Hiring a DPO: What you need to know
A 2016 study found that, once the EU GDPR enters into force, 75,000 Data Protection Officers (DPOs) will be required across the globe. Although the appointment of a DPO is already established practice in Germany, hiring a DPO is a relatively new – and daunting – endeavour for many businesses. What are the roles and responsibilities of a DPO? What skills should the right candidate have? And should a DPO be a permanent employee or independent adviser?
- Roles and responsibilities of a DPO
With their expert knowledge of EU GDPR legislation and national data protection laws, DPOs need to make your organization aware of its obligations in relation to controlling and/or processing personal data. Training your teams is where awareness of, and compliance with, the GDPR is cultivated: a crucial step in building compliance from the ground up, since the responsibility for compliance does not rest solely on the DPO’s shoulders. Considering the new risks the regulation brings with it, a well-informed workforce, trained in GDPR best practices, is non-negotiable.
The DPO also needs to assign responsibilities to relevant team members, advise the organization on the steps it needs to take to be EU GDPR compliant and monitor compliance throughout the year. Last but not least, DPOs are the point of contact between the organization and the supervisory authority. Their ability to carry out this responsibility successfully relies on several specialised skills.
- Hard and soft skills beneficial to compliance success
1. Legal knowledge: Beyond a detailed understanding of the legislation and the potential pitfalls of non-compliance, the DPO should have expert legal knowledge. This knowledge should be supported by acute analytical skills so that compliance can be assessed and ensured as circumstances change, especially considering the evolving nature of the digital landscape.
2. Communication skills: As the contact point between the supervisory authority and the company, it is crucial for the DPO to be an excellent communicator. Being proficient in the primary language of the country where the supervisory authority is located is highly advantageous.
3. IT and business knowledge: It is integral for the DPO to have a clear understanding of how the business works, its IT infrastructure and the role personal data plays in the business strategy.
- Permanent appointment or on contract basis?
The costly overhead of appointing a highly skilled, highly specialised DPO whose professional skills tick all the boxes can make for an arduous recruitment process, and may even tempt companies to sidestep the requirement. It is important to note that companies whose core operations involve the large-scale monitoring of data subjects or the large-scale processing of special categories of personal data are mandated by the GDPR to appoint a DPO, and such a DPO would need a high level of expertise in the areas listed above. However, companies can appoint either a staff member or an external individual on a service contract to assume the responsibilities of a DPO. Most importantly, the DPO should be 100% independent, have zero conflicts of interest and report only to the highest management level.
Whilst employing a DPO is a recommended (sometimes mandatory) step towards compliance, adhering to EU GDPR best practices is the responsibility of every team member. Learn how to make EU GDPR compliance part of your organization’s culture with Lobster Ink and PwC Legal Switzerland’s practical EU GDPR compliance training for Managers and Associates. Inquire today.