If you hold a Data Protection Officer title today, there is a good chance the job description you were hired against no longer describes your week. You were appointed to oversee compliance with the General Data Protection Regulation. Somewhere in the last eighteen months you also became the person who answers for the company’s AI models, its data ethics posture, and an expanding share of its cybersecurity regulatory obligations. The title did not change. In most cases, neither did the pay. This is the central problem facing privacy leaders in 2026: the role quietly absorbed several adjacent disciplines, the market has not repriced it, and the regulatory framework that governs the DPO position was never designed to carry this load.

This piece is about how to recognize what your role became, why the AI governance grab happened, why it should not always sit with one person, and how to renegotiate scope and compensation from a position of evidence rather than grievance. For the wider context on how leadership roles are being redrawn across the security and privacy function, see The State of Security Leadership in 2026.

What the role became

The expansion is not anecdotal. Survey data on chief privacy officers and senior privacy leaders shows that the function has been treated as the default home for any governance problem involving data. Roughly 69% of privacy leaders reported taking on additional responsibility for AI governance. The same share, about 69%, picked up data governance and ethics. Around 37% absorbed cybersecurity regulatory compliance, and a smaller group took on platform liability and related obligations. Taken together, more than 80% of privacy teams reported gaining responsibilities beyond privacy itself.

Read those numbers as a single trend rather than four separate ones. The organizational silos that used to separate privacy, cybersecurity, AI, ethics, and legal compliance have collapsed into one another, and the privacy office is where the pieces landed. The logic, from an executive’s point of view, is lazy but understandable: the DPO already deals with regulators, already understands data flows, already runs impact assessments, and already operates with some degree of independence. So when a new data-adjacent obligation appears, the path of least resistance is to hand it to the person who looks closest to it.

The result is a role that is broad, senior in responsibility, and frequently misclassified in the pay structure. You are doing the work of a cross-functional governance lead while being titled and compensated as a single-regulation specialist.

The AI governance grab

AI governance is the clearest case. As organizations rushed to deploy machine learning and generative systems, someone had to own the risk, and the DPO was the obvious candidate. There is real overlap. AI systems process personal data, so data protection impact assessments and AI risk assessments touch the same material. Both disciplines care about purpose limitation, data minimization, transparency, and the rights of the people affected by automated decisions.

But overlap is not equivalence, and the timing matters. The bulk of the EU AI Act’s substantive obligations, including most high-risk system requirements and the full penalty regime, take effect on 2 August 2026. That deadline is forcing organizations to staff AI governance now, and the cheapest way to staff it is to extend the existing DPO’s mandate rather than create and fund a new function. If you want the operational detail of what that deadline requires, see the EU AI Act August 2026 deadline.

The convenient move and the correct move are not the same thing. AI governance demands competencies a data protection background does not automatically supply: model risk and validation, bias and fairness testing, the technical behavior of machine learning systems, conformity assessment under the AI Act, and the engineering relationships needed to influence how systems are actually built. A DPO can learn these things, and many are. But assigning the work by default, without a budget, a title, or an acknowledgment that it is a distinct discipline, is how organizations end up with AI governance that exists on paper and nowhere else.

DPO versus AI Officer

The legal architecture underlines the difference. The DPO is a statutory role. Under the GDPR, certain organizations must appoint one, and the regulation specifies the DPO’s tasks, independence, and protection from dismissal for doing the job. It is a defined position with defined guarantees.

The AI Officer is not. The EU AI Act does not mandate an AI Officer the way the GDPR mandates a DPO. The role is strongly recommended, particularly for providers and deployers of high-risk AI systems, but it is not legally compulsory. That distinction is being used against privacy leaders. Because the AI Officer is “only” recommended, organizations treat the function as optional staffing, and the duties get folded into the mandatory DPO role at no additional cost. The obligation is real; the dedicated headcount is treated as discretionary.

There is also a genuine independence problem with merging the two, and it is worth raising explicitly in any conversation about your scope. The DPO’s value depends on independence and freedom from conflicts of interest. The same principle is now being applied to the AI Officer function: the person overseeing AI use is supposed to act without interference or pressure from management. If one person both sets the direction for AI deployment and serves as its independent overseer, that independence is compromised. The DPO who is told to “make the AI work” cannot credibly be the same person who certifies that it is lawful and ethical. For organizations building high-risk AI, separating the roles is not empire-building. It is the only way to preserve the independence both functions are legally supposed to have.

This is where the emerging “digital compliance officer” or “digital governance officer” model enters. Rather than bolting AI, data ethics, and cyber regulatory duties onto a DPO title invisibly, some organizations are creating an explicit umbrella role with a mandate, a team, and a budget that match the combined scope. That model is not automatically better. Consolidation under one leader can recreate the same independence conflict at a higher altitude. But it has one decisive advantage over the status quo: it names the work. A role that is named can be staffed, scoped, and paid. A role that is merely assumed cannot.

The pay and scope gap

Now to compensation, where the honesty has to be sharpest. Public salary data for the DPO title is wide and, frankly, unreliable as a single benchmark. Aggregators in mid-2026 show average annual figures clustered roughly between $119,000 and $131,000 for the US market, with a typical range running from the high $80,000s into the $160,000s depending on source. One outlier source reports far lower figures that almost certainly reflect part-time or junior listings. The spread tells you that “Data Protection Officer” is not a clean market signal. It captures everything from a part-time compliance coordinator to a senior executive answering for AI, ethics, and multi-regulation exposure across a global business.

That ambiguity is the trap. When your title benchmarks to a number, and your actual responsibilities span three or four disciplines that each carry their own market rate, you are being paid against the narrowest interpretation of what you do. The AI governance work alone, performed by a dedicated AI Officer or model risk lead, commands its own compensation band. The data ethics and governance work does too. You are absorbing several priced functions and being paid for one.

The gap persists for structural reasons, not because anyone decided to underpay you. Privacy roles were historically slotted as cost-center compliance positions. The scope expansion happened faster than HR job architecture could track it. And the absence of a legal mandate for the AI Officer role gives organizations a ready justification for not creating a new, separately compensated position. None of those reasons survive contact with a well-documented case. They persist only as long as the expansion remains undocumented and unspoken.

How to renegotiate

The objective is to convert an invisible scope expansion into a visible, priced, properly governed role. Approach it as a structured case, not a complaint.

Document the actual scope. Before any conversation about money, write down what you actually own. List every domain you are responsible for, mapped to its source: GDPR for data protection, the EU AI Act for AI governance, sector and cyber regulations for the rest. For each, capture the obligations, the recurring deliverables, the assessments you sign, and the personal and organizational liability attached. The goal is a single document showing that your role spans four priced disciplines, not one. This is the foundation; nothing else works without it.

Separate independence from operations in writing. Identify where your oversight duties conflict with operational pressure, especially in AI. Naming the conflict does two things at once. It protects you, because an independent role you cannot perform independently is a personal liability. And it strengthens your case for either a properly resourced umbrella mandate or a genuine split of duties. Independence is not a soft concern here; it is a legal feature of both the DPO and AI Officer functions, and a documented conflict is a serious governance finding.

Fix the title. Title drives both internal authority and external market benchmarking. If your responsibilities have grown into AI governance, data ethics, and cyber compliance, “Data Protection Officer” understates the role and anchors your pay to the wrong band. Push for a title that reflects the actual mandate, whether that is a digital governance or digital compliance officer designation, or a clearly defined dual structure. The title is not vanity. It is the keyword your compensation will be measured against for the rest of your tenure.

Benchmark against the real role, not the old one. Bring comparison points for each discipline you cover, not just for the DPO title. Show what a dedicated AI Officer, a data governance lead, and a cyber compliance lead are paid in your market, and present your role as the combination it has become. Anchor to the broader, more senior bands, because that is the work being performed. Aggregated DPO averages are a floor to argue up from, not a ceiling.

Secure the reporting line and the resources. Compensation is only half of it. An expanded mandate without independence, budget, or staff is a setup for failure and personal exposure. Press for a reporting line that preserves independence, ideally to the board or an executive without an operational stake in the systems you oversee. Specify the headcount and tooling the combined scope requires. If the organization will not fund the role, that is itself a finding worth documenting, because it tells you the mandate is nominal and the liability is still yours.

Conclusion

The privacy leadership role of 2026 is not the role the GDPR drafted. It has become the default owner of AI governance, data ethics, and a growing slice of cyber regulatory compliance, often without a corresponding change in title, pay, independence, or headcount. The 2 August 2026 AI Act deadline is accelerating this, because extending an existing DPO is cheaper than funding a new function. That convenience is exactly what you have to convert into a conversation.

The leverage is real, and the timing favors you. Organizations need this work done and done credibly, and the deadline is non-negotiable. The privacy leaders who come out of this period well will be the ones who documented their actual scope, named the independence conflicts, and renegotiated title, compensation, and reporting line on the basis of evidence. The ones who stay quiet will keep carrying four disciplines on a one-discipline salary, holding the liability for all of them. Decide which of those you intend to be, and start writing the scope document this week.

This article is provided for informational purposes only and does not constitute legal, financial, or career advice. Compensation and regulatory figures reflect industry reporting available as of mid-2026 and vary by jurisdiction and sector.