As a rule, the more regulation companies face, the less they support it. It's well known: businesses just want to do business, and any new law is seen as an obstacle. When that legislation also requires stronger security measures, aligning the company's objectives with the requirements of legal compliance becomes harder still.
It's up to the Data Protection Officer (DPO) to strike this delicate balance. Their role is to inform and advise the controller (the person or organisation responsible for the processing), its processors and its staff about the measures to adopt for the protection of personal data. Their objective is to guide their employer into compliance with the laws in force and to keep it compliant over the long term. The DPO also protects the company from taking on too much risk by recommending an impact assessment before any new project that involves processing personal data. Lastly, the DPO cooperates with the supervisory authority and serves as its point of contact, and as the point of contact for the people whose data is processed, so that everyone involved can exercise their rights. Within the organisation, it's the DPO who drafts or revises the directives, rules and policies that govern personal data processing.
To become a DPO, it’s important that you have legal and IT skills, as well as good people skills.
On the IT side, you need to understand IT risk management, the information system as a whole (development, infrastructure, auditing), how it is evolving technologically and what that evolution means for the organisation. You should also have a good grasp of security technologies and of cybercrime threats.
In terms of legal skills, it's essential to understand the various data protection laws (national and international). A DPO should be able to carry out impact assessments and identify compliance gaps. Writing skills are also needed, for drafting contractual clauses, rules, or notices for clients and other stakeholders.
When it comes to soft skills, a DPO needs to be a very good communicator, capable of simplifying complex notions and getting the message across at every level of the hierarchy. Experience in project management and a good knowledge of the organisation's line of business are also indispensable.
Internal or external?
This is a big debate amongst Privacy professionals… Although the law explicitly states that this role can be outsourced, I would say that the size of the company, its complexity, and its international presence are all criteria to consider before deciding on an internal or external DPO.
However, one thing is essential for compliance with the law: the DPO must be able to act independently, free of conflicts of interest. In practice, this means the DPO cannot hold a role that would lead them to determine the purposes and means of the processing. It would therefore be a mistake to attach this role to functions such as human resources, IT, marketing, security, finance, or operational management. For organisations that lack the resources to designate a full-time DPO, outsourcing can be an attractive option. In that case, it's important to set out the service mandate clearly and to define the responsibilities of the designated person.