The level of qualifications and expertise required of a data protection officer (DPO) is not strictly defined in the new European General Data Protection Regulation (GDPR).
This makes appointing a DPO quite difficult. Many people attending our Certified EU GDPR training courses are extremely keen to understand the requirements of the regulation, including the appointment of a DPO.
According to the Regulation itself, a DPO should have an appropriate level of expertise and professional qualities, and be able to fulfil their tasks.
Level of expertise
The level of expertise required of a DPO can vary depending on the complexity and amount of data your organisation processes. However, as the DPO is key to ensuring that your company avoids the astronomical fines imposed by this Regulation, looking for a candidate with a certain level of seniority is a good starting point.
They should have significant and evident experience in EU and global privacy law, the ability to draft robust privacy policies and knowledge of outsourcing agreements. A candidate with a legal background or qualification may be well suited to this role. As we live in an age dominated by technology, experience in IT operations can also be useful.
As the GDPR is not just an IT issue and can affect many aspects of your business, your DPO may be required to work with various departments in order to achieve compliance. Therefore, leadership skills and the ability to work well as part of a group will be crucial for your DPO to be successful in their role.
Your DPO will also be the point of contact for your customers or the public should they have any inquiries. Therefore, strong communication skills and a level of public relations know-how can also be a useful professional quality.
As with any position you are looking to fill, knowledge of the business sector you operate in as well as an understanding of how your business operates would be advantageous, but is not necessarily essential.
If your organisation is a public authority or body, your DPO should also have a sound knowledge of administrative rules and procedures.
Ability to fulfil their tasks
As the DPO is essentially a compliance officer who is required to act independently, the ability to fulfil tasks and work on their own initiative is crucial. They can in no way be instructed on how a certain result can be achieved; they must have the ability to create a set of data protection goals and decide how best to achieve them.
Where the appointment of a DPO is not mandatory, it is encouraged by the Regulation as a matter of good practice and to demonstrate compliance. As this role is new to many organisations in Ireland, finding a suitable candidate who has all the attributes may be a challenging task. Whether recruiting externally or assigning the role to an existing member of staff, training them on how to achieve full compliance with the GDPR will be essential.