How to choose the right DPO, it sounds interesting…

You already know that you probably need a Data Protection Officer (aka DPO) for your company (if you don’t, you should read this). The question is now

How to choose the right DPO

DPO – Courtesy of the IAPP


Let’s start from the basics and see what the experts say. In this case, the best source is clearly the European Data Protection Board (EDPB) and its papers, especially the Guidelines on Data Protection Officers («wp243_DPO_Guidelines», originally adopted by the Article 29 Working Party and endorsed by the EDPB).

Level of Expertise

Under Article 37(5) GDPR, the DPO must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks listed in Article 39. Unfortunately, the GDPR does not define «expertise» or «professional qualities»; WP243 only says that the level of expertise must be commensurate with the sensitivity, complexity and amount of data the organization processes. In practice, we can infer that expertise is determined by:

  1. on the one hand, the time the DPO has spent working in the privacy field;
  2. on the other hand, the DPO’s substantive expertise in the relevant business sector.

In my case, I’ve been supporting companies for almost twenty years in sectors such as healthcare, finance, public institutions, hotels and travel agencies, manufacturing, real estate… Name it: I’ve probably got it 😉


Professional qualities

As for professional qualities, Article 37(5) makes expert knowledge of European data protection law a requirement. Being a lawyer with privacy-related certifications is reassuring but, as WP243 points out, that legal knowledge should be complemented by knowledge of the business sector and of the controller’s own processing operations. Otherwise, how could a DPO be efficient and effective in performing his/her tasks without knowing how the company works?

A sound understanding of the organization’s information systems and of data security should also be demanded; WP243 lists both explicitly among the skills a DPO needs.

Holding the following certifications is definitely a huge advantage:

  • CISA (ISACA’s Certified Information Systems Auditor), for the information systems and audit side;
  • CIPP/E (IAPP’s Certified Information Privacy Professional/Europe), for European data protection law;
  • CIPP/US (IAPP’s Certified Information Privacy Professional/United States), useful when the company also deals with US privacy law;
  • CDPSE (ISACA’s Certified Data Privacy Solutions Engineer), for privacy by design and data security in practice.


Ability to fulfil the tasks

A DPO must have a genuinely independent position in the organization: under Article 38(3) GDPR, the DPO receives no instructions on how to perform his/her tasks, cannot be dismissed or penalised for performing them, and reports directly to the highest management level. Integrity and high professional ethics are expressly mentioned by WP243 as the core personal qualities of a successful DPO, whose «primary concern should be enabling compliance with the GDPR».

No certification or academic title can guarantee professional integrity. At the end of the day, the value of a DPO lies in his/her ability to ensure that:

  • personal data are processed lawfully;
  • data subjects’ rights are ensured;
  • data protection by design and by default principles are embedded in the organization;
  • processing activities are properly recorded;
  • personal data breaches are notified to the supervisory authority and, where required, communicated to the affected data subjects.


The Contract

Article 37(6) GDPR allows both options: you can appoint a DPO as an employee (as long as all the conditions mentioned above are maintained) or contract an external one on the basis of a service contract, the so-called «DPO as a Service» model. If you need a template in which the controller defines:

  • how possible conflicts of interest are avoided and, if they arise, resolved; and
  • how tasks and responsibilities are clearly defined,

drop me an email and I will send you one (for free, in Spanish).