Many company executives believe that they can hire a fairly junior IT specialist or assign the office manager (or another existing generalist staff) to fulfill the role of DPO. This is not the case. The DPO needs to be appropriately qualified, or else you could be in breach of the General Data Protection Regulation (GDPR).
The DPO doesn’t necessarily need to be a salaried employee; the position can, in fact, be outsourced. A group of companies might appoint a single DPO, provided that the person is easily accessible from each establishment.
The DPO’s tasks, as defined in Article 39 of the GDPR, are listed here:
- Inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws.
- Monitor compliance with the GDPR and other data protection laws, as well as with your data protection policies, including assigning responsibilities, raising awareness, training staff involved in processing personal data, and conducting (or being consulted on) internal audits.
- Provide advice on data protection impact assessments (DPIA) and monitor performance of the project to which the DPIA relates.
- Co-operate with your supervisory authority.
- Act as the contact point for your supervisory authority on issues related to data processing.
Experience in privacy and security risk assessment
Article 39.2 of the GDPR requires DPOs to “have due regard to the risk associated with processing operations.” This reflects other risk-based provisions of the GDPR, such as the requirement under Article 24 to implement “appropriate technical and organizational measures” in order to demonstrate compliance and to maintain security of processing. In both cases, the GDPR says the “appropriate” measures should “take into account the nature, scope, context and purposes of processing as well as the risks” to data subjects. This obligation is likely to require DPOs to provide guidance on risk assessments, DPIAs, and best practices to mitigate risks.
For these reasons, it’s helpful if your DPO has a strong background in privacy and security risk assessment. A background in IT programming, IT infrastructure, and Information System audits would also be useful in order for the DPO to provide meaningful and useful guidance in risk mitigation.
Knowledge of data protection law and practices
Article 37.5 requires the DPO to be a person with “expert knowledge of data protection law and practices.” A DPO should certainly be very familiar with the GDPR and its application in practice, as well as other relevant data protection law and practice. This includes overseas data protection laws in any country where the organization has any presence. Recital 97 provides some guidance around how to determine the necessary level of expert knowledge according to:
- The data processing operations that are carried out
- The protection required for the personal data processed by the data controller or the data processor
The GDPR doesn’t require the DPO to be a qualified lawyer or have any formal legal qualifications.
Ability to work independently
Recital 97 states that the DPO should not have any conflicts of interest and be able to perform their duties and tasks in an independent manner — the DPO should be able to carry out their duties as they see fit, with no influence from the board of directors or other people within the organization. This necessitates a level of seniority, independence, and the ability to assert themselves.
The DPO is allowed to perform other functions within the organization, but cannot perform roles that conflict with the DPO role — such as when determining the purposes and means of data processing. An example of this would be where an Information Systems manager may want to scan everyone’s email for data loss prevention purposes, but the DPO may consider that this is not appropriate from a GDPR perspective. If you combined the Information Systems manager and the DPO into a single role, there would be an obvious conflict. The DPO must be able to be completely independent within the role.
The DPO is also bound by secrecy and/or confidentiality considerations concerning the performance of their task, in accordance with applicable law.
Ability to work autonomously
Article 38.3 of the GDPR requires the data controller and data processor to “ensure that the DPO does not receive any instructions regarding the exercise of those tasks” and goes on to say, “[T]he DPO shall directly report to the highest management level of the controller or the processor.” The GDPR provides no guidance in defining “the highest management level,” but presumably the DPO should report to the board of directors, and directly to a board member.
The European Data Protection Board guidance on DPOs states that:
“If the controller or processor makes decisions that are incompatible with the GDPR and the DPO's advice, the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions. In this respect, Article 38(3) provides that the DPO ‘shall directly report to the highest management level of the controller or the processor’. Such direct reporting ensures that senior management (e.g. board of directors) is aware of the DPO’s advice and recommendations as part of the DPO’s mission to inform and advise the controller or the processor. Another example of direct reporting is the drafting of an annual report of the DPO’s activities provided to the highest management level.”
Because the DPO cannot receive instructions regarding the exercise of their tasks, the person must operate entirely autonomously, which, again, requires seniority and a high level of expertise.
Ability to communicate effectively
Article 39.1 requires the DPO to cooperate with the supervisory authority and act as the contact point for the supervisory authority on issues relating to processing. The DPO must therefore be able to communicate effectively with regulatory authorities. A DPO of a group of companies or otherwise covering multiple jurisdictions may not be able to speak the language of each supervisory authority it needs to deal with. In this case, having a DPO who speaks the language of the main market(s) is at least recommended.
In addition, the DPO should ideally speak the language of the data subjects in order to handle requests and complaints from data subjects.
Because Article 39 requires the DPO to train staff within their organization, the person also must have good communication skills in this regard.
Ability to negotiate adeptly
The DPO may be in charge of negotiating data processor agreements with suppliers and — because you want the person to achieve the best outcome for you without souring the relationship with the supplier — must therefore be a skilled negotiator.
Maintain cultural awareness and sensitivity
Because the DPO is likely to deal with data controllers, data processors, and, potentially, data subjects from different countries around the world, the person needs to have cultural awareness and sensitivity in these dealings.
Demonstrate leadership
Because the DPO is likely to be in a senior position within the organization, and because the position necessitates leading (or influencing) a diverse set of stakeholders, the DPO is likely to need solid leadership skills.
Ability to embrace change
Because risks are always changing and technology is ever evolving, a good DPO should be aware of the changing environment. Additionally, the DPO should be prepared to take quick action in embracing the changes that are necessary to respond to those risks.
Display business and interpersonal acumen
The DPO should have broad business experience and a good understanding of the industry of the data controller and processors so that they can understand how data protection can be integrated into the organization’s business functions as smoothly as possible.
In addition, the DPO will likely benefit from having these personal skills:
- Integrity
- Initiative
- Organization
- Perseverance
- Discretion
- Assertiveness in difficult circumstances
- Able to resolve conflicts
- Able to build working relationships