What does it take to be a DPO?
The EU General Data Protection Regulation (GDPR) requires certain organisations to appoint a data protection officer (DPO). The duty to appoint a DPO was introduced as part of the enhanced focus the GDPR places on accountability of covered organisations.
DPOs should be experts in data protection law and practice. They assist organisations in monitoring internal compliance, inform and advise on data protection obligations, and act as a contact point for data subjects and the supervisory authority.
In addition to the EU, other jurisdictions also have mandatory DPO requirements, including Canada, Singapore, New Zealand and the Philippines.
But what does it take to be a DPO?
The role of the DPO
Before looking at the skills required, it is important to understand the role of the DPO.
The primary role of the DPO is to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules.
The DPO must be an integral part of the organisation, ideally placed to ensure compliance.
According to the latest guidance from France’s privacy regulator, the CNIL, the DPO is like the “orchestra conductor” of the management of personal data in the organisation.
They should not work in a vacuum, but be fully integrated into the operational activities of their organisation. The DPO is an essential link in data governance, in conjunction with the CISO (Chief Information Security Officer) and the IT (information technology) department.
The hierarchical position of the DPO must reflect this, and their resources must be adequate, so that they can fully accomplish their job and their role as compliance coordinator. The organisation must provide staff and resources to support the DPO in carrying out her duties. Access to resources also includes training facilities.
Independence of the DPO
The DPO should be able to perform her duties independently. The GDPR expressly provides that the DPO shall not receive any instructions regarding the performance of her duties and that there must not be a conflict of interest between the duties of the individual as a DPO and her other duties.
DPOs are allowed to fulfil other tasks for the organisation if they “do not result in a conflict of interests.”[1] In-house DPOs may perform roles that conflict with their DPO role. For example, a DPO who also oversees information security has a conflict when their own security risk assessments and treatments are evaluated under their DPO role. Ideally, DPOs should be full time in their role, or the role should be outsourced to an independent external DPO to avoid the possibility of conflicts.
To avoid conflict, the EU Data Protection Supervisor recommends that
- a DPO should not also be a controller of processing activities (for example if she is head of Human Resources)
- the DPO should not be an employee on a short or fixed term contract
- a DPO should report to top management rather than to a direct superior
- a DPO should have responsibility for managing her own budget.
What does a DPO do?
The specific tasks of each DPO will depend on the organisation they work in.
Generally, however, the DPO has an advisory and support role at several levels:
- bringing their expertise to management so that it can ensure compliance of processing; and
- disseminating the personal data protection culture and rules to all the individuals who process personal data within the organisation.
Some of the activities in which the DPO is likely to be involved include:
- drafting decisions to create new processing or upgrade existing processing (particularly to ensure compliance with the principles of data protection by design and by default);
- considering the need for a data protection impact assessment (DPIA) and the actual completion of one;
- drafting or keeping a record of processing activities;
- drafting and updating of internal data protection rules or policies;
- responding to a personal data breach, in order to advise on the measures to be taken as well as on the notification to the authority and to the data subjects.[2]
Importantly, the DPO is not responsible for the compliance of the organisation, nor for keeping the records, carrying out impact assessments, or notifying data breaches. The role of the DPO is to provide information, advice and oversight.
The DPO is also not personally liable in the event of a breach. It is the organisation that is responsible for compliance with the GDPR. It is impossible to transfer to the DPO, by delegation of authority, the liability incumbent on the data controller or the obligations specific to the data processor.
If the DPO’s recommendations are not followed, the data controller or the DPO can usefully document the decisions that have been taken as well as, if applicable, the reasons why the DPO’s opinion was not followed.
What skills and expertise should a DPO have?
The GDPR requires that a DPO should have expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.[3]
The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.[4]
Recommended relevant skills and expertise include:
- expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
- understanding of the processing operations carried out;
- understanding of information technologies and data security;
- knowledge of the business sector and the organisation;
- ability to promote a data protection culture within the organisation.[5]
More specifically, DPOs should have the following skills and expertise:
- Risk/IT: DPOs must offer guidance on risk assessments, countermeasures, and data protection impact assessments (DPIAs).[6] This requires that DPOs be experienced in privacy and security risk assessment and best-practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications/seals, and information security standards certifications. DPOs must also be aware of the changing threat landscape and of emerging technologies and risks.
- Legal Expertise/Independence: The DPO must be “a person with expert knowledge of data protection law and practices” to assist the controller or processor.[7] Accordingly, DPOs must know data protection law to a level of expertise appropriate for the type of processing carried out. DPOs must also understand the requirements to be “bound by secrecy or confidentiality,” and “perform their duties and tasks in an independent manner.” These skills may be met by a lawyer or by another professional who is accustomed to acting as an independent expert, and meeting confidentiality obligations.
- Cultural/Global: DPOs should have experience in dealing with different ways of thinking and doing business, and be alert to cultural differences and translation difficulties, as they are likely to be dealing with controllers and processors from different countries and regulatory environments.
- Credibility: DPOs are required “to cooperate with the supervisory authority … [and] act as the contact point for the supervisory authority on issues relating to processing.” A prior relationship with the Data Protection Authority is helpful, or DPOs must be able to establish instant credibility with DPAs based upon their wide experience, knowledge, credentials, and relationship skills.[8]
Where should the DPO be located?
The GDPR does not set a requirement for the DPO’s location. However, in EU cross-border processing situations, the DPO must be designated with the lead authority.
Overall, the DPO must be easily reachable by data subjects and the DPA. The CNIL therefore recommends that the DPO be located in the European Union, whether or not the data controller or data processor is established in the European Union.
If the organisation does not have an establishment in the European Union, DPOs may be established outside the European Union, provided that they can effectively perform their duties.
New DPO Guidance from France
France’s Data Protection Authority, the CNIL, issued new guidance in March 2022 which highlights important aspects to take into consideration when appointing an internal or external DPO. The advice is relevant to the appointment of a DPO in any country covered by the GDPR.
The guidance covers the location of the DPO (see above) and refers to DPO independence and resources.
The CNIL says there is no typical profile for a DPO, and no educational requirement. Around 28% of DPOs in France have an IT background, 28% legal, and the remaining 43% come from administration, finance, compliance, audit, etc.
In France, more than 80,000 organisations had designated a DPO in 2021.
The guidance, issued on 15 March
[1] Article 38(6) GDPR.
[2] CNIL, Privacy Guide GDPR: Data Protection Officers.
[3] Article 37(5) GDPR.
[4] Article 29 Working Party, Guidelines on Data Protection Officers (DPOs).
[5] Article 29 Working Party, Guidelines on Data Protection Officers (DPOs).
[6] Articles 35(2), 39(2) and Recital 77 GDPR.
[7] Articles 37(1), 37(5), 38(5) and Recital 97 GDPR.
[8] Article 39(1) GDPR.