The demand for Data Protection Officers (DPOs) has risen by an incredible 700% since the GDPR came into effect. Given it is a highly specialist role, many companies are choosing to outsource the responsibility to skilled consultancies or contractors. In this article, we discuss how to become a DPO and what the role entails.
What is a DPO?
The role of DPO is all about compliance. Your job is to ensure that the organisation processes data in accordance with the laws surrounding data security and data privacy.
The DPO is completely independent. Unlike most roles in an organisation, which act in the best interests of the business, the DPO is expected to do what’s right by the data. To perform the role adequately, you should have access to any resources you need and have the full support of the Board.
As DPO, the GDPR assigns you 6 key tasks:
- To oversee subject access requests.
- To keep the business and its people informed of their legal obligations.
- To monitor compliance.
- To perform Data Protection Impact Assessments (DPIAs).
- To be the point of contact for the Information Commissioner’s Office (ICO).
- To cooperate with the ICO on matters relating to data.
Why do organisations need DPOs?
For companies processing the personal data of EU or UK residents, there is a legal requirement under GDPR to appoint a DPO if:
- You process large volumes of personal data as a core business activity.
- You are a public authority.
- You process ‘special’ category data.
However, given data is now a highly valuable asset in most businesses, it is best practice to nominate a person who is tasked with monitoring compliance to ensure people are doing the right thing with data.
What makes a good DPO?
Although legislations such as GDPR do not specifically list the qualities of a good DPO, it does highlight how the person requires ‘expert knowledge of data protection’. Therefore, it makes sense for you to possess key technical skills in:
- Risk: experience in privacy and security risk assessment, which is founded on skills like IT programming and IT infrastructure.
- Legal: knowledge of data protection and privacy laws and practices that affect their business, industry, country and operations.
Additionally, there is a broad range of softer skills that will help you to get ahead in the role:
- Leadership: experience presenting to the Board, the ability to co-ordinate efforts between business functions, and training/coaching skills to raise awareness.
- Communication: to be approachable, have the language to speak to the average citizen through to Board level, and the ability to communicate with external stakeholders.
- Confidence: to feel comfortable pushing back on ideas – even at Board level – if they are not in line with the regulations.
What training and experience do you need to become a DPO?
Again, the regulations do not dictate the specific qualifications required to take on the role of DPO, but from the scope of the role, and insistence that ‘significant’ experience is required, clearly it wouldn’t suit a junior person.
In particular, if you’re new to the role of DPO, it’s worthwhile considering a professional qualification:
Certified Information Privacy Professional/Europe (CIPP/E): equipping DPOs to ensure compliance and data protection success in Europe.
Certified Information Privacy Manager (CIPM): learn how to establish, maintain and manage an enterprise-wide privacy programme across its entire lifecycle.
Which UK companies provide DPO services?
Many companies choose to outsource the role of DPO rather than hire in-house. For some it’s about finding a cost-effective way to meet their regulatory requirements, others seek greater insight into how the wider market addresses the GDPR, and a few want to leverage the additional resources an external provider brings – like an independent audit.
Run a Google search on the keywords ‘outsourced DPO’ or ‘DPO-as-a-service’ and you’ll be presented with a wall of options. But in our experience, the companies we hear about most often are:
However, we believe that our approach is slightly different. At CyPro, our consultants have a minimum of 10-years’ experience, have worked across a range of industries and are skilled in both data protection, IT and cyber security. This allows our consultants to think broadly and advise on data protection solutions that are compliant and meet the requirements of the business and IT.
Believe you have what it takes to be a DPO?
Contact us and let’s discuss how to become a DPO at CyPro and make a difference with our clients in the role of virtual DPO.