The EU GDPR (General Data Protection Regulation) requires certain organisations to appoint a DPO (data protection officer) to comply with the Regulation.
However, a shortage of DPOs means many organisations appoint staff to act as DPOs without the proper level of expertise, experience or qualifications.
The GDPR stipulates that DPOs should have appropriate experience and qualifications to fulfil the role.
What do data protection officers do?
A DPO is an independent data protection expert who is responsible for advising an organisation on how to comply with its legal requirements concerning data processing.
Their tasks include:
- Advising staff on their use of personal data;
- Monitoring the organisation’s data protection policies and procedures;
- Advising management on whether DPIAs (data protection impact assessments) are necessary;
- Serving as the point of contact between the organisation and its supervisory authority; and
- Serving as a point of contact for individuals on privacy matters.
A complete list of the DPO’s responsibilities is outlined in Article 39 of the GDPR.
What skills and experience are required?
DPOs must have a strong understanding of data protection law and regulatory requirements.
They also need good communication skills, as they’ll be working with an organisation’s staff and management, as well as with its supervisory authority.
Perhaps surprisingly, you don’t need a formal qualification to become a DPO. However, training courses such as our Data Protection Officer (C-DPO) Training Course are highly beneficial for those who want guidance on how to perform the necessary tasks.
Can an organisation’s employee be a DPO?
Yes. The position can be filled internally or externally on either a full-time or part-time basis.
Be careful when appointing internally, though – particularly if the employee is maintaining their current position.
The GDPR stipulates that a DPO must work independently and without instruction from their employer, as well as being free from any conflicts of interest.
An employer should not provide guidance on investigating complaints, what results should be achieved or how to interpret data protection law.
Similarly, DPOs can’t have competing objectives, where business objectives could be prioritised over data protection.
There are circumstances in which an employee can take on the DPO’s responsibilities alongside their own without a conflict of interest, but we suggest avoiding the risk.
Even if you are confident that there is no problem, job roles and responsibilities often evolve, and a conflict of interest might arise without you noticing.
Can organisations share a DPO?
Yes. It’s an ideal alternative to assigning one of your employees as DPO, allowing you to avoid the possibility of a conflict of interest while still not having to appoint a full-time, salaried DPO.
Whether you outsource the role or not, you must be careful about the DPO’s requirements. Many organisations aren’t legally required to appoint a DPO but appoint someone to fill the role because it helps their overall GDPR compliance practices.
However, ‘DPO’ is a clearly defined job role, and if someone fills that position, they must fulfil the tasks that come with that.
If you want expert help but don’t need a DPO specifically, it’s advisable to consider them a ‘GDPR Manager’ or ‘Data Privacy Officer’.
Steps to becoming a data protection officer
The route to becoming a DPO depends on how much experience you have with the GDPR.
If you’ve already taken a GDPR Foundation training course, you can gain everything they need from our four-day Certified Data Protection Officer (C-DPO) Training Course.
Meanwhile, if you’ve completed the GDPR Foundation and Practitioner training courses, you only need to take the Certified Data Protection Officer (C-DPO) Accelerated Training Course.
DPOs with two years’ experience can skip the training step and sit the exam.
If the exam is passed, the DPO will be certified by IT Governance for two years, with the option of renewing their certification after that. The DPO must demonstrate at least one year of further DPO experience to be able to recertify.
A version of this blog was originally published on 7 August 2018.