It is predicted that 28,000 data protection officers (DPOs) will be needed to achieve GDPR compliance when the law comes into effect on 25th May 2018. A key factor behind this is that the EU GDPR doesn’t just apply to EU countries (and to the UK, post-Brexit), but to every business that handles data belonging to EU citizens.
If you’re an HR professional, chances are you’re already wrestling with this recruitment conundrum: there is inevitably a shortage of talent, plus a decision to make about the best way to get the job done.
But what exactly is the role of a DPO and what professional skills should they have?
A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). DPOs are responsible for managing an organisation’s data strategy and implementation to ensure compliance with the GDPR. They report directly to the highest level of management and are allowed independence within the business so they can operate as impartially as possible.
When to appoint a data protection officer
You are required to appoint a DPO if you are a public authority, or if you process large volumes of personal data or data relating to criminal offences. If you aren’t mandated to appoint a DPO, you may choose to appoint one anyway. However, if you decide you don’t need a DPO, make sure you record this decision to help demonstrate compliance with the GDPR principle of accountability.
You can outsource your DPO, hire from outside or appoint an existing employee to the role, which can be full-time or part-time depending on your requirements. If appointing a split role, make sure the professional duties of the employee are compatible with the duties of the DPO and don’t lead to a conflict of interest. For example, it wouldn’t be acceptable for a DPO to have a split role in marketing or HR, as both departments operate as data processors.
The role of the DPO
This will obviously vary depending on company sector, size and so on but, in general, the DPO:
- Monitors compliance with the GDPR and other data protection laws, including your data protection policies, awareness-raising, training and audits
- Advises your business on carrying out data protection impact assessments (DPIAs)
- Is the point of contact for the Information Commissioner’s Office (ICO)
- Interfaces with employees to inform them how their data is being used, their right to have their personal data deleted, and what measures the company has put in place to protect their personal information
Essential skills of a data protection officer
As a fairly new role, there’s been some controversy and confusion over exactly what qualifications and experience a DPO should have. Some believe the role sits with IT, others that it’s very much a legal role. Either way, here are the key requirements outlined by the ICO. A DPO should:
- Have experience and expert knowledge of data protection law
- Be able to provide effective and proportionate advice at a level appropriate to the type and level of personal data protection your business requires
- Have good knowledge of your industry or sector
For help with GDPR training, you can find out more about Me Learning’s online courses.