In the article below, attorney Thomas Shaw writes on the essential job skills of DPOs under the General Data Protection Regulation (GDPR). He lists the job skills required and suggests the types of professionals best suited to fulfil the DPO role under the GDPR.
Based on surveying data protection officer job postings, companies are trying to fill DPO positions with junior associates with only a few years of experience. Many are treating the DPO as merely an IT role with no legal experience or as a compliance role with no real risk or IT experience. But what does the General Data Protection Regulation in fact require and what do those requirements mean for the DPO’s job skills? It may be useful to summarise the necessary skills into a listing usable to identify qualified DPO candidates, which you'll find at the bottom of this article.
Summary of DPOs' Required Job Skills
This view was verified against publications from the Network of DPOs for EU Institutions and the Article 29 Working Party. The former specified at least seven years of relevant experience, including knowledge of the institution and its data protection practices. It also included the following personal and interpersonal skills: “Personal skills: integrity, initiative, organisation, perseverance, discretion, ability to assert himself/herself in difficult circumstances, interest in data protection and motivation to be a DPO. Interpersonal skills: communication, negotiation, conflict resolution, ability to build working relationships.” The latter extended DPO roles to the Internet of Things.
The decision lies with each organisation: to find these required DPO skills in either a single person or several people, to locate them internally or outsource the role, and to manage this function under the CPO or let it operate independently. The requirements should now be clear; what will be telling is how each organisation chooses to implement its own DPO role, a choice that will affect the likelihood of full compliance with the GDPR.
GDPR’s requirements for DPOs:
Risk/IT: Recital 77 and Articles 39.2 and 35.2 require DPOs to offer guidance on risk assessments, countermeasures and data protection impact assessments. DPOs must have significant experience in privacy and security risk assessment and best practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications/seals, and information security standards certifications.
These skills should be founded upon wide-ranging experience in IT programming, IT infrastructure, and IS audits. While compliance checklists may be helpful, the DPO position first and foremost requires an experienced professional. Because risks constantly evolve, DPOs must demonstrate awareness of changes to the threat landscape and fully comprehend how emerging technologies will alter these risks. Providing guidance is like the lawyer skill of giving advice, using client-relationship skills to ensure controllers continue to seek such advice even if not in agreement and at the earliest phase.
Legal expertise/independence: Recital 97 and Articles 37.1, 37.5, and 38.5 specify “a person with expert knowledge of data protection law and practices” to assist the controller or processor, to be “bound by secrecy or confidentiality,” and “perform their duties and tasks in an independent manner.”
DPOs must know data protection law to a level of expertise based on the type of processing carried out. This signifies that DPOs should be licensed lawyers knowledgeable not only about the GDPR and other relevant EU legislation (e.g. E-Privacy Directive) but also about privacy and related laws in all jurisdictions where their organisation does business or outsources operations.
Confidentiality is second nature to the legal profession. DPOs must have experience acting in an independent manner, indicating a need for a mature professional with client relationship and audit experience to handle the delicate task of discovering gaps, encouraging gap mitigation, and ensuring compliance without taking an adversarial position.
Cultural/global: DPOs will likely be dealing with controllers and processors from different countries and therefore business cultures. DPOs must have experience in dealing with different ways of thinking and doing business and have the flexibility to marshal these differences into a successful result. Think of the simplified example of an organisation with a retail presence in Europe, contract manufacturers in China, IT outsourcers in India, and headquarters in the U.S. DPOs should be based in the EU but globally focused.
Leadership/broad exposure: Article 38.2 requires, “The controller and processor shall support the DPO … by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” DPOs will need to have leadership and project management experience, to be able to request, marshal and lead the resources needed to carry out their roles. They also must be able to critically assess themselves for knowledge gaps and request training in those areas.
DPOs should have broad business experience to know the industries of the data controller and processor well enough to understand how privacy should be implemented to integrate smoothly with the way each company designs and markets its products and services and earns its revenues.
Self-starter/board-level: Article 38.3 requires, “The controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks … The DPO shall directly report to the highest management level of the controller or the processor.” DPOs have to be self-starters, with the competence and skills to carry out the role without guidance and to know where to find necessary information. DPOs must also have board-level presence and be able to deal with experienced business people who will not know the intricacies of DPO functions. Licensed external auditors such as CPAs/CAs, who audit compliance with laws, standards, and practices, are independent of the auditee, and report to the board, would have this type of experience.
Common touch/teaching: Article 38.4 allows data subjects to contact the DPO “with regard to all issues related to the processing of their personal data and to the exercise of their rights.” DPOs must be able to speak in the language of the average citizen, not in technical or legal jargon, to handle requests and complaints from data subjects. A common touch is helpful to DPOs in their role to protect data subjects’ rights. DPOs must also have skills in both legal training and awareness raising, to ensure all data subjects are aware of their rights and responsibilities and to help train others to assist data subjects on specific requests.
No-conflicts/credibility: Article 38.6 allows DPOs to fulfil other tasks as long as “any such tasks and duties do not result in a conflict of interests.” DPOs who are members of the data controller’s organisation may not perform roles that conflict with their DPO role. For example, a DPO also overseeing information security has a conflict when their security risk assessments and treatments are evaluated under their DPO role. DPOs should be dedicated or the role outsourced to an independent external DPO.
Article 39.1 states that DPOs are required “to cooperate with the supervisory authority … [and] act as the contact point for the supervisory authority on issues relating to processing.” A prior relationship with the data protection authority is helpful, or DPOs must be able to establish instant credibility based on their wide experience, knowledge, credentials and relationship skills.