Cybersecurity Guide
How to become a data protection officer: A complete career guide

Last Updated: January 4, 2021

The data protection officer (DPO) is a relatively new position for many companies. The role, responsibilities, and reporting structure of a DPO are largely defined by the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR was adopted on April 14, 2016, and became enforceable beginning May 25, 2018. It is important to note that, in addition to companies in EU member states, any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation.

The GDPR’s requirement for the creation of a DPO within certain companies has created a demand in the market for individuals with the necessary skillset and experience. Even if a DPO is not required by GDPR, many organizations will choose to have an employee act in the capacity of a DPO without officially designating them with this title. This keeps the organization free from the requirements imposed by officially designating a DPO, while still allowing the position holder to facilitate data protection and data privacy activities.

For small and mid-sized businesses (SMBs), the responsibilities of a DPO may be added to those of an existing, well-qualified employee rather than creating a new position that requires a new hire. For larger organizations, a full-time position is often created for this essential role.

Steps to becoming a data protection officer

A combination of education and experience is needed to become a data protection officer. A commonly requested combination of education, experience, career path, and professional certifications is outlined below:

  1. Education: A BA or BS degree in information security, computer science, or a similar field. Alternatively, a bachelor’s degree or J.D., or the equivalent work experience in privacy, compliance, information security, auditing, or a related field, will often be considered.
  2. Career path: Promotion to DPO can reasonably be sought after 10+ years of experience in the various privacy disciplines (e.g., privacy program and policy, privacy law, information governance, incident response, information security, training and awareness, etc.).
  3. Professional certifications: One or more International Association of Privacy Professionals (IAPP) certifications such as CIPP/US, CIPP/E, and/or CIPM may be required. ISACA certifications in governance and risk management (e.g., CRISC, CGEIT, etc.) are sometimes preferred.
  4. Experience: Desired work experience may include 5+ years in privacy and/or compliance-related risk management positions. Consideration will often be given to experience in other relevant fields (e.g., finance, business administration, information technology, etc.) as long as the candidate can demonstrate its relevance to this information security-based role.

What is a data protection officer?

The data protection officer is the steward of data protection implementation and data privacy strategy within an organization. They are charged with facilitating a culture of data protection throughout the company. They ensure enterprise-wide compliance. While the introduction of GDPR brought international visibility to the idea of a formal DPO position, the concept has existed in more than a few privacy-conscious organizations for some time.

A DPO manages organizational data protection and, as stated earlier, this enterprise leadership role is required for GDPR compliance at certain companies. The appointment of a DPO is mandatory for public authorities and for companies that process large amounts of special categories of personal data.

The language of GDPR indicates that the size of an organization is not what compels the need for a DPO, but rather the size and scope of data handling. Unfortunately, GDPR does not specifically define what is to be considered “large-scale” data handling. While there are no exact guidelines around the scale of data handling, it is generally accepted that most small businesses will not be required to hire a DPO unless their core focus is data collection or storage.

According to the GDPR, the DPO should report directly to the highest management level. This requirement does not dictate that the DPO must be directly managed at that level, but they must have direct access to the senior managers who make decisions about personal data processing. This structure supports the DPO’s mandate to advise senior management on these matters. The GDPR also offers DPOs some protection from dismissal, so that DPOs are not fired simply for doing their job.

To ensure that the DPO remains independent and free from pressure to satisfy competing agendas within the organization, a company should not assign the DPO role to legal counsel involved in potential or actual litigation or regulatory action against the company. Likewise, a company should not assign the DPO role to its chief IT or security manager, because the DPO will be required to give frank advice on the adequacy of the company’s IT and security systems.

Data protection officer skills and experience

First and foremost, a candidate for the position of DPO must be able to demonstrate a solid understanding of the GDPR. Even employers that are not looking for a candidate with a mastery of GDPR per se will often use an understanding of this de facto standard for data privacy requirements to measure suitability for the position. A growing number of employers are looking for DPOs for the express purpose of meeting GDPR requirements.

Article 37 of the GDPR states, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks…” Many experts agree that a DPO should be a licensed lawyer with sufficient knowledge of not only the GDPR but also the other privacy laws that matter to the employer. At a minimum, a legal background is helpful for understanding and interpreting the complex legal requirements surrounding data privacy. In addition to knowing what the various laws and regulations say, a DPO must also understand how those laws are interpreted and applied in case law.

The risks associated with data privacy can be enterprise- and industry-dependent. It is important that the DPO has a good understanding of the enterprise’s business operations and the data handling needs of its specific industry, so experience within that organization and that industry are important qualifiers. The inherent benefits of employing a DPO with this company- and industry-specific knowledge put significant pressure on senior management to appoint an in-house DPO rather than outsource the role.

While technical skills are not considered a primary requirement, a DPO should have practical experience in cybersecurity. The candidate should have dealt with real security incidents, which will enable them to provide useful guidance on risk assessments, countermeasures, and data protection impact assessments. Although security is an important component of the GDPR, it is only one piece of the overall law.

Individuals with a security background are often narrowly focused on external threats and frequently lack the legal or customer service skills needed to fulfill the many responsibilities of this important role.

What do data protection officers do?

The data protection officer independently ensures that an organization appropriately applies the laws protecting personal data. DPOs are responsible for educating the company and its employees about compliance, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any supervisory authorities (SAs) that oversee data-related activities.

A DPO is an organization’s data protection and privacy evangelist. This often places the DPO at odds with the key performance indicators and agendas of other department leaders. Success in this position requires an individual who is strong-willed and also able to negotiate with other leaders and find common ground.

Data protection officer job description

The successful candidate will have a deep understanding of the GDPR and a legal background in the privacy arena. They will hold verifiable security- or privacy-related professional certifications, such as one or more IAPP or ISACA certifications. Existing relationships with authorities having jurisdiction over data protection and privacy matters are desirable.

The candidate must be able to demonstrate an ability to learn quickly. The role requires quickly grasping the company practices and policies that relate to the collection and dissemination of personally identifiable information (PII).

The DPO candidate must have a proven track record in one or more of the areas of data protection, privacy advocacy, cybersecurity, information security, and regulatory compliance.

Data protection officer responsibilities include:

  • Providing in-house legal advice on privacy, privacy by design, data sharing, and data transfers.
  • Drafting, negotiating, and reviewing any commercial agreement that involves protected information.
  • Advising on and drafting data protection-related documentation, including contract due diligence under either the GDPR or the CCPA.
  • Providing guidance and support on new compliance reporting and data tracking requirements, and updating internal codes of conduct.
  • Maintaining familiarity with all applicable privacy laws.

Outlook for data protection officers

The field of data protection and privacy rights is booming, and data protection officers are in high demand. Because this is a new role for many organizations, there is often a lack of clear direction when establishing hiring requirements for a new DPO. As a result, a candidate who can instruct a company on what is needed, what the role should include, and even the value the DPO can bring to the organization is highly sought after.

By every indication, the need for DPOs will continue to grow significantly for the foreseeable future. 

How much do data protection officers make?

ZipRecruiter lists the average salary for data protection officers at $85,696 USD and reports annual salaries as high as $156,500.

The U.S. Bureau of Labor Statistics (BLS) reports that the 2018 mean annual salary for compliance officers (a specialty closely related to data protection officer) was $72,520.

Copyright © 2021 · Cybersecurity Guide · All Rights Reserved