How to hire your first Chief Privacy Officer

How to hire your first Chief Privacy Officer

Data privacy is becoming more complex to navigate as countries, regions and companies continue to evolve their regulations and policies.  Since the implementation of GDPR, it has been a legal requirement to have a data protection officer (DPO) assigned to oversee these matters. However, in many cases this role has been assigned to an existing team member, or outsourced to a contractor. Things are now changing. The responsibilities are too great and a solid data privacy strategy is no longer just about compliance.


Chief Privacy Officer vs Data Protection Officer

These two job titles are often interchangeable, but in reality they are quite different.  A Chief Privacy Officer is a full-time, in-house employee who is a more active participant in business implementation and strategy. On the other hand, a Data Protection Officer can refer to someone in an organisation who holds a dual role (with the DPO role assigned to their existing responsibilities) or it may refer to an external, independent DPO who could also work for other organisations.


Why hire a Chief Privacy Officer?

The Data Protection Officer role first emerged when GDPR was introduced and it continues to be a key post to ensure organisations have the right data protection strategy in place and that they are fully compliant with legislation.  Now, we are seeing an uplift in businesses hiring a dedicated Chief Privacy Officer who can undertake additional duties, such as  educating employees on the importance of data privacy matters and training those who handle data, and turning Privacy into profit centre. They also serve as the main point of contact between the company and the relevant data protection authorities.

With legislation continually changing around the world and the increased threats and attacks on data, the role of Chief Privacy Officer has become indispensable for large organisations.


Can a current employee become a Chief Privacy Officer?

In theory, yes.  However, the role brings a high level of responsibility, so it is not advisable to appoint a current employee, unless they demonstrably have all the requisite knowledge in data protection law and relevant experience.  It also cannot be an employee whose existing role may prove a conflict of interest; such roles may include marketing, HR or IT managers.

With both these factors in mind, it is far more common nowadays – not to mention sensible -  to hire a specialist CPO from outside the organisation, to take on a full time role in data protection.


What are the differences between an internal DPO (Or Chief Privacy Officer) and an external DPO?

Some organisations choose to work with an external contractor, while others will appoint their own full time, in-house Chief Privacy Officer. While the core responsibilities are ultimately the same, there are various factors to consider when deciding which is best for your organisation.



A Chief Privacy Officer is a company employee, with the same level of protection against dismissal as any other employee. On the other hand, an external DPO works to an agreed set contract – and the notice period along with other terms, are up for negotiation.



Even with the costs of hiring and ongoing training factored in, hiring a CPO is usually far more cost-effective than using an external agency. However, external DPOs do bring a higher degree of flexibility, so are a good idea if you have additional short-term requirements or an audit.


Independent vs Integrated

An external DPO may be viewed as a more impartial resource, bringing an independent point of view. However, in reality, there are far greater benefits to having a data privacy specialist who is integrated into the business and invested in its long term strategy.


Skills and qualifications to look for in a Chief Privacy Officer

The Chief Privacy Officer or Data Protection Officer role does vary according to the size of company and the industry sector they operate in. They can also come from a vast amount of background, including legal, risk, security and compliance. However, there are some core skills which recruiters and hiring companies will need to look out for, when considering applications.


Essential Skills
  • Vital – but often overlooked - are soft skills, the ability to bring other departments on board, collaborate and communicate effectively
  • Excellent knowledge of GDPR and sector-specific data protection laws, and as important, research skills (no one can know them all)
  • Commitment to keeping up with evolving legislature
  • Extensive knowledge of emerging technologies and how they affect data protection
  • Mentoring and training experience


Writing a job description

CPOs and DPOs are in increasing demand – and this demand is only growing as rules and regulations across the globe continue to evolve and AI Governance falls to privacy teams.  This means that candidates can be selective in their job search.

Data privacy specialists will want to work for a company which understands the importance of the role, so writing a compelling job description is really important, if you want to secure the best talent. As well as setting out the role and its responsibilities, it is important to highlight the company’s culture and values and how data protection fits into the fabric of the organisation.  At Leonid, we proactively seek out the best candidates, rather than writing an ad and waiting for the applications. However, it is still important to have a well-written job description to share with potential applicants.


Where to find help in recruiting a Chief Privacy Officer

A specialist data privacy recruiter should be your first port of call. They will understand the market and will be well connected with the data privacy community.  It is well documented that data privacy is one of the hardest markets to recruit in, so having a specialist on your side can be invaluable!

At Leonid, we work solely on a search basis, so when we are instructed by our clients, we reach out to our networks and proactively seek out the very best people for that role.  Unlike traditional contingency recruitment, this enables us to approach the most sought-after ‘passive’ candidates who aren’t actively looking for a new role and therefore would not be drawn in by a job ad, because they simply wouldn’t see it.

If you would like to find out more about our data privacy recruitment, you might like to read our data privacy global hiring guide – which contains exclusive salary data and recruitment market insights.


Or, for an informal chat, please contact Tom Woods to find out more!