• Privacy
  • Regulations

How To Become A Chief Privacy Officer (CPO)


The Privacy job market continues to accelerate. There are more entrants every day and robust movement between companies. Privacy is now recognized by many companies as not simply a compliance requirement, but rather increasingly an area of competitive differentiation critical to business success. As such, those accumulating requisite experience and know-how are sought after and moving up the ranks as programs mature and capture increased funding.

One thing is clear, there has been no single pathway to privacy or its top slot. The road for today’s leading privacy professionals is typically a winding, forked, anything but straight path. This is evidenced by the many panelists and attendees at the Summer 2022 Spokes Privacy Technology Conference, (held June 22-23) and every year since its inception.

So, what does it take to secure the top slot? How does one become a Chief Privacy Officer (CPO)?

Host, George Ratcliffe, Head of Data Privacy and GRC Search at executive search firm Stott & May was joined by VMware’s VP and CPO Stuart Lee and Noga Rosenthal, CPO and General Counsel of adtech company, Ampersand to discuss How to Become a CPO and provide sought-after insight.

Key CPO attributes

“Privacy is one of those fields where you really need to have a broad understanding. It’s a renaissance field in every sense of the term. As a privacy leader, you will be pulled into meetings from HR, sales, and marketing to IT and Customer Success. You really need to be able to understand the different needs and areas of the business.

—Stuart Lee, VMware

As a result, a successful privacy leader needs to be able to speak the language of the business and industry that you’re in to really help get your point across.”

And of course, as Lee notes, you need a deep understanding of what the privacy requirements are, how they playout globally, and how they impact your business. “There really is a lot there.”

Importantly, “it’s not just enough to be able to recite law verbatim. You need to understand how you can communicate those requirements back to your stakeholders” while maximizing value for the company and doing right by the customer.

“I think a lot of us here today, and indeed anybody who’s a CPO, DPO, or privacy leader in any way, walks that tightrope every single day: how do we make sure we’re meeting [customer] requirements and expectations, while helping our business to do what it needs to do.”

For Rosenthal, the soft skills are critical. “Being able to speak clearly and make things understandable to everyone, and not speaking in such a high level that nobody has any idea what you’re talking about.

I remember the first time I said to my marketing team ‘Hey, we I don’t want to use the word anonymous; can we use the word pseudonymous?’ And they all just looked at me like ‘I can’t even spell that, what are you talking about?’

—Noga Rosenthal, Ampersand

The ability to be flexible and deal with ambiguity are next on her list of critical “soft skills.” She cautions that what can make the job so difficult is that the laws aren’t very clear. “We have to use our instincts, we have to use benchmarking, we have to look at risk. And sometimes people want a job that’s very clear cut with drawn lines. This is not that job.”

Lastly and perhaps most importantly, it’s about building trust.

Are certifications really necessary?

Rosenthal has a significant history as a privacy professional, and “It was interesting to me.” She relates that as “I was going to DC, speaking on panels, I was applying for a job, and they asked me for it for my CIPP certification. I thought, ‘really?’” To be clear, she does think certifications are helpful. “It’s a checkbox.”

“There’s no replacing grey hair,” says Lee. “You just have to have the experience of going through a lot of the [privacy] exercises, because privacy has long been principle based and when you’re interpreting principles and applying it to what you do, then that often based on the experience of what you’ve seen work and fail.”

—Stuart Lee, VMware

Lee tells the people he works with that “it’s great to have the certifications, but if you don’t have the experience to show that you know what that means it doesn’t really help. That’s the key part.”

Stuart notes that years ago it was the Data Privacy Officer (DPO) that was “the first person invited to any party, but in the event of a regulatory investigation or an incident your DPO became the host of the party.”

The privacy lead is the one involved in instant response and working with regulators. “Trust is incredibly important and it’s a 360-degree relationship with your stakeholders, customers, and the regulators. There is no replacing experience.”

Ultimately, while credentialing may help at the start, becoming a Chief Privacy Officer (CPO) is about experience.

What is the executive recruiter looking for?

“The all-arounder,” says Ratcliffe. “We get a lot of questions about the lawyer v non-lawyer debate but setting that question aside for the moment, “it’s absolutely somebody that can cover all bases. And somebody that is an excellent communicator can build that trust.” Interestingly, says Ratcliffe, “the conversations around the softer skills go on for far longer and are far higher up the agenda than the harder skills that come to you later on around the technology side.

The softer skills and the cultural alignment between the company and the individual takes up 75% of the conversation. And is the role right for you or is it just the title?

—George Ratcliffe, Scott & May

It’s not enough just to say I’ve managed DSARs, and I’ve done X number of reviews. It’s how have you actually made the process something that is really a strategic initiative. Really understanding how those are going to impact the business.

Ultimately, “when we’re looking at executives, whatever the industry, being able to tie in business objectives and goals [in terms relatable to the various stakeholders] is super important,” says Ratcliffe.

Clearly, the CPO role requires the ability to relate the arcana (and nuances) of privacy to your stakeholders across the organization – from sales and marketing to IT and operations, from executive management to your consumers to gain the buy-in necessary and be successful. This takes exceptional communication skill.

“The harder skills,” opines Ratcliffe “are easier to develop with certification training courses and the other types of things that you should be picking up naturally as you develop throughout your career.”

Lawyer versus non-lawyer

A legal background has “certainly been the path of least resistance for filling the role of a privacy officer,” offers Lee.

“Where it becomes super interesting is when you really think about what your chief privacy officer is charged to do, versus what a data protection officer is charged to do, and what counsel is provided to do.

You’ve done the education on the CIPP; you have the experience of doing privacy risk management and DSARs – often working directly with business. None of those things that you picked up along the way you’ve learned by completing a legal education. You’ve got it through your experience in the field.

—Stuart Lee, VMware

That said, continues Lee, you absolutely have to have a legal counterpart. “I would also argue that if you’re a CPO, who is a lawyer, you should have a really good business operations person with you as well,” suggests Lee.

In fact, when you look at Data Privacy Officers (DPOs) who have been around much longer than CPOs research showed that approximately 28% were lawyers, and another 28% were IT professionals, notes Lee. “There’s a huge kind of balancing act and It’s often determined based on the industry you’re in. if you’re in a very highly regulated industry it will likely lean more towards favoring lawyers as a CPO.”

As a lawyer, and playing devil’s advocate, Rosenthal counters, “of course, it should be an attorney because you’re taking laws, interpreting them, and that’s what legal should be doing” rather than breaking the role in two and having privacy go to legal to get the interpretation.

“Another piece to consider” offers Rosenthal “is you’re doing contract negotiations. You want it to be an attorney. When you’re negotiating, you’re usually negotiating with another attorney, so you need two attorneys talking to each other, though that’s not always the case.”

However, some of the strongest privacy CPOs out there are not attorneys.

—Noga Rosenthal, Ampersand

So are there challenges for someone coming from a legal background asks Ratcliffe.

“I’ve had attorneys work for me from the commercial side switch over to privacy and the greatest struggle” says Rosenthal is the lack of clarity in the law. And “they don’t get that.” She further points to the disadvantage stemming from a lack of knowledge regarding things like cookies and browsers.

“Your IT guy knows all your networks, all your systems, and that’s a huge advantage. You can jump right in and understand where the data is coming from.” So conversely, here is where the Lawyer does have to go elsewhere.

Lawyer or not – privilege, contract negotiations, and interpretation of the law notwithstanding – it is fair to say that the CPO can’t go it alone. Allrounder or not. But the emerging law in the U.S. is clear: whatever your background, a CPO must be “qualified.”

Listen to the session audio