Your Guide to Becoming a DPO

The GDPR (General Data Protection Regulation) turns five years old this month, and in that time organisations’ approach to information security has changed dramatically.

Among the less advertised but nonetheless key requirements is the appointment of a DPO (data protection officer). DPOs are independent experts who are responsible for advising organisations on their data protection obligations with respect to the GDPR and member states’ national laws.

They are not always mandatory, but the support they give for personal data processing and compliance practices makes them a highly valued part of an increasingly complex data protection landscape.

Unfortunately, the expertise it takes to become a DPO, coupled with the demand for them, means that organisations often struggle to find suitable candidates to fill the role. However, this presents an ideal opportunity for those looking to advance their career in the information security field.

What does a DPO do?

A DPO is an independent data protection expert who is responsible for advising an organisation on how to comply with its legal requirements concerning data processing. 

Article 39 of the GDPR states that the DPO’s tasks should include:

  • Informing and advising the organisation, and the employees who carry out processing, of their obligations under the GDPR and other relevant EU or member state data protection provisions;
  • Monitoring compliance with the GDPR and other relevant EU or member state data protection provisions;
  • Advising on the organisation’s policies relating to data protection, including how the organisation assigns responsibilities;
  • Raising awareness and training staff involved in processing operations and related audits;
  • Advising on DPIAs (data protection impact assessments), and monitoring their performance; and
  • Acting as the contact point for the relevant supervisory authority on issues relating to data processing.

What skills and experience are required?

Although the GDPR does not specify the credentials or expertise that DPOs should have, Article 37(5) states that they should be appointed “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”.

Recital 97 clarifies that “The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”

As such, expertise specific to the organisation itself – especially its other legal or regulatory obligations – is also essential, as is knowledge of its specific data protection needs and processing activities.

According to the EDPB-endorsed guidelines, the DPO’s level of expertise “must be commensurate with the sensitivity, complexity and amount of data an organisation processes”.

In other words, organisations that undertake complex personal data processing activities, or that process large amounts of sensitive data, will require a DPO with more expertise than organisations whose processing activities are more limited.

Steps to becoming a data protection officer

Your journey to becoming a DPO will depend on your qualifications and how much practical experience you have.

If you’ve already taken a GDPR Foundation training course, you can gain everything you need from our four-day Certified Data Protection Officer (C-DPO) Training Course.

Meanwhile, if you’ve completed the GDPR Foundation and Practitioner training courses, you only need to take the Certified Data Protection Officer (C-DPO) Accelerated Training Course.

DPOs with two years’ experience can skip the training step and sit the exam. 

If the exam is passed, the DPO will be certified by IT Governance for two years, with the option of renewing their certification after that. The DPO must demonstrate at least one year of further DPO experience to be able to recertify.

You can learn more about these training courses and the steps you can take to become a DPO by checking out our learning paths.

Our pathways provide you with a guide to help you decide which training courses and qualifications will help you further your knowledge and career.

The training courses are arranged by subject and, within each subject group, from foundation to advanced level.
