While the General Data Protection Regulation (GDPR) states that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law’, it does not define in detail the qualifications needed to fulfil the role.
However, various data protection authorities (DPA) have stipulated requirements, for example, the Irish Data Protection Commission (DPC) published guidance that includes:
- expertise in national and European data protection laws;
- an understanding of the processing operations carried out;
- understanding of IT and data security;
- knowledge of the business sector and organisation; and
- an ability to promote a ‘data protection culture’ within the organisation.
In addition to the above, the French DPA, the CNIL, states that the DPO must not have a conflict of interest with other assignments, while the Dutch DPA, the AP, advises not to ‘perform functions in which [they] would bear (operational) responsibility for data processing, as is usually the case with positions such as head of finance, strategy, marketing, IT, HRM or chief information security officer.’
In Germany the requirement to appoint a DPO is stricter than that set out in the GDPR. A DPO is mandatory where more than 20 people are employed to deal with automated processing, or where a business processes data commercially in order to transfer it or for market research purposes. DPOs there are also bound by professional secrecy when dealing with data subjects.
Where a data processing activity is particularly complex, or where a large volume of data or sensitive data is involved, as with an internet or insurance company, the DPO may need a higher level of expertise and support. This is where an external DPO service becomes a key advantage.
An external DPO also offers a wide range and depth of expertise. The DPC guidance explains that ‘a DPO may need familiarity with sector-specific data protection practices… to adequately perform their duties.’ The CNIL specifies ‘good industry knowledge’ as one of the required skills for a DPO, and the UK DPA, the ICO, states that ‘it would be an advantage for your DPO to have a good knowledge of your industry or sector’. An external DPO service, with experience across a range of business types and working with multiple clients, is more likely to possess this sector-specific knowledge than a single individual. A firm such as HewardMills provides access to a multidisciplinary team with experience across multiple jurisdictions and which can operate in multiple languages.
Dyann Heward-Mills, CEO of HewardMills, explains: “Finding the right combination of qualifications for a DPO can be challenging. It is also important to distinguish between the CPO and the DPO, the former building the organisation’s privacy programme and the latter providing an oversight and regulatory role. An external DPO allows organisations to get the right balance of skills and maintain the independence needed for the position.”
In summary, a DPO needs to have expertise in data protection laws and deep sectoral knowledge, and must be sufficiently independent. HewardMills is made up of a range of practitioners who collectively possess all of these characteristics. If you would like to know more, please contact us here.