- Security TWENTY
- Women in Security
If you’re looking to hire a Data Protection Officer (or you’re considering a new career in data protection as a DPO), this list of ten must-have skills for DPOs may prove helpful. Many company executives believe that they can hire a fairly junior IT specialist or assign the office manager (or another existing generalist staff) to fulfil the role of DPO. This is not the case. The DPO needs to be appropriately qualified, or else you could be in breach of the GDPR.
1. Experience in Privacy and Security Risk Assessment
A DPO is required to “have due regard to the risk associated with processing operations”. This obligation is likely to require DPOs to provide guidance on risk assessments, Data Protection Impact Assessments (DPIAs) and best practices to mitigate risks.
For these reasons, it’s helpful if your DPO has a strong background in privacy and security risk assessment. A background in IT programming, IT infrastructure, and Information System audits would also be useful in order for the DPO to provide meaningful and useful guidance in risk mitigation.
2. Knowledge of Data Protection Law and Practices
The DPO should be a person with “expert knowledge of data protection law and practices.” A DPO should be very familiar with the GDPR and its application in practice, as well as other relevant data protection law and practice. This includes overseas data protection laws in any country where the organisation has any presence.
The GDPR doesn’t require the DPO to be a qualified lawyer or have any formal legal qualifications.
3. Ability to Work Independently
The DPO should not have any conflicts of interest and should be able to perform their duties and tasks in an independent manner. The DPO should be able to carry out their duties as they see fit, with no influence from the board of directors or other people within the organisation. This necessitates a level of seniority, independence, and the ability to assert themselves.
4. Ability to Work Autonomously
Organisations are required to “ensure that the DPO does not receive any instructions regarding the exercise of those tasks”. In addition “the DPO shall directly report to the highest management level.” The GDPR provides no guidance in defining “the highest management level,” but presumably the DPO should report to the board of directors, and directly to a board member.
Because the DPO cannot receive instructions regarding the exercise of their tasks, the person must operate entirely autonomously, which, again, requires seniority and a high level of expertise.
5. Ability to Communicate Effectively
The DPO is required to cooperate with supervisory authorities and act as the contact point for the supervisory authority on issues relating to processing. The DPO must therefore be able to communicate effectively with regulatory authorities. A DPO of a group of companies or otherwise covering multiple jurisdictions may not be able to speak the language of each supervisory authority it needs to deal with. In this case, having a DPO who speaks the language of the main market(s) is at least recommended. In addition, the DPO can, ideally speak the language of the data subjects in order to handle requests and complaints from data subjects.
Because the DPO is also required to train staff within their organisation, the person also must have good communication skills in this regard.
6. Ability to Negotiate Adeptly
The DPO may be in charge of negotiating Data Processor Agreements with suppliers and — because you want the person to achieve the best outcome for you without souring the relationship with the supplier —must therefore be a skilled negotiator.
7. Maintain Cultural Awareness and Sensitivity
Because the DPO is likely to deal with data controllers, data processors, and, potentially, data subjects from different countries around the world, the person needs to have cultural awareness and sensitivity in these dealings.
8. Demonstrate Leadership
Because the DPO is likely to be in a senior position within the organisation, and because the position necessitates leading (or influencing) a diverse set of stakeholders, the DPO is likely to need solid leadership skills.
9. Ability to Embrace Change
Because risks are always changing and technology is ever evolving, a good DPO should be aware of the changing environment. Additionally, the DPO should be prepared to take quick action in embracing the changes that are necessary to respond to those risks.
10. Display Business and Interpersonal Acumen
The DPO should have broad business experience and a good understanding of the industry of the data controller and processors so that they can understand how data protection can be integrated into the organization’s business functions as smoothly as possible.
GDPR For Dummies by Suzanne Dibble LLB, CIPP/E (Published by John Wiley & Sons) is available for purchase on Amazon. Visit https://www.amazon.co.uk/GDPR-Dummies-Computer-Tech/dp/1119546095.
About Suzanne Dibble
Suzanne Dibble is a business lawyer who has advised multi-national corporations, private equity-backed enterprises and household names. Since 2010 she has focused on helping small businesses with their day to day business law requirements. Her GDPR For Dummies (published by Wiley, 2020) follows her Facebook group, GDPR for Online Entrepreneurs. In this social media group on the topic of the GDPR, Suzanne has been able to help small business owners, charities and others. Visit https://suzannedibble.com/.