The GDPR requires many organisations to appoint a Data Protection Officer (DPO): public authorities, and any controller or processor whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Who do you pick? There is no single answer. The right choice will come down to how complicated your data processing and collection operations are, and how often they change.
The DPO is an internal authority on data protection and data privacy. They need to understand the GDPR and all other relevant data protection regulations, and become intimately familiar with how data flows through your organisation. The DPO needs to be capable of operating independently. They need the business acumen required to speak with your board, but they also need to serve as a contact point for the public and liaise with technical, legal, risk and compliance teams.
The position can be filled in-house or through a third-party partnership. Depending on your organisation, you may need a full-time DPO with a support team, or only a few hours of active DPO oversight every month. Either way, your DPO needs to be reachable at all times. Their contact details must be published and communicated to the relevant supervisory authority. Their advice should be sought for any new project that involves the use of personal data.
Why It’s Important to Take Choosing a DPO Seriously
The DPO essentially operates as an independent regulatory representative and public advocate within your organisation. Making the right choice is critical. Once appointed, you cannot dismiss or penalise your DPO for fulfilling their obligations under the GDPR. You are also prohibited from giving your DPO instructions on how to carry out their tasks. This includes criteria on when and how to undertake assessments, or recommendations on the interpretation of data privacy law.
A DPO's advice is not binding; however, it is prudent to document why the DPO's recommendations have been overruled, so that the decision can be defended to a regulator later.
Failure to comply with the DPO requirements set out in the GDPR (Articles 37 to 39) may result in fines of up to €10 million or 2% of global annual turnover, whichever is greater. Failure to comply with the wider data protection requirements of the GDPR can result in fines of up to €20 million or 4% of global annual turnover, whichever is greater. It is critical to take the DPO seriously.
This article will explain the professional qualifications required of a DPO, and walk you through some of the options available to adequately fulfil this obligation of the GDPR.
- You cannot dismiss or penalise a DPO for undertaking their responsibilities.
- You are not allowed to restrict or control the nature of a DPO’s investigations.
- Failure to comply with the DPO requirements set out in the GDPR may result in fines of up to €10 million or 2% of global turnover, whichever is greater.
- Failure to comply with the data protection requirements of the GDPR can result in fines of up to €20 million or 4% of global annual turnover, whichever is greater.
Are There Technical Qualifications to Consider When Choosing a DPO?
The short answer is no. The GDPR does not mandate any particular certification or qualification to be a DPO. But that doesn't mean you shouldn't think about it. Being a DPO can be a technically challenging job, and you want someone with experience and a skillset that matches the complexity of your data operations.
The most relevant certifications are probably a combination of the IAPP Certified Information Privacy Professional - Europe (CIPP/E) and Certified Information Privacy Manager (CIPM). There are also GDPR Foundation and Practitioner training courses whose certification schemes are accredited under ISO/IEC 17024.
The GDPR itself only states that a DPO is to be designated "on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks" assigned to the role. Good knowledge of your industry or sector is strongly advisable. Your organisation is required to give the DPO the resources necessary to carry out their tasks and to maintain their expert knowledge, which includes training where it is needed.
What is the Right Background for Your Business’ DPO?
One argument is that the people best qualified to carry out the role of DPO are experienced privacy- and technology-focused lawyers or Information Security (IS) auditors. Another option is to appoint a less technically skilled person with strong management skills who can liaise with the necessary technical staff to fill any gaps in their knowledge.
Data protection touches every part of your business that controls, uses or collects personal data. This means that a key part of being a DPO is the ability to work as part of a team, take advice and absorb new information.
The DPO's main role is to help you meet the rest of your data protection obligations. This means that it is unwise to skimp on professionalism. Ideally, your DPO will already have significant and broad experience. Training is helpful, but it is never as good as on-the-job skills.
For most data-heavy companies, the role of DPO brings together functions already performed by parts of your compliance, risk and legal teams. It places the ultimate responsibility for oversight on one person and sets a legally defined standard for the level of diligence required.
What is important is that your DPO has the skills to do their job. This means the ability to understand data protection regulations and the ability to build, implement and manage data protection programs. The more complex and risky your operations are, the greater expertise your DPO will require.
- Technology focused lawyers and Information Security auditors will have many of the skills required by a DPO.
- People with strong management skills can cover gaps in their technical knowledge through the team around them.
- Data-heavy companies probably already have the functions of a DPO spread between their compliance, risk and legal teams.
- The more complex your data operation, the more experienced your DPO needs to be.
Who Should Be DPO: In-House, New Recruit or Third-Party?
You can choose someone already employed by your business to be the DPO. That person is allowed to keep some or all of their current responsibilities. New recruits can be assigned tasks outside the specific job requirements of the DPO. However, the DPO must be provided with the resources necessary (including time) to adequately tend to their responsibilities outlined by the GDPR.
In-House DPOs and Conflicts of Interests
No DPO can be assigned other tasks that conflict with their duties as DPO. That means they cannot be put in a position where data protection could take second place to business interests. In practice this rules out any role that involves determining the purposes or means of processing personal data, or carrying out the processing itself. That is likely to cover most senior management positions (for example, heads of IT, HR or marketing) and operational IT roles.
The difficulty with a dual-role DPO is making sure that you truly have the best talent filling the position. The DPO is not a small job. Even if the particularities of your organisation mean that you do not require regular input from your DPO, getting quality advice when it is needed is key to remaining compliant. Although appointing a DPO is a regulatory requirement in itself, the DPO's purpose is to help you stay in line with the other data protection obligations applicable to your organisation. It is in your best interest to have a top-quality candidate assume the role.
If you require even close to full-time DPO oversight, it is recommended that you either re-allocate someone from your existing staff to solely take over the responsibilities of DPO, or hire someone new.
- Your DPO can be appointed in-house, and that person is allowed to keep some or all of their current responsibilities.
- Dual-role DPOs have to be provided with sufficient resources (including time) to adequately meet the requirements expected of them as DPO.
- Your DPO cannot be assigned tasks that create a conflict of interest. Data protection cannot take second priority to business interests.
- If you appoint a dual-role DPO, you may find it hard to secure the best talent without creating a conflict of interest.
A DPO can have staff. For organisations requiring significant DPO oversight, the role can involve a lot of delegation. However, there can be, and must be, only one DPO. That person is ultimately responsible for the smooth operation of the DPO’s functions, even if that means delegating tasks.
Should You Choose a Third Party DPO for Your Business?
For companies that don't require regular input from a DPO, partnering with a firm that offers 'DPO-as-a-service' is a good way to get quality results without adding a permanent post you do not need. Third-party resources can also be brought in to support an in-house DPO.
Either approach can relieve internal staff of the burden of occasional audits or particularly intensive DPIAs (Data Protection Impact Assessments). It can also help demonstrate the independence of the DPO. It remains, however, the organisation's responsibility to make sure that the SLAs for a contracted DPO set sufficient criteria (availability, response times, access to staff and systems) and are actually met. Liability for compliance stays with the organisation(s) acting as controller or processor of personal data; it cannot be outsourced along with the role.
A single person can be DPO for multiple organisations. However, they must diligently carry out their responsibilities to an appropriate level of service. This means always having open lines of communication to all relevant organisations, even if practically their advice is only engaged occasionally.
- Third parties offer a great way to bring in high-quality DPO advice if it is only needed occasionally.
- Third parties can also be brought in to aid an in-house DPO for particularly intensive projects.
- The ultimate responsibility for compliance remains on you — make sure your SLAs are up to standards.
Summary: Who Should Be DPO? Someone Who Knows What They Are Doing
The role of DPO has existed in German law for decades (the Bundesdatenschutzgesetz introduced it in 1977), but it is an entirely new concept in most jurisdictions. The novelty of the position has created debate about the background best suited to it, and the variable degree of responsibility across organisations and sectors adds to the confusion. A corporate IT lawyer seems like the obvious choice, but that isn't necessarily the case. What matters is that your DPO has expertise in EU and national data protection law, specifically the GDPR, and the ability to understand the flows of data throughout your organisation.
Another question is which department the DPO should sit in. Should it be compliance, risk, legal, IT? That matters less than making sure there is no conflict of interest and that the DPO has clear lines of communication to the board or the highest level of management. Ultimately, the DPO is an independent function.
The thing to understand about the DPO is that doing the job well requires genuinely broad experience. Approaching it as simply an IT role, or simply a compliance role, won't be sufficient. In addition to identifying where you fall short of compliance, the DPO is expected to make practical, technical recommendations about how to improve operations.
Interpersonal skills are a less obvious factor to consider when hiring a DPO. The DPO will be expected to act as the point of contact for data subjects and regulators at all times, and will be front and centre in the event of a breach. Having a DPO who can double as a public representative and face the press could help protect your brand's reputation after a serious incident.
A DPO will also likely be dealing with data processors and controllers from around the world, and needs to communicate effectively with most departments in your organisation. It is the DPO's responsibility to raise awareness and train staff, and to keep the board informed of data protection risks and liabilities.
Someone who moves comfortably between very different audiences will be better at some parts of the DPO's job. However, this consideration should not take precedence over a solid understanding of data protection law and of how data is used throughout your organisation and sector. The DPO's primary responsibility is to prevent failures through appropriate and practical recommendations that achieve data protection compliance.