Based on surveying data protection officer job postings, companies are trying to fill DPO positions with junior associates with only a few years of experience. Many are treating the DPO as merely an IT role with no legal experience or as a compliance role with no real or risk IT experience. But what does the General Data Protection Regulation in fact require and what do those requirements mean for the DPO's job skills? It may be useful to summarize the necessarily skills into a listing usable to identify qualified DPO candidates, which you'll find at the bottom of this article.
GDPR's requirements for DPOs:
Risk/IT: Recital 77 and Articles 39.2 and 35.2 require DPOs to offer guidance on risk assessments, countermeasures and data protection impact assessments. DPOs must have significant experience in privacy and security risk assessment and best practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications/seals, and information security standards certifications.
These skills should be founded upon wide-ranging experience in IT programming, IT infrastructure, and IS audits. While compliance checklists may be helpful, the DPO position first and foremost requires an experienced professional. Because risks constantly evolve, DPOs must demonstrate awareness of changes to the threat landscape and fully comprehend how emerging technologies will alter these risks. Providing guidance is like the lawyer skill of giving advice, using client-relationship skills to ensure controllers continue to seek such advice even if not in agreement and at the earliest phase.
DPOs will likely be dealing with controllers and processors from different countries and therefore business cultures. DPOs must have experience in dealing with different ways of thinking and doing business and have the flexibility to marshal these differences into a successful result.
Legal expertise/independence: Recital 97 and Articles 37.1, 37.5, and 38.5 specify "a person with expert knowledge of data protection law and practices" to assist the controller or processor, to be "bound by secrecy or confidentiality," and "perform their duties and tasks in an independent manner."
DPOs must know data protection law to a level of expertise based upon the type of processing carried out. This signifies that DPOs should be licensed lawyers knowledgeable of not only the GDPR and other relevant EU legislation (e.g. E-Privacy Directive) but also privacy and related laws in all jurisdictions their organization does business or outsources operations.
Confidentiality is second nature to the legal profession. DPOs must have experience acting in an independent manner, indicating a need for a mature professional with client relationship and audit experience to handle the delicate task of discovering gaps, encouraging gap mitigation, and ensuring compliance without taking an adversarial position.
Cultural/global: DPOs will likely be dealing with controllers and processors from different countries and therefore business cultures. DPOs must have experience in dealing with different ways of thinking and doing business and have the flexibility to marshal these differences into a successful result. Think of the simplified example of an organization with a retail presence in Europe, contract manufacturers in China, IT outsourcers in India, and headquarters in the U.S. DPOs should be based in the EU but globally focused.
Leadership/broad exposure: Article 38.2 requires, "The controller and processor shall support the DPO ... by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge." DPOs will need to have leadership and project management experience, to be able to request, marshal and lead the resources need to carry out their roles. They also must be able to critically assess themselves for knowledge gaps and request training in those areas.
DPOs should have broad business experience to know the industries of the data controller and processor well enough to understand how privacy should be implemented to integrate smoothly with the way each company designs and markets its products and services and earns its revenues.
DPOs must be able to speak in the language of the average citizen, not in technical or legal jargon, to handle requests and complaints from data subjects. A common touch is helpful to DPOs in their role to protect data subjects' rights.
Self-starter/board-level: Article 38.3 requires, "The controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks ... The DPO shall directly report to the highest management level of the controller or the processor." DPOs have to be self-starters, with the competence and skills to carry out the role without guidance and to know where to find necessary information. DPOs must also have board-level presence and be able to deal with experienced business people who will not know the intricacies of DPO functions. Licensed external auditors such as CPAs/CAs, who audit compliance with laws, standards, and practices, are independent of the auditee, and report to the board, would have this type of experience.
Common touch/teaching: Article 38.4 allows data subjects to contact the DPO "with regard to all issues related to processing of their personal data and to the exercise of their rights." DPOs must be able to speak in the language of the average citizen, not in technical or legal jargon, to handle requests and complaints from data subjects. A common touch is helpful to DPOs in their role to protect data subjects' rights. DPOs must also have skills in both legal training and awareness raising, to ensure all data subjects are aware of their rights and responsibilities and to help train others to assist data subjects on specific requests.
No-conflicts/credibility: Article 38.6 allows DPOs to fulfill other tasks as long as "any such tasks and duties do not result in a conflict of interests." DPOs who are members of the data controller's organization may not perform roles that conflict with their DPO role. For example, a DPO also overseeing information-security has a conflict when their security risk assessments and treatments are evaluated under their DPO role. DPOs should be dedicated or the role outsourced to an independent external DPO.
Article 39.1 states that DPOs are required "to cooperate with the supervisory authority ... [and] act as the contact point for the supervisory authority on issues relating to processing." A prior relationship with the data protection authority is helpful, or DPOs must be able to establish instant credibility based on their wide experience, knowledge, credentials and relationship skills.
Summary of DPOs Required Job Skills
- Significant (5-10 years) experience in EU and global privacy laws, including drafting of privacy policies, technology provisions and outsourcing agreements
- Significant (5-10 years) experience in IT operations and programming, including attainment of information security standards certifications and privacy seals/marks
- Significant (5-10 years) experience in information systems auditing, attestation audits and the assessment and mitigation of risk
- Demonstrated leadership skills achieving stated objectives involving a diverse set of stakeholders and managing varied projects
- Demonstrated negotiation skills to interface successfully with DPAs
- Demonstrated client relationship skills to continuously coordinate with controllers and processors while maintaining independence
- Demonstrated communication skills to speak with a wide-ranging audience, from the board of directors to data subjects, from managers to IT staff and lawyers
- Demonstrated self-starter with ability to gain required knowledge in dynamic environments
- Demonstrated record of engaging with emerging laws and technologies
- Experience in legal and technical training and in awareness raising
- Experience in dealing successfully with different business cultures and industries
- Professionally licensed as a lawyer and in information security and privacy, including ethical requirements for competence, confidentiality and continuing education
- EU resident and independent of real and perceived conflicts
This view was verified against publications from the Network of DPOs for EU Institutions and the Article 29 Working Party . The former specified at least seven years of relevant experience, including knowledge of the institution and its data protection practices. It also included the following personal and interpersonal skills: "Personal skills: integrity, initiative, organization, perseverance, discretion, ability to assert himself/herself in difficult circumstances, interest in data protection and motivation to be a DPO. Interpersonal skills: communication, negotiation, conflict resolution, ability to build working relationships." The latter extended DPO roles to the Internet of Things.
The decision lies with each organization, to find these required DPO skills in either a single person or several people, to locate them internally or outsource the role, and to manage this function under the CPO or let it operate independently. The requirements should now be clear, the telling will be how each organization chooses to implement its own DPO role and affect the likelihood of full compliance with the GDPR.