S. alone. Professional certification continues to pay off, with CIPs commanding a sizeable premium over their peers in salary, likelihood of a raise, and bonus amount.

As the profession continues to grow and diversify, it would not be unexpected for the overall median and mean salaries to decline over time. There quite simply was no such thing as an “entry level” privacy professional in the past; we will most certainly see them in the future. Each year, more and more privacy professionals begin their careers in privacy, rather than come from an adjacent profession. It will be exciting to see how their careers develop, and how compensation means and medians fluctuate over time.
