- Posted by Marie Murphy
- On November 1, 2016
- data protection impact assessment, data protection officer, dpo, eu data protection law, GDPR, Risk Assessment, Staff awareness
When GDPR comes into full effect, data protection officers (DPOs) will be both in demand and difficult to find. As we go to press I had a quick glance around the online recruitment boards. Depending on the board, there are ads for between 16 and 51 open positions in Dublin alone this morning. And that is before the reality of the approaching GDPR deadline has hit most industries.
Extrapolate this figure across Europe, allow for an increase in demand as the realities of GDPR hit home in the next few months, and then consider the fact that there is already a shortage of suitable candidates … it's definitely time to get your budget in place and your head around appointing a DPO.
GDPR lays down specific requirements for the role of DPO
This is the first of two publications looking at the role of the data protection officer under GDPR. This piece examines the key characteristics of a DPO as required by Article 38 of GDPR and what that means for companies recruiting DPOs. The next publication, in November, will examine the duties of the DPO (Article 39).
The EU General Data Protection Regulation (GDPR) requires data processors and data controllers to appoint a data protection officer (DPO) under certain data processing circumstances. Many data processors and controllers who do not fall under the particular circumstances outlined in the GDPR will also decide to voluntarily appoint a DPO to oversee compliance with GDPR.
There are a few requirements for the data protection officer (DPO) under GDPR. These broadly fall under three headings – knowledge, skills and independence.
What must a DPO know?
The DPO first and foremost must have expert knowledge of both data protection law and data protection practices. This requires a technical knowledge of the law and an operational knowledge of how to apply the law in practice. Key to this will be knowing how to carry out a data protection impact assessment, but a DPO should also know how to create and maintain a data protection register and how to manage data classification.
What skills should you look for in a DPO?
The DPO must have the skills necessary to carry out the role. The DPO role is a senior role reporting to the top level of management but also communicating across all departments and all levels of staff. Strong communication skills are a must. The DPO should be able to communicate strategically. This will require the DPO to write concise, structured reports and to develop clear briefing materials.
The ability to guide or conduct Data Protection Impact Assessments is central to the role. The right candidate will demonstrate strong analytical skills combined with logic and reasoning. General project management skills won’t go unused. The ability to work independently and experience of working on cross-functional teams will be useful. A working knowledge of the business will be needed so that no functions are overlooked or misunderstood. The DPO may be required to audit the data protection activities of suppliers (processors or sub-processors), so some knowledge of supplier management would be desirable.
The DPO is bound to confidentiality in carrying out his or her tasks. So you will be looking for a candidate who is discreet and can keep their own counsel. The office gossip is not a good fit for this role!
Above all, the DPO needs to be assertive and authoritative. The organisation needs to sit up and take action when the DPO requires action. So, the DPO must be someone that the organisation will listen to.
How is a DPO independent?
Firstly, there is a requirement to involve the DPO in all issues that relate to data protection in the organisation. The DPO can thus develop expert knowledge of data handling across all aspects of operations, and this ensures that there are no hidden or closed data operations.
The DPO must report to the most senior level of management in the organisation. For example, a DPO might report to the board of a credit union or of a charity, or to the Senior VP of a division in a multinational. An organisation cannot give the DPO instructions on how to carry out their tasks, nor can he or she be dismissed for doing their job. The independence of this role is protected by law.
The company must give the DPO the resources necessary to carry out their job effectively – this might mean providing a travel budget that is at their discretion to spend and ongoing professional training. Above all, the DPO must have access to people and data in order to assess ongoing data operations.
How do you know when you have found the right DPO?
The ideal candidate for a DPO role will need to tick those knowledge and skills boxes. But one thing will set the right candidate apart. The right candidate will demonstrate their independence by coming along to interview with a set of demands for the organisation to meet. He or she will look for practical support such as their own budget, ongoing training and membership of professional bodies. He or she will be looking for the authority to engage with people and data unhindered. Above all, he or she will be looking for reassurance about executive support for the role.
November’s article will examine the duties of a data protection officer as outlined by GDPR.
If you would like more information on hiring the best DPO for your business, please drop me a note. I can provide job descriptions, interview tips and selection advice, and I can introduce you to some specialist recruiters.