GDPR now requires many organisations to appoint a data protection officer, but how do you pick the most suitable candidate for the role?
As the General Data Protection Regulation (GDPR) deadline fast approaches (25 May 2018), many organisations will be preparing to appoint a data protection officer (DPO) in compliance with the new laws, specifically Article 37.
These regulations mark a significant turning point in terms of both the accountability of organisations and the rights of an individual whose data someone wants to process, and a DPO will play a vital role in instigating these changes.
The GDPR states that DPOs “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks [set out in the GDPR]”.
So, while in-depth knowledge of the GDPR and expertise in national and European data protection law is required, the regulation doesn’t specify any particular qualifications that a DPO must have.
This means that the question of what kind of person is the ideal fit for a DPO role in an organisation can seem daunting. What are the top skills that a prospective DPO will need to have?
Knowledge of IT functions
The DPO officer not only has to be well versed in data protection law, but they have to be able to offer guidance on things such as risk assessments and data protection impact assessments. Ultimately, this knowledge will likely have to be gleaned from IT programming know-how, IT infrastructure and IS audits.
This knowledge will have to evolve constantly to keep up with how the landscape of threats evolves so that the DPO can protect companies at every turn from potential breaches.
The DPO is going to serve companies as a consultant for any issues that may arise with regard to personal data rights, so this obviously necessitates both a lot of interaction and instruction.
In companies that handle data, the DPO will be the primary source of knowledge about best practice for compliance – possibly even the single source – and it is in company’s interest (as well as the DPO’s interest) that employees develop a base-level knowledge over time.
It’s not enough for a company’s DPO to have the knowledge; they must be able to convey that knowledge effectively, as well as be prepared to be called on often to provide advice and guidance.
The ability to operate independently
The GDPR requires that the DPO “operates independently and without instruction from their employer over the way they carry out their tasks”.
The clause that specifies that there must be no conflict of interest is vital to the DPO role, and so employers cannot instruct employers on “what result should be achieved, how to investigate a complaint or whether to consult the regulatory authority”.
Employers also cannot influence how a DPO interprets data protection law.
This necessitates that a DPO officer is comfortable working independently, but it’s likely that this element of the role will be more challenging for employers than it will be for the officer themselves, as the recommendations made by a DPO won’t necessarily align with the timeline of a particular organisation.
This also means that a DPO officer must be comfortable with conflict with superiors because it’s possible that DPO recommendations will not always be convenient.
If anything, their implementation could prove troublesome, so any would-be DPO will need to be prepared for the occasional stand-off in which they defend their recommendations, regardless of the potential of a project delay or a loss of revenue in other ways.