The EU’s General Data Protection Regulation (GDPR) requires organizations that operate in a member state to appoint a data protection officer (DPO). The GDPR data protection officer’s role is basically that of a compliance-focused data coordinator, ensuring that the organization’s processing of personal information is not going to infringe on the rights and freedoms of the data subjects.
There is definitely a lot of confusion over this new position. First of all, who is required to have one? All EU public bodies and authorities must have one along with any company processing data involving medical matters or criminal offences, but beyond that things become less clear.
Private companies are only required to appoint a data protection officer if they engage in “core activities” that require “large scale” and “systematic” monitoring of data subjects. The size of an organization doesn’t matter as much as the volume of personal data it is handling.
The “Guidelines on Data Protection Officers” supplement adds some much-needed specificity. “Core activities” are those that are an “inextricable” part of the company’s primary functions. This doesn’t necessarily include support activities like payroll, which means that a company does not necessarily need a data protection officer just to oversee the internal personal data of employees. The supplement unfortunately does not add a specific definition of “large-scale”, but it does at least lay out the criteria that will be used to determine scale:
- The number of data subjects;
- The number of data items;
- How long the data is retained; and
- The geographical range of processing.
Small businesses will likely not need one unless they have a focus on handling and processing personal data as a core service.
So what does a GDPR data protection officer need to know to step into this role and be effective? That’s the other part that is a bit confusing. The job goes beyond simply learning the GDPR regulations and checking organizational data processing policies against them. That is certainly something expected of a data protection officer, but they will also need some significant experience in both IT and risk management at minimum. There are also a number of ancillary skills that are important to success in the role.
Three areas of significant experience are absolute requirements for this position:
- Knowledge of how GDPR regulations and all applicable national data protection law apply to the organization’s data processing practices;
- Significant experience with IT security audits and threat assessment; and
- Strong communication skills across a variety of organizational positions and departments.
The most important item on the list is significant experience as an IT security professional, ideally with at least a few years in the field. Since organizations are held responsible under the GDPR for many types of security breaches, the data protection officer has to stay abreast of the latest threats and best practices and ensure that the organization is implementing all appropriate measures.
The ability to monitor and ensure compliance with GDPR regulations (as well as the data protection laws of all territories the company is operating in) may initially seem like a “follow the checklist” task, but it isn’t an appropriate job for just any inexperienced junior IT worker to step into. Depending on the volume and complexity of the data processing, the organization may find it needs someone with formal legal training and credentials with an information security focus to handle this role. The data protection officer will at the very least need deep and demonstrable familiarity with the laws and regulations as they pertain to the organization’s data processing activities.
One often-overlooked item for this job is the ability to communicate effectively with nearly all of the different departments and roles within an organization. The data protection officer will have to distill sometimes complicated IT and regulatory concepts to get them across to staff, provide training, and will also be in regular communication with both public authorities and the general public. It is crucial that the EU supervisory authorities the data protection officer deals with perceive them as credible.
Another item that job listings seem to be commonly missing is that if the data protection officer has any other role in the company, it cannot create a conflict of interest with their duties as regards compliance with the GDPR. This is why an independent officer is needed rather than folding their duties into the existing security or information processing operations of the IT department. An employee basically cannot be in a situation where they are being evaluated by management both on their work toward the company objectives and their work in GDPR compliance.
Finally, it’s extremely important for a GDPR data protection officer to be able to take initiative and work independently. These are desirable qualities for many different types of jobs, but they’re crucial for this particular one. The GDPR specifically requires that these officers “… not receive any instructions regarding the exercise of … tasks” and “directly report to the highest management level” under Article 83.3.
Working as a GDPR data protection officer
Since some companies do not yet fully understand what this role entails, you’ll see current listings on job boards asking for a lot less than this as minimum requirements. You’ll likely see different job descriptions in the near future as these companies run into trouble by slotting underqualified IT candidates into these roles.
While this level of expert knowledge of data protection law and practices may not be necessary for each and every data protection officer position out there, the GDPR requirements make it clear that the absolute ideal candidate for the role is a lawyer with at least a few years of current experience in cybersecurity and information privacy.
They should also have some demonstrable experience in distilling complicated technical concepts for members of the C-suite and in communicating as a “brand ambassador” as the primary GDPR point of contact.
That is admittedly a somewhat rare combination of qualities, but candidates who fit the bill will enjoy the benefit of being in high demand and fielding lucrative offers as private companies gradually realize how complex this position actually is.