Top Considerations When Choosing a DPO (Data Protection Officer)
We asked 18 privacy and security experts what companies should look for when choosing a Data Protection Officer.
The General Data Protection Regulation (GDPR) went into effect in Spring 2018, replacing the Data Protection Directive, which was created back in 1980, as the overarching rule governing the protection of personal data of EU citizens. But the GDPR has far-reaching effects, impacting not only businesses based in the EU, but any business worldwide that controls or processes data of EU citizens. One GDPR requirement is that businesses that process or store a large volume of personal data must appoint a Data Protection Officer (DPO).
The role of the DPO is complex, serving as the point of contact between the organization and supervisory authorities as well as being responsible for educating employees on compliance requirements and training staff responsible for data processing. The DPO also conducts regular security audits and makes recommendations to foster compliance with both regulations and best practices.
Obviously, the introduction of the GDPR resulted in a widespread demand for qualified Data Protection Officers, but as it's a new role – and a rather unique one, at that – there's an unsurprising shortage of professionals with the chops to fill the DPO shoes. Beyond the shortage of qualified DPOs, many companies face uncertainty in the recruiting and hiring process. What skills are required of a DPO? Can you simply promote an existing IT employee to the role? What about someone from the legal department? If you're hiring externally, what characteristics should you look for in a DPO candidate?
To aid companies in their search for a qualified DPO, we reached out to a panel of privacy and security experts and asked them to answer this question:
"What are the top considerations when choosing a DPO?"
Meet Our Panel of Security Pros & Privacy Experts:
Read on for expert tips and advice from our pros on the most important considerations to weigh when choosing a DPO.
Rita Heimes is Research Director at the International Association of Privacy Professionals, where she also serves as the in-house Data Protection Officer. Rita is an attorney and academic with many years of experience in the fields of privacy, information security, and intellectual property law.
"The top five things to look for in a DPO are..."
1. Solid understanding of the GDPR, on paper and in practice. First and foremost, the DPO has to be comfortable with both the content of the GDPR and its interpretations. It's not enough to know what the law says; the candidate also needs to have a grasp on what the law means in practice. How do you operationalize things like the right to be forgotten or the right to data portability?
2. Ability to interpret complex regulatory requirements and provide useful advice.
3. Good communication skills, both with external counterparts (such as regulators), as well as with internal stakeholders. GDPR compliance is a team sport involving IT, Marketing, Operations, and many other departments.
4. Ability to train staff on data protection awareness. It's possible there aren't readily available candidates with that kind of operational background, given the mad dash for data protection and privacy talent the GDPR has engendered. Therefore, it's helpful to look at the GDPR's main mandates for the role: advise the company on GDPR compliance, work with the local regulator, and train the organization's staff for data protection awareness.
5. Self-confidence and sound awareness of the organization's operations and industry. Is the candidate comfortable reporting to the highest levels of the organization and pushing back on high-level ideas for data use? Is the candidate savvy enough to understand the nuances of working with a regulatory body and getting clarification on compliance without raising red flags? Is the candidate the kind of person comfortable educating big groups of people and simplifying complex ideas? These are the prime considerations for any HR manager looking to fill a DPO role. Those so-called soft skills may be as important as any knowledge or experience in the marketplace.
Lily Li is the owner of Metaverse Law, a southern California law practice dedicated to helping businesses comply with privacy and cybersecurity laws. Ms. Li is a graduate of Duke University School of Law and holds the CIPP/E and CIPP/US certifications from the International Association of Privacy Professionals.
"The most important considerations in choosing a DPO are..."
1. Do you want to hire someone in-house or outsource the DPO role? There are pros and cons to both approaches. On one hand, an in-house DPO may be more familiar with your business operations and have greater access to management. This may be infeasible, however, due to the costs of on-boarding a new employee or conflicts of interest with assigning the DPO role to a current staff member. On the other hand, an outsourced DPO may have greater insight into how other companies are implementing GDPR solutions and be able to gather additional external resources (i.e., IT, insurance, and audit) to aid the company. For companies in the United States, it may be prudent to have multiple individuals occupy the DPO role – one local and accessible to the company, and one located in Europe and familiar with the regulatory authorities overseas.
2. Is the DPO familiar with privacy laws in Europe and other jurisdictions? Regardless of whether the company decides to choose a lawyer as a DPO, the DPO should be familiar with both the text and practical application of privacy laws. This experience may come from a variety of areas, such as previous legal experience in privacy and cybersecurity, privacy law certifications, or a background in compliance and risk management.
3. Does the DPO have a conflict of interest? The GDPR requires all DPOs to be independent resources for the company. Consequently, companies should refrain from assigning DPO roles to individuals that have conflicts of interest. For example, a company should not assign the DPO role to an in-house or external counsel that is involved in potential or actual litigation or regulatory action against the company. In addition, a company should not assign the DPO role to the chief IT or security manager of the company, as the DPO will be required to provide frank advice on the adequacy of the company's IT and security systems.
Matt Middleton-Leal has worked for many organizations, specializing in areas such as risk management, identity and access management, and network and database security. In the Netwrix blog, Matt shares insights on how to achieve greater levels of security and compliance.
"If you decided to hire a Data Protection Officer, you need to look for candidates that have the following skills..."
1. Legal background. According to GDPR article 37, the data protection officer (DPO) shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. Ideally, a DPO should be a licensed lawyer that has sufficient knowledge of not only GDPR, but other privacy laws that matter for his clients.
2. IT security experience. Ideally, a DPO needs to have practical experience in areas of cyber security. This means that a candidate has dealt with real security incidents and can provide helpful guidance on risk assessments, countermeasures, and data protection impact assessments, which is critical for organizations that are subject to GDPR.
3. Good communication skills. A good DPO needs to have good communication skills and interact with all teams that are involved in compliance processes (e.g., IT managers, external auditors, the organization’s IT security teams, and others). As mentioned in Article 39, one of the main tasks of the DPO is to inform and advise the controller or the processor where necessary, as well as handle requests and complaints from data subjects. Finally, he has to have experience in cooperating with supervisory authorities and act as a contact point on issues related to data handling and processing.
Ian McClarty has over 20 years of executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Solutions.
"If you ask someone to list the top considerations for hiring a Data Protection Officer and they provide you with a list of technical skills or subject matter knowledge..."
You’re being shortchanged. Technical skills are the barrier to entry; they aren’t the primary consideration in picking a hire. GDPR is an enormous, untested law. No audit facilities currently exist. Nobody knows precisely what GDPR compliance looks like.
This leaves anyone trying to hire a DPO with the unenviable task of finding someone who is enough of a realist to know that any and all skills they bring to the position are less crucial than the ability to negotiate reasonable solutions in an uncertain regulatory environment (which, of course, isn’t easy).
The right candidate will face pushback from every internal department they interact with: IT sees GDPR as an unnecessary burden on their project schedule. Sales and marketing see it as an unreasonable infringement on their ability to do their jobs. Security bemoans the fact that the law conflicts with other regulatory burdens they’re already shouldering. Legal ends up scratching their heads at the fact that the law is as clear as mud.
Into this swamp strolls the DPO. This person must be experienced enough to interact with all departments throughout the organization. This person must have the strength of character to know when to stand firm and when to concede. Most critically, this person must be balanced enough to weigh your organization’s compliance obligations against the effects those obligations have on your bottom line.
Finding this person isn’t easy. Perhaps there is someone in your organization already who qualifies. If not, you have to be very lucky with interviews of outside candidates to find the right person for the job.
Erik Stroman is a GDPR analyst working as part of Project Consulting Group's data protection/privacy and regulatory compliance practice team. They perform a large number of GDPR assessments for domestic and international companies ranging from Fortune 500 to mid-market, as well as provide GDPR compliance implementations, data mapping, document revisions, and DPO outsourcing services.
"An organization's DPO is their steward of data protection and data privacy..."
And works to facilitate a culture of data protection throughout the company and build enterprise-wide compliance. While the introduction of GDPR brought international visibility to the idea of a formal Data Protection Officer position, the concept has existed in several EU member countries for some time.
One of the top considerations when choosing a DPO is:
1. Does your organization meet the GDPR criteria that require you to have a DPO? Any organization which falls in scope of EU GDPR should review Article 37 of GDPR, which provides three criteria for when a DPO is required. Determining the organization's regulatory obligation based on these criteria should be the preemptive first step in choosing a DPO. Filling the position is mandatory when a controller or processor:
- Is a public authority (e.g., government agency/utility company)
- Engages in systematic monitoring on a large scale (e.g., location, behavioral, loyalty programs)
- Processes sensitive personal data or data related to criminal convictions/offences on a large scale
If a DPO is not required by GDPR, many organizations will choose to have an employee act in the capacity of a DPO without officially designating them with the title. This keeps the organization free from the requirements imposed by officially designating a DPO, while still allowing the position holder to facilitate data protection and data privacy activities.
Working in the IT security channel market as a technical consultant for many years, Chris has worked with some of the largest security vendors, distributors, resellers, and customers. Chris is certified as a GDPR practitioner under the IT Governance IBITGQ program and is a co-founder of IT security solutions and consultancy provider Advanced Cyber Solutions Ltd.
"There are two criteria which I think should be at the top of any list when considering the appointment of a DPO..."
1. A thorough understanding of the regulation. This might seem an obvious requirement. However, there are so many GDPR and DPO courses available now, without any form of centralized accreditation, that the quality of teaching is questionable. There are those who believe that only those with deep experience of data protection over their career should be able to fulfill this role; however, this simply isn't viable and is often a message crafted by those who want to promote their own services. Instead, a demonstrable understanding of the regulation is fine.
2. An understanding of how to apply the GDPR in practice. While knowing about the regulation itself is great, the DPO is expected to be able to advise their appointed organization on how to comply with respect to their activities. Having some knowledge of how that business functions operationally is key. For example, if the DPO is appointed to a recruitment company, then the DPO should have some experience or understanding of the operational aspect of a recruitment business.
Jackie Rednour-Bruckman is the CMO of MyWorkDrive.
"Companies should choose a DPO (Data Protection Officer) who..."
- Has a strong background in network security
- Is up to date on all governance compliance requirements and regulations
- Is a great negotiator and savvy while researching vendors, providers, platforms, and tools
- Is able to conduct high level researched meetings with legal, IT, and stakeholders like CEO, CFO, etc.
- Is experienced in the sector and industry you are in (Government, Financial, Healthcare, E-commerce, etc.)
- Is experienced in disaster recovery and best practices for data integrity
- Can execute a solid strategy that will keep costs lower while still maintaining a clear path on total data leak prevention
Robb Hecht serves as an Adjunct Professor of Marketing at New York City's Baruch College where he leads students into the future of customer first digital marketing technology principles.
"When digital marketers hear the new title Data Protection Officer they immediately cringe because..."
It has the feeling of someone coming on board to put restrictions on innovative campaign approaches.
It's actually the opposite. Now that GDPR has rolled out in Europe and the US, the initial reaction has been stifling, but when we get through this transition consumers are going to feel more trust in building relationships with brands that protect and reward their data. Data is a consumer's identity and if a brand can guarantee to a user that their data is secure and valuable to that brand, that brand has an advantage over competitors. Hence, companies should hire a DPO who values the voice of the consumer and can articulate that voice across the corporate organization, not only outlining what digital campaigners can't do, but also coming to the table with innovative data building relationship ideas so that agencies and client brands can develop strategies that empower customer relationships, rewarding their data relationship with their brands.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security, and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
"It is now time to focus on the..."
Finer points of the recent GDPR regulation and put policies and processes in place to ensure that the ecosystem of service providers, vendors, and partners can be managed in a comprehensive but streamlined manner. Larger companies should have a Data Protection Officer (DPO) in place, and SMEs should assign equivalent responsibilities to a senior employee, retaining outside expert help when needed.
While the DPO role will be new for many businesses, it is well established in the public sector and has matured in the US, where companies understand the value of a function that can help protect them from data protection-related incidents. A DPO does not necessarily have to be a full-time role or require the recruitment of a new employee. The GDPR allows the DPO to be an external party subcontracted for the purposes of fulfilling this role. Equally, a DPO can be employed mutually by multiple organizations. An individual can take on the role of a DPO in addition to other duties, as long as they have the qualifications, resources, and reporting lines to meet the requirements of the GDPR.
At the ISF, we anticipate that most organizations will need to designate a DPO, with the International Association of Privacy Professionals' (IAPP) research suggesting a requirement for up to 75,000 new DPOs worldwide. This likely shortage of qualified individuals, coupled with the length of typical corporate hiring cycles, means that an organization that has yet to designate a DPO should either start recruitment now; identify an internal candidate and start training them; or seek external expertise to fulfill the role requirements.
Geoff Forsyth is the CTO of PCI Pal and has spent the last 20 years designing, developing, and implementing a wide range of internet services – including the award-winning CallScripter contact center software package. A Fellow of the British Computer Society, Geoff is responsible for all technical infrastructure systems, ISO compliance, and IT security.
"The DPO position requires advanced knowledge around GDPR (and other relevant data protection laws)..."
As well as a deep understanding of the business and the data it handles, ensuring that they know how to manage the latest threats to the business and can maintain compliance. Businesses can assign the responsibility of DPO to a current employee or hire an external adviser to take on the role.
It is important to remember, however, that assigning a DPO does not mean that person is responsible for data protection compliance entirely on his or her own. Security should be a company-wide policy that is understood and upheld by all; a DPO will merely be in charge of overseeing any necessary changes and helping to make sure all employees are aware of their responsibilities.
Prakash Balebail is the founder and CEO of Estuate Software Pvt. Ltd, a global IT services company headquartered in Milpitas, CA. He has been in the IT industry for over two decades now, and has gained some expertise across several areas including IoT implementation and consulting.
"Having a Data Protection Officer is becoming more and more crucial for data-driven businesses today..."
The rising number of cyber-crimes and the enforcement of laws such as GDPR make it a necessity to appoint a DPO who can look after the privacy of business data and ensure compliance with critical regulations. There are some key aspects to consider while appointing a DPO. The officer should have a thorough knowledge of worldwide data protection rules, regulations, and practices. He should come with decent experience in handling data privacy measures at an enterprise level. He must be agile and spontaneous enough to steer the company through troubled waters in case of a data breach/security incident.
Andy Sambandam is the CEO of Clarip, a data privacy software company.
"It is important that the search for a Data Protection Officer go beyond..."
The basic legal requirements contained in GDPR. The DPO must be truly committed to putting the customer first and able to advocate enthusiastically for the consumer and data minimization in the face of internal organizational mandates for increased profits and data-driven decision making.
The DPO should also be someone who has a legal background and strong understanding of technology. It is first and foremost a compliance function which requires the ability to interpret the law. Additionally, the position requires the ability to understand the complex data flows within an organization, both inside and outside of technology, in order to fulfill many of the DPO responsibilities.
A common mistake that businesses make is to assume that a person with a background as a Chief Information Security Officer (CISO) will have the right skills and experience to serve the role as DPO or joint DPO-CISO. Although security is an important component of GDPR, it is only one piece of the overall law. Individuals with a security background are often narrowly focused on external threats and often do not have the legal or customer service skills needed to fulfill the many responsibilities of this important role.
Dan Desko is a Shareholder and a leader in the IT Audit, Cybersecurity, and Risk Advisory services practice at Schneider Downs. He is responsible for managing and leading a team of IT audit, security, and risk professionals with diverse experience and skill sets for a wide range of clients across multiple industries.
"Our firm has experience helping clients implement their GDPR practices, including selecting a DPO or acting as the outsourced DPO for organizations..."
Based on this experience we would recommend the following top considerations when choosing a DPO:
- One of the top considerations for a DPO is having a deep understanding of GDPR and even a potential legal background in the privacy arena. The addition of privacy- and security-related certifications is a strong quality to have as well.
- While the GDPR is new, there are a number of professional organizations that have started GDPR working groups and knowledge-sharing mechanisms. The DPO should be heavily involved in these forums. In addition, a strong plus for a DPO candidate would be one that has relationships with various local supervisory authorities.
- The DPO should have a deep understanding (or ability to quickly learn) of the business practices of the organization, including how and why the organization uses data in the manner it does, who the main users of the data are, etc. Without being able to identify the data an organization collects and how it uses that data and why, the DPO will never be able to effectively do their job.
Sean Si is the CEO and Founder of SEO Hacker, Qeryz, Sigil, and Workplays. Sean is a start-up, data analysis, and urgency junkie who spends his time inspiring young entrepreneurs through talks and seminars.
"Since the General Data Protection Regulation (GDPR) sent companies into a frenzy on how to comply with the Data Privacy Regulations..."
And how they should choose their DPO or Data Protection Officer properly, the GDPR has set the following qualifications for a Data Protection Officer:
- Expert knowledge of data protection law and practices, which is determined based on the complexity of your data processing activities
- The ability to fulfill the statutory responsibilities
However, these qualifications set by the GDPR are not enough. There are skills needed by a Data Protection Officer that are not within the boundaries of the qualifications they have set. In addition to the GDPR’s qualifications, companies should look for DPOs that have:
- The skills, experience, and knowledge for data privacy and information risk management
- Excellent relationship management skills
- The ability to persuade or negotiate
- The capability to function and operate at a company’s highest standard
All of these should be possessed by a company’s DPO because it is up to them to ensure that the company is complying with the GDPR’s standards and avoid penalties or sanctions.
Amy Nihad is an Information Security Specialist for KTSecure – a London-based company specializing in end-to-end Cyber Security solutions. You can find her blogging for their site and leading big projects for clients.
"Choosing the right DPO is key to correctly implementing GDPR in your company..."
Choose the wrong person, and everything could be for nothing.
The main consideration for your DPO should be the fact that they meet the requirement of “independent, an expert in data protection, adequately resourced, and report(ing) to the highest management level” as required by law. Unfortunately, this in itself can be a challenging task, and hence it might make more sense to employ an external company. Alternatively, you could have an employee train up to this position, but this isn’t something that should be taken lightly.
The second most important factor when choosing a DPO is to select someone that is department-independent. That is, they have a good overview of the company and aren’t necessarily tied to one department. The advantage of this is that they are likely to get a more rounded view of what needs to be handled and will be less likely to focus on things only relevant to their department.
The third important factor when choosing the DPO is the long-term view. Select someone that has been with the company for a few years, and will likely stay on longer. While this isn’t mandatory, GDPR comes with a lot of paperwork, and handovers can lead to numerous issues. Lastly, remember that it’s not always necessary to appoint a DPO. Therefore, you shouldn’t appoint one just for the sake of having one.
KJ Dearie is a product specialist and privacy consultant for Termly.
"As you search for the right DPO for your company, there are three big areas you should consider: affiliation, qualifications, and cost..."
1. Affiliation: One of the first questions you should ask yourself is whether you want to hire someone from inside or outside of the company. In other words, are you looking for an internal or external DPO? When considering which type of DPO is right for you, there are a few things to keep in mind. For instance, Article 38 of the GDPR stipulates that the DPO’s tasks – even those that may be unrelated to their duties as a DPO – must not lead to any conflicts of interest with their data protection responsibilities. For this reason, hiring an internal DPO can be risky, as conflicts of interest or biases are more likely to occur. On the other hand, an internal DPO will have a more intimate knowledge of your company’s data practices, and may be less expensive than hiring through an external firm – although the costs of training and certifying that employee will need to be factored in. As for external DPOs, not only is there a reduced possibility of conflict, but you won’t be forced to shoulder the cost of training. Plus, data-protection liability will partially reside outside of your company. While both types of DPOs have their pros and cons, weighing these is an important step in your hiring process.
2. Qualifications: Like with any position you’re looking to fill, qualifications are key. Not only should your chosen DPO have extensive knowledge of data privacy laws, regulations, and recommended practices, but they should also be well-equipped to handle inquiries about your company’s data-handling activities. Consider the following questions while vetting potential candidates:
- What are their licenses and certifications?
- How much training have they had as a DPO?
- How well-versed are they on the GDPR?
- Are they knowledgeable of other data protection laws like the ePrivacy Directive?
- What’s their experience with data protection practices, such as performing data audits and data protection impact assessments (DPIAs)?
While your candidate should have knowledge, training, and experience at the time of hiring, it’s also essential to find someone who’s ready and willing to continue to advance their data privacy expertise as the field rapidly develops.
3. Cost: Lastly, the ugly reality of hiring a DPO is that they can be expensive. Since the GDPR became enforceable, the demand for DPOs has skyrocketed, while the number of qualified DPOs remains limited – making them a precious commodity. DPO rates are estimated to be around 100-200 Euros/hour for non-lawyers, and 300-500 Euros/hour for those that are licensed attorneys. Additionally, you’ll need to weigh the costs of training an internal DPO versus hiring an external DPO from an agency or firm. This boils down to how much experience you’re willing to sacrifice for savings, or vice versa. Ultimately, how much you spend on your DPO should largely hinge on how much you need one. If you’re a high-risk data-handler, it’s well worth it to spend a bit more on a DPO, rather than face the penalties of the GDPR.
Mads Hennelund is a Consultant working for the Danish consultancy Nextwork A/S. He is an expert on digital transformation and a frontier in data branding, which is about strategy and positioning, business development, HR, data ethics and management in a hyper-digital world. He holds a master’s degree in Business Administration & Philosophy from Copenhagen Business School in Denmark.
"When choosing a DPO, it is key that you find someone with..."
Expert knowledge of GDPR legislation, both in words and in spirit. Also, the DPO should have (or be able to gain) a thorough insight into your industry and how personal data flows into different parts of the business all the way along the value chain. A good DPO should have a solid business mindset and be able to link data protection compliance and internal policies to performance management as well as internal and external communications. For example, appointing KPIs to business departments and employees that take into account compliance, internal policies, and data ethics is critical for implementation of good processes and procedures for managing personal data.
Looking at the world that's coming with changing consumer attitudes and behavior as well as emerging industries within data protection and privacy enablement, consumers and end-users will be able to determine very quickly whether the particular company that he or she is transacting and sharing data with is creating the proper 'value-universe' in which compliance with data protection laws and certain data-ethical standards are integral parts of the 'package' as a whole – along with transparency, understandability, and convenience, etc. Thus, the future DPO might very well be a Strategic DPO: integrating data protection across the organization from operations through HR, branding, marketing, sales, and customer service, making sure that data protection along with other critical data success factors becomes a superior capability, enabling the company or organization to utilize more personal data that can be used for product innovation, better customer service, and marketing. In other words, building a strategic competitive advantage.
Nate Masterson is the Financial Manager for Maple Holistics, a company dedicated to natural and cruelty-free personal care. Backed by an education in finance, Nate has been able to pursue both his professional and leisurely passions by working with Maple Holistics on becoming a leader in e-commerce. Originally from Riverdale, New York, Nate now works for Maple Holistics at their headquarters located in Farmingdale, New Jersey.
"In the wake of GDPR, companies need to be sensitive to..."
Data collection protocol more than ever and the future it may hold for all American businesses. While GDPR is strictly a European regulation, American companies need to be mindful of what this could mean for regulation in the States. A DPO should have a vision of what data regulation compliance will mean in the next five to ten years. The last thing a company wants to do following new legislation is to be crippled and have to give up hard-earned data. Data Protection Officers should have a strategy to use GDPR as a starting point for company policy, so that when legislation does limit data collection, your business can move forward as though it's business as usual.