The GDPR recognises the data protection officer (DPO) as a key player in facilitating regulatory compliance. Appointment of a DPO is mandatory for all public authorities and bodies (other than courts acting in their judicial capacity) and for many private organisations, such as those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of personal data. Even where the GDPR does not specifically require the appointment of a DPO, the Article 29 Working Party (WP29) strongly encourages it as a matter of good practice and as a way of demonstrating compliance.
The GDPR does not specify the precise credentials a DPO is expected to have. As clarification, the WP29, in its recently published guidelines on DPOs, sets out certain minimum requirements regarding the expertise and skills of the DPO:
Level of expertise – understanding how to build, implement and manage data protection programs is essential, with the guidelines stating the more complex, or high-risk, the data processing activities are, the greater the expertise of the DPO will need to be.
Professional qualities – DPOs do not have to be lawyers, but must have expertise in national and European data protection law, including an in-depth knowledge of the GDPR. From a practical perspective, DPOs must have a reasonable understanding of the organisation’s technical and organisational structure and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation.
Ability to fulfil tasks – the DPO should demonstrate integrity and high professional ethics and, as a primary concern, enable compliance with the GDPR.
Competition for DPOs is likely to be strong in light of the current shortage of privacy professionals. With this in mind, organisations should now be ascertaining whether they will be required to appoint a DPO and, if so, planning how best to procure external services or to recruit, train and resource the position.
Organisations to whom the requirements do not apply may still choose to appoint a DPO, but must remember that, if they do, the same GDPR requirements will apply to their appointment, position and tasks.
If they choose not to appoint a DPO, the WP29 recommends that they document the reasoning behind that decision so that it can be demonstrated, if required, that the relevant factors were properly taken into account.