Professional Qualities of the Data Protection Officer (DPO)

Context:

Article 37 of the GDPR states that “The Data Protection Officer (DPO) shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”

Article 39 requires that the DPO fulfils the following tasks:

  • Advising on data protection and the GDPR
  • Monitoring compliance with the GDPR
  • Training of staff
  • Data protection audit
  • Advice and oversight of the data protection impact assessment
  • Be the contact point for the supervisory authority

Considerations:

There are a number of areas of “skill” that the DPO must have in order to meet the regulatory requirement. These include:

  • Experience in data security
  • Systems audit experience
  • Knowledge of EU data protection laws
  • Experience of training staff
  • Knowledge of your organisation

How to:

To demonstrate the qualities of the DPO, look for:

  • A recognised certification. This could be in security, compliance or Governance, Risk and Compliance (GRC)
  • Membership of a professional body; most require some demonstration of experience and ability before membership is allowed
  • Demonstrable and referenceable experience of having acted in a similar or related role previously

Common Scenarios:

The DPO is appointed from an existing, internal member of staff

  • Assess which areas of skill the prospective candidate already has. If there are areas of skill which the candidate does not currently possess conduct a risk assessment to decide what the potential exposure is to the organisation. If the organisation can accept those vulnerabilities then put in place a training plan to bring skills up to the required level.

The DPO is recruited externally

  • As part of the recruitment process, check that the candidate has the required skills. Following recruitment put in place training to ensure that the new employees gains an understanding of your organisation.

It is worth noting, that in any scenario, the organisation is required to give the DPO to correct level of support and resources needed to fulfil their role.

References:

  • GDPR Recitals: 97
  • GDPR Articles: 37(5)

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts