The data protection officer (DPO) is a relatively new position for many companies. The role, responsibility, and reporting structure of a DPO are largely defined by the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR was adopted on April 14, 2016, and became enforceable beginning May 25, 2018. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation.
The GDPR’s requirement for the creation of a DPO within certain companies has created a demand in the market for individuals with the necessary skillset and experience. Even if a DPO is not required by GDPR, many organizations will choose to have an employee act in the capacity of a DPO without officially designating them with this title. This keeps the organization free from the requirements imposed by officially designating a DPO, while still allowing the position holder to facilitate data protection and data privacy activities.
For small and mid-sized businesses (SMB) the responsibilities of a DPO may be added to those of an existing well-qualified employee rather than the creation of a new position requiring a new hire. For larger organizations, a full-time position is often created for this essential role.
Steps to becoming a data protection officer
A combination of education and experience is needed to become a data protection officer. A commonly requested combination of education, experience, career path, and professional certifications is outlined below:
- Education: A BA or BS degree in information security, computer science or a similar field. Alternatively, a bachelor’s degree or J.D., or the equivalent work experience in privacy, compliance, information security, auditing, or a related field, will often be considered.
- Career path: Promotion to DPO can reasonably be sought after 10+ years of experience in the various privacy disciplines (e.g., privacy program and policy, privacy law, information governance, incident response, information security, training and awareness, etc.).
- Professional certifications: One or more International Association of Privacy Professionals (IAPP) certifications such as CIPP/U, CIPP/EU and/or CIPM may be required. ISACA certifications in governance and risk management (e.g., CRISC, CGEIT, etc.) can sometimes be preferred.
- Experience: Desired work experience may include 5+ years in privacy and/or compliance-related risk management positions. Consideration will often be given to other relevant fields (e.g., finance, business administration, information technology, etc.) as long as the candidate can demonstrate relevance to this information security-based role.
What is a data protection officer?
The data protection officer is the steward of data protection implementation and data privacy strategy within an organization. They are charged with facilitating a culture of data protection throughout the company. They ensure enterprise-wide compliance. While the introduction of GDPR brought international visibility to the idea of a formal DPO position, the concept has existed in more than a few privacy-conscious organizations for some time.
A DPO manages organizational data protection and, as stated earlier, this enterprise leadership role is required for GDPR compliance for certain companies. The appointment of a DPO is mandatory for public authorities and companies processing large amounts of special categories of personal data.
The language of GDPR indicates that the size of an organization is not what compels the need for a DPO, but rather the size and scope of data handling. Unfortunately, GDPR does not specifically define what is to be considered “large-scale” data handling. While there are no exact guidelines around the scale of data handling, it is generally accepted that most small businesses will not be required to hire a DPO unless their core focus is data collection or storage.
According to the GDPR, the DPO should report directly to the highest management level. This requirement does not dictate that the DPO must be directly managed at this level, but they must have direct access to the senior managers who make decisions about personal data processing. This structure helps to facilitate the DPO’s mandate to advise senior management on these matters. The GDPR also offers DPOs some level of protection from dismissal. This protection exists to ensure DPOs are not fired simply for doing their job.
To ensure that the DPO can remain independent and free from pressure to satisfy competing agendas within the organization, a company should not assign the DPO role to legal counsel who is involved in potential or actual litigation or regulatory action against the company. In addition, a company should not assign the DPO role to the chief IT or security manager of the company, as the DPO will be required to provide frank advice on the adequacy of the company’s IT and security systems.
Data protection officer skills and experience
First and foremost, a candidate for the position of DPO must be able to display a solid understanding of the GDPR. Even when an employer is not looking for a candidate with a mastery of GDPR per se, an understanding of this de facto standard for data privacy requirements is what many employers will use to measure suitability for this position. A growing number of employers are looking for DPOs for the express purpose of meeting GDPR requirements.
Article 37 of the GDPR states, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks…” Many experts agree that a DPO should be a licensed lawyer who has sufficient knowledge of not only GDPR but also the other privacy laws that are important to the employer. At a minimum, a legal background is helpful for understanding and interpreting the complex legal requirements surrounding data privacy. In addition to knowing what the various laws and regulations say, a DPO must also know how these laws are interpreted and applied in case law.
The risk associated with data privacy can be enterprise and industry dependent. It is important that the DPO has a good understanding of the enterprise’s business operation and the data handling needs of that specific industry. Experience within that organization and that industry are important qualifiers. The inherent benefits of employing a DPO with this specific company and industry knowledge apply significant pressure on senior management toward hiring an in-house DPO rather than outsourcing the role.
While technical skills are not considered to be a primary requirement, a DPO should have practical experience in the area of cybersecurity. The candidate should have dealt with real security incidents that will enable them to provide helpful guidance on risk assessments, countermeasures, and data protection impact assessments. Although security is an important component of GDPR, it is only one piece of the overall law.
Individuals with a security background are often narrowly focused on external threats and often do not have the legal or customer service skills needed to fulfill the many responsibilities of this important role.
What do data protection officers do?
The data protection officer ensures, in an independent manner, that an organization appropriately applies the laws protecting personal data. DPOs are responsible for educating the company and its employees about compliance, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any supervisory authorities (SAs) that oversee activities related to data.
A DPO is an organization’s data protection and privacy evangelist. This often means that the DPO can be placed in a position that is at odds with the key performance indicators and agendas of other company department leaders. Success in this position requires an individual who is strong-willed and also able to negotiate with and find common ground among other leaders.
Data protection officer job description
The successful candidate will have a deep understanding of GDPR and a legal background in the privacy arena. They will have verifiable security or privacy-related professional certifications. The candidate will have one or more IAPP or ISACA certifications. Existing relationships with authorities having jurisdiction in matters of data protection and privacy are desirable.
The candidate must be able to demonstrate an ability to learn quickly. This role will require the ability to quickly grasp company practices and policies that relate to the consumption and dissemination of personally identifiable information (PII).
The DPO candidate must have a proven track record in one or more of the areas of data protection, privacy advocacy, cybersecurity, information security, and regulatory compliance.
Data protection officer responsibilities include:
- Providing in-house legal advice on privacy, privacy by design, data-sharing, and transfer of data.
- Engaging in the drafting, negotiating and reviewing of any commercial agreement containing protected information.
- Advising and drafting data protection-related documentation including contract due diligence for either GDPR or CCPA.
- Providing guidance and support on various new compliance reporting/data tracking requirements and updating internal codes of conduct.
- Maintaining familiarity with all applicable privacy laws.
Outlook for data protection officers
The field of data protection and privacy rights is booming. Data protection officers are in high demand. Since this is a new role for many organizations, there is often a lack of clear direction in establishing hiring requirements for a new DPO. This results in an environment where a candidate with the ability to instruct a company on what is needed, what the role should include, and even the value the DPO can bring to the organization is highly sought after.
By every indication, the need for DPOs will continue to grow significantly for the foreseeable future.
How much do data protection officers make?
ZipRecruiter lists the average salary for data protection officers at $85,696 USD and reports annual salaries as high as $156,500.
The U.S. Bureau of Labor Statistics (BLS) reports that the 2018 mean annual salary for compliance officers (a closely related specialty to data protection officer) was $72,520.