Article 37(5) of the GDPR states:
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
The WP29 Guidelines provide:
The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.
Relevant skills and expertise include:
- Expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR
- Understanding of the processing operations carried out
- Understanding of information technologies and data security
- Knowledge of the business sector and the organisation
- Ability to promote a data protection culture within the organisation
The Information Commissioner's Office (ICO) offers similar guidance, stating that although the GDPR does not stipulate the exact qualities a DPO must have, the person or external specialist appointed must have the credentials required, which are:
Proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.
In addition, the ICO states that,
Although not mandatory, it is an advantage for a DPO to have a strong knowledge of the industry or sector they are operating in.
In the article The Role of the DPO – What you need to know, authors Anita Bapat and James Henderson note that it is currently not clear what level of knowledge a DPO will be required to hold. They go on to predict that uniform standards are likely to develop as time goes on:
We would expect common standards to be developed in due course, possibly including EU-wide certification programs for individuals to demonstrate they have the appropriate knowledge of data protection law to perform the role of DPO.
(Anita Bapat & James Henderson, Hunton & Williams)
Back in 2013, Lisa Jackson, Solicitor and Data Protection Practitioner with Leman Solicitors in Ireland, stated that the position of DPO would lend itself well to someone with a legal or compliance background.
However, whilst knowledge of data protection law is clearly essential, a DPO, especially in a large organisation, may struggle to perform their duties without a background in IT.
Take the case of a personal data breach. Article 33(1) of the GDPR directs that:
The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Furthermore, under Article 34(1):
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Bear in mind that one of the DPO's key tasks under Article 39(2) is:
The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
As you can see, it is hard to imagine how a DPO could provide the controller with the information required to meet these breach notification deadlines without a competent knowledge of IT systems, data mapping, and the skills to locate the source of a data breach.
Although the tasks of locating the breach and identifying the data subjects affected are likely to be performed by the IT department, the DPO must have at least a rudimentary understanding of the concepts in order to communicate effectively with the controller or processor, the ICO, all the affected data subjects, and any other stakeholders.
The same applies to carrying out effective Data Protection Impact Assessments (DPIAs).