How to hire the right DPO?
With the new General Data Protection Regulation (GDPR) going into effect, more and more job advertisements for the position of Data Protection Officer (DPO) have been popping up. Already in 2016, a study by the International Association for Privacy Professionals indicated that 28,000 DPOs would be needed to meet the GDPR requirements. Not surprisingly, few people fulfil the criteria required for this profile, which leads to a significant shortage of qualified individuals. As a result, two questions arise: how can my organisation choose a good DPO under these market conditions? And what should we look for in the first place?
DPO competences required by the GDPR
First of all, make sure to check the legal requirements for a DPO. The GDPR states that the DPO shall have expert knowledge of data protection law and practices (see Article 37.5). This provision gave rise to the question of whether or not the DPO needs to have a legal background. The GDPR is not clear on this; and, given that security is a substantial and intrinsic part of data protection, many former chief information security officers and others with backgrounds in IT are moving into this new career.
Expert knowledge with regard to the law is not, however, something one can acquire easily through a couple of data protection training courses. The same holds true for the expertise needed to perform the tasks required of a DPO, such as advising the controller on compliance issues and monitoring compliance with the GDPR, or cooperating with the national supervisory authority. To learn more about the responsibilities of a DPO, check out this article: The role of the DPO in light of the General Data Protection Regulation.
The GDPR has 99 articles and 173 recitals, so monitoring and advising on compliance is anything but a light side activity. While some issues are of a more technical nature, like having adequate security in place, others are 100% legal: Do you have a legal basis for your data transfers to a third country? To answer this question, one needs to understand what a data transfer and a third country are in the first place, what legal options the GDPR provides for such a transfer, and why one option is best suited for your organisation while others are not. Also, check out the article 3 steps for data transfers according to GDPR to see what is important for data transfers in and outside of the EU.
Things could not get more legal, except perhaps when it comes to data protection policies, data subjects’ rights, cooperation with the national data protection authority, etc. What does this mean in terms of choosing the right DPO? Be aware of, and ask for, solid legal qualifications. Especially in cases where your data processing activities are particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.
What about other skills? How important are soft skills?
Imagine the following scenario: your DPO needs to find a way to implement a highly intricate new law within your organisation without stopping your ongoing business processes. Good communication skills and the willingness to collaborate will be essential for explaining legal concepts, such as data protection by design, to the people tasked with implementing them. Equally important for the successful accomplishment of this comprehensive compliance mission, if not more so, will be leadership and initiative.
What about the often-discussed strong IT skills? I invite you to think about whether or not curiosity might be a more valuable asset for doing the job. A DPO needs to oversee and “sign off” on adequate security. Obviously, he or she will not carry out this task alone, but will rely on the IT team for that. The DPO will, of course, need at least basic IT literacy, but more important is the curiosity to understand an organisation’s security landscape, and the points of convergence between law and IT in the bigger picture of data protection compliance. At the end of the day, however, the DPO will need to be the type of person who can push for things to get done, and who is also willing to take responsibility for the solutions or practices he or she proposes.
‘More haste, less speed’
Given the high market demand and the shortage of DPOs, in addition to the very specific profile requirements for this function, organisations might rush their hiring process, settling for a candidate who only marginally fulfils the conditions. Or they may choose a seasoned IT professional to take on the new data protection legal responsibilities as well.
A mix of a legal focus with an additional IT background would be the ideal basic skillset of a DPO. However, such a combination of knowledge remains rather rare for now. While more and more such mixed profiles are expected to emerge on the market, in the meantime the right DPO should be recruited from within the legal community. At the same time, organisations should be wary of the numerous “GDPR experts” who have suddenly emerged along with the new regulation, and make sure that their expertise is thoroughly verified during the hiring process. Also, keep in mind that the DPO must not only act independently, but also shall not be dismissed or penalised by the controller for performing his or her tasks. In practice, this means that getting rid of an ineffective and/or inadequate DPO might be harder than expected, so controllers might be warier of hasty decisions, and for good reason.
To learn details on how to perform this job, see this free online training: GDPR Data Protection Officer Course.