Jan van Vliet, VP and GM EMEA of Digital Guardian, discusses what the role of DPO entails and outlines five critical components to look for in potential candidates.
With GDPR now in force, one of its central requirements is for businesses that process or store a large volume of personal data to appoint a Data Protection Officer (DPO). In a short space of time it has created widespread demand for DPOs. However, with it being a new role – and a rather unique one, at that – there’s an unsurprising shortage of suitable candidates.
As a result, many businesses are having to recruit based on a candidate’s ‘compatibility’ with the role, rather than their specific qualifications. But even this can be difficult. After all, what traits and skills does an effective DPO need?
What is the role of a DPO?
The role of the DPO is complex, serving as the point of contact between the business and supervisory authorities, as well as being responsible for educating employees on compliance requirements and training staff responsible for data processing.
Under Article 39 of the GDPR, the DPO’s tasks are defined as:
- Informing and advising the business and its employees about obligations to comply with the GDPR and other data protection laws
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits
- Advising on, and monitoring, data protection impact assessments
- Cooperating with the supervisory authority
- Being the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
What to look for in potential candidates
While the responsibilities defined above are varied, they follow a number of central themes, helping to narrow down the skills and traits required in potential candidates. Based on this, below are five of the most important things to look for:
1. A thorough understanding of the GDPR
Any serious DPO candidate must have a thorough understanding of the GDPR, both on paper and in practice. A legal background can be beneficial, although it isn’t strictly necessary. Unfortunately, with the DPO role still so new, there aren’t any recognised qualifications associated with it yet, making it harder to gauge someone’s suitability this way. As such, candidates must be able to demonstrate their understanding of the regulation before being considered for the role.
2. Experience in data security
While experience in data security and protection isn’t enough in itself to make someone suitable for the DPO role, it is still a key requirement. So much of the GDPR is about understanding how and where data must be protected and the risks associated with it that someone lacking technical security knowledge and experience would struggle to carry out the role effectively.
3. Knowledge of the sector/industry in question
A successful DPO must clearly understand how and where data is being used by the business, which often requires a deeper understanding of the wider sector or industry in which the business operates. While this can be learned on the job, it takes time to do so, meaning a pre-existing understanding is always preferable, particularly if the DPO is expected to hit the ground running (which they almost always are).
4. Good communication skills
DPOs must effectively communicate with all parties involved in the process of establishing and maintaining GDPR compliance. This includes both internal groups such as senior management and IT/security teams, and external stakeholders including regulators and independent auditors. Without good communication skills, this will be extremely difficult to achieve.
5. A strong negotiator
Negotiating with security vendors and providers is another pivotal part of the DPO role, meaning strong negotiating skills are a must. Without them, the business is unlikely to secure good deals on the tools and solutions it needs to achieve GDPR compliance, which can quickly become costly.
Six months after the GDPR came into force, many businesses still find themselves struggling to identify suitable candidates for the newly created role of DPO. With universally recognised qualifications not yet established, businesses need a clear view of what traits and skills they’re looking for. While the list of considerations in this article is by no means exhaustive, it provides a solid foundation that businesses can use to find the right person for the job.