The GDPR is a new EU-wide regulation that aims to streamline and harmonize the privacy regulations throughout the EU. As a result, most companies will be required to appoint a DPO. It is expected that at least 75 thousand new DPOs will be required as a consequence of the General Data Protection Regulation (GDPR).
The GDPR nicely outlines the tasks of data protection officers (Article 39) but makes nothing more than a passing mention of the education level and skills required, stating only that a DPO should be sufficiently educated for the role.
Since the official description is not detailed enough, we have composed a list of crucial skills a DPO must have. Do not make the mistake of appointing junior staff with insufficient experience, or IT and HR staff without additional education. You will soon understand why!
DPO Tasks: An Overview
The role of a DPO is truly multidisciplinary, requiring a varied skillset consisting of both “soft” and “hard” skills that are necessary for smooth fulfilment of the tasks listed in the GDPR.
A DPO is required to inform and advise the company of its obligations regarding the handling of personal data, not only under the GDPR but also under other national laws. A DPO must also monitor compliance with the provisions of these regulations. Plenty of tasks fall under this blanket responsibility, including the assignment of responsibilities, awareness and staff training, various audits and the like.
A DPO also must provide advice regarding data protection impact assessments; in fact, companies are required to consult a DPO for advice. The DPO also serves as a contact point between the company and the supervisory authority. DPOs handle all communication with the authorities and are responsible for cooperation and consultations.
It is no wonder, therefore, that a wide range of skills is required from a competent DPO. This, of course, depends on the size of the company and the complexity of the processing operations.
SKILL #1: LEGAL KNOWLEDGE
This is the most obvious skill a DPO must possess. A good DPO must know these regulations like the back of their hand, and also regularly monitor the relevant laws for any updates that could influence the business. This requires meticulous attention to detail and quick analytic skills in order to determine what category certain processing belongs to or to give relevant advice to the company.
A DPO should, therefore, be well-versed in legal matters and possibly have a legal educational background. Drafting policies and other agreements should be second nature to them. Often, a DPO will be bound by confidentiality.
SKILL #2: TECHNICAL BACKGROUND
Knowing all the legal loopholes is not enough. A DPO must have practical knowledge of the systems the processing is carried out on – the IT infrastructure, in other words. One cannot give much advice on how to handle breaches if they have no idea how they are caused and how to work towards preventing them.
They must be fully aware of new technologies and potential risks they present to data safety or proper handling practices. Various certification mechanisms are available that DPOs can use to demonstrate their knowledge in this field.
While certain privacy impact assessments and other audits can technically be performed via simple checklists, this is exactly what your company should try to avoid. Seek someone with understanding of the problem; performing assessments just to satisfy the formal requirements could result in huge mistakes further down the road.
Since a DPO must provide advice when conducting privacy impact assessments, general knowledge of risk reduction is also useful. A tiered approach is often recommended – the more sensitive the data, the stronger the security measures need to be (encryption, data destruction, access controls, etc.). A DPO must be aware of all these methods.
SKILL #3: COMMUNICATION
This may be the first ‘soft’ skill on this list, but it is one of the most important skills for a DPO, particularly if they are employed by a multinational organization.
A DPO must be able to communicate with a variety of people from various fields and often coordinate them. People from different countries often have different manners and ways of doing business, so a little sensitivity goes a long way.
It is not unusual for a DPO to have to communicate with business partners from abroad – many products are manufactured in the Far East, for example, and plenty of services are also outsourced to other countries. A silver tongue can go a long way in business!
Additionally, a DPO is the contact point for the company that ordinary people can reach. They should be able to communicate with regular citizens in an engaging, jargon-free manner. Since they are responsible for handling complaints, they must be tactful and helpful at the same time.
A DPO will also have to communicate quite often with top management and other experts, who might not be well-versed in privacy matters. In that case, a DPO should be able to succinctly distil the crux of the matter for them. In other words, a DPO should be able to teach certain concepts to other people while remaining assertive.
SKILL #4: INDEPENDENCE
This is often a double-edged sword. A DPO is very independent by design. The GDPR mandates that a DPO is responsible only to the highest level of management. A DPO must be able to handle all issues and work independently – and the GDPR says so. A DPO must not accept any orders and instructions from anyone in the company.
This can cause resentment from the rest of the staff and impede cooperation, which is critical for the success of a DPO. Some may even feel that a DPO is working against the company’s best interest, especially if the changes proposed by them are deemed expensive or time-consuming to enact. For that reason, a DPO cannot be easily dismissed just because the decisions reached by him/her are met with derision within the company. A company must also provide a DPO with enough resources so that they can perform their tasks properly.
The management should take care to ensure a DPO is well integrated into the company. DPOs must be involved in and kept up to date with new projects and schedules if they are to do a good job.
SKILL #5: CREDIBILITY
Having no conflicts of interest is a prerequisite of becoming a DPO. The head of an IT department could have a conflict of interest as a DPO, since he/she would in fact be assessing their own work. It is best to keep the role of a DPO dedicated, i.e. segregated from other roles within a company if at all possible.
It is a good thing for a DPO to appear (and be) credible when communicating with the supervisory authorities. Good cooperation could mean huge savings in terms of fines. A fruitful relationship with the regulators should always be nurtured. Seek someone with experience dealing with regulators if this is a priority to you.
General Recommendations
It is recommended that experienced experts fill the role of the DPO. This entails at least 7 years’ experience in both legal and IT matters. Smaller companies could very well outsource a DPO and ‘call it quits’, while larger corporations could require several DPOs, each DPO with their set of strengths and weaknesses. Supervisory authorities will audit DPO credentials to weed out sham DPOs, so take care and really employ only knowledgeable individuals.
Of course, employing several DPOs, or a single senior one, could be an insurmountable expense for smaller companies. That is why we recommend outsourcing as a better option than designating someone with insufficient education as a DPO, since this is a very responsible role for the company, and bad performance can not only result in fines, but also ruin your company’s reputation.