Choosing the right DPO
Choosing the right DPO: it sounds interesting…
Since you already know that you need a Data Protection Officer (aka DPO) for your company (if you don’t, you should read this), you need to answer the question:
Now, let’s start from the basics and see what the experts say. In this case, the best source is clearly the European Data Protection Board (EDPB) and its papers, especially the «wp243_DPO_Guidelines».
Level of Expertise
Based on art. 37.5 GDPR, a DPO should be designated on the basis of his/her professional qualities. Unfortunately, the concepts of «expertise» and «professional qualities» are not defined by the GDPR, but we can infer that expertise is determined by:
- on the one hand, the time the DPO has been working in the privacy field;
- on the other hand, the material expertise in a specific sector.
As an illustration, I’ve been supporting companies for almost twenty years in sectors such as health, finance, public institutions, hotels and travel agencies, manufacturing, real estate… You name it, I’ve probably covered it 😉
Professional qualities
Firstly, when talking about professional qualities and according to the mentioned art. 37.5, a deep knowledge of European privacy law should be mandatory. Being a lawyer with privacy-related certifications is quite reassuring but, as suggested by the EDPB, it should be complemented by knowledge of the business sector. Otherwise, how could a DPO be efficient and effective in performing his/her tasks if he/she doesn’t know how the company works?
Additionally, a sound understanding of information systems and data security should be required.
Holding any of the following certifications is definitely a huge advantage:
- CISA
- CIPP/E
- CIPP/US
- CDPSE
- CIPM
Ability to fulfil their tasks
In the first place, a DPO must hold a clearly independent position in the organization. Integrity and professional ethics are expressly mentioned by the EDPB as the core values for a successful DPO, whose «primary concern should be enabling compliance with the GDPR».
Although no certification or academic title can guarantee professional integrity, the real value of a DPO lies in the ability to guarantee that:
- personal data are processed lawfully;
- data subjects’ rights are ensured;
- data protection by design and by default principles are embedded in the organization;
- processing activities are properly recorded;
- undesired data breaches are notified and communicated.
Choosing the right DPO: The Contract
Finally, you can hire a DPO as an employee (as long as you maintain all the mentioned conditions) or you can contract one under the so-called «DPO as a Service» model. If you need a template where the controller defines:
- how to avoid and eventually solve possible conflicts of interests; and
- how the tasks and responsibilities are clearly defined,
then, since choosing the right DPO is a big deal, drop me an email and I will send you one (for free, in Spanish).