The arrival of the General Data Protection Regulation (GDPR) is one of the biggest news stories in the cybersecurity and business landscapes this year.
Software developers, service providers, online business owners — any organization that collects and manages the personal data of people in the EU is required to have a GDPR compliance strategy.
This involves knowing every source of personal data you hold, governing how that data is shared, and establishing layers of protection that keep it safe from unauthorized access, from pseudonymization to encryption.
In certain circumstances (set out in Article 37 and summarized at the end of this post), the GDPR also requires organizations to appoint a data protection officer (DPO) who will oversee compliance efforts.
In this post, we will discuss the 5 important qualifications you need to look for in a DPO. But first, a little introduction.
Who is a DPO?
According to the EU GDPR Information Portal, a DPO “must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.”
Keep in mind that the most serious GDPR violations can cost your organization up to €20,000,000 or 4 percent of your total worldwide annual turnover for the preceding financial year, whichever is higher. Clearly, selecting a DPO is not a decision you should rush.
Aside from knowing the ins and outs of GDPR compliance, the DPO is also in charge of identifying data protection risks. They must act in the interests of the people whose personal data your organization processes — referred to in the regulation as data subjects.
A DPO can also be a current staff member or an outsourced service provider.
If you’re in the process of hiring a data protection officer for your organization, here is a simple checklist of competencies that will help you choose the right candidate:
1. Expert knowledge of data protection law
Today, there are many services that provide outsourced DPO professionals who are thoroughly screened for their regulatory and GDPR compliance knowledge. With how tricky the GDPR can be, it pays for businesses to work with DPO professionals to ensure that they aren’t tripping wires all over the place and remain compliant with the regulation.
2. Working knowledge of cybersecurity
To have a productive relationship with your DPO, they must also be capable of conducting risk assessments and advising on data protection impact assessments. It’s also preferable if they have hands-on experience with the fundamental cybersecurity practices that protect data subjects.
Keep in mind that cyber threats constantly evolve to take advantage of the attack vectors present in today’s systems. Just because a candidate has demonstrated a working knowledge of the GDPR provisions doesn’t mean they can contribute to finding security gaps in your organization.
3. Able to do their duties independently
A DPO must be able to stay unbiased and truthful when fulfilling their tasks. More importantly, they must have the resolve to defend and push for their recommendations even when their superiors disagree.
Remember, a DPO is expected to work independently, without receiving instructions from their employer on how to perform their tasks. The GDPR states that they must report directly to the highest management level of the organization.
Since the GDPR puts the rights of data subjects ahead of the convenience of the organizations that process their data, a DPO’s recommendations may sometimes conflict with the company’s commercial interests. That’s why they must be hardened self-starters who don’t wait for support or the management’s “go signal” before they perform their role.
4. Can communicate well
The GDPR enables data subjects to contact an organization’s DPO for all concerns regarding the privacy and use of their personal data. This means your DPO must be an effective communicator who not only fully understands how data is processed in your organization, but also has the ability to relay information to customers in a professional and approachable manner.
The ability to translate complex technical jargon into plain language is also a key skill, since a DPO may occasionally have to handle customer complaints. Other members of your organization may also need to consult your DPO about data privacy and GDPR-related issues.
When choosing a DPO, pay attention to whether they are oriented more towards relationships than towards processes. If you are to trust this DPO to function well with your team, they must be willing to hold in-depth conversations with the board of directors, data subjects, your IT team, and so on.
5. Can quickly adapt to different communication styles and cultures
Finally, a DPO must be comfortable communicating with processors and controllers from other countries.
This is especially true if your organization caters to international data subjects, maintains business relationships with foreign entities, or outsources from other jurisdictions. Mannerisms, languages, traditions — all of these factors matter to the success of your communications organization-wide.
A multilingual candidate is a compelling choice, but only if the languages they speak are the languages you need. It also helps if they can demonstrate their negotiation skills, which should come in handy when they need to discuss and conclude arrangements with Data Protection Authorities (DPAs), the supervisory authorities that enforce the GDPR in each member state.
Do you need to hire a DPO?
Article 37 of the GDPR states that controllers and processors must designate a DPO if any of the following applies:
- The core activities of the organization consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The core activities of the organization consist of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10).
- The processing is carried out by a public authority or body (except for courts acting in their judicial capacity).
Even if you only collect email addresses from people in the EU for your website’s weekly newsletter, you are still subject to the GDPR; a DPO is mandatory only in the cases above, but the regulation lets you designate one voluntarily, and the same requirements then apply to that DPO. As long as you know the exact qualities you need to look for, it’s only a matter of time before you find the right fit for your needs.
Do you already have a DPO in your team? What advice can you give other organizations who are yet to find theirs? Tell us about it in the comments below!