A Data Protection Officer (DPO) is an independent expert who advises an organization that falls within the ambit of the General Data Protection Regulation (GDPR) and ensures that it complies with the Regulation and other privacy laws. The GDPR stipulates that companies that regularly collect and monitor user data are required to appoint a DPO. Similarly, it is mandatory for organizations that carry out large-scale processing of personal data to appoint a DPO. A DPO must have appropriate experience and qualifications to fulfil the role. What makes the role challenging is that the DPO must possess comprehensive knowledge and understanding of data protection laws and of how to achieve compliance with them.
Functions of a DPO
Article 39 of the GDPR contains a detailed list of responsibilities of a DPO. Some of their tasks include:
- Advising staff on their data protection responsibilities;
- Monitoring the organisation’s data protection policies and procedures;
- Advising management on whether data protection impact assessments (DPIAs) are necessary;
- Serving as the point of contact between the organisation and its supervisory authority; and
- Serving as a point of contact for individuals on privacy matters.
Roadmap to becoming a DPO
The European Data Protection Supervisor (EDPS), in its paper Professional Standards for Data Protection Officers, observed that a DPO should also “be encouraged to obtain certifications in data protection and to continue to develop their professional skills and competencies”. One way to do so is through the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Professional/Europe (CIPP/E) certifications.
The CIPM certification equips privacy and data protection professionals with the skills needed to establish, maintain and manage privacy and data protection practices in an organization across their entire lifecycle. A CIPM certification shows that you have extensive knowledge of privacy regulations and also know how to make them work for your organization. Besides the CIPM, the CIPP/E certification also contributes towards creating a successful DPO, as both certifications are certified to the ISO 17024:2012 standard.
The DPO Competency Framework and Training Roadmap (Framework)[i], formulated by the Personal Data Protection Commission (PDPC), Singapore, is also a useful guide for those looking to become a DPO. It outlines the various competencies required of a DPO, including business risk management, stakeholder management, audit and compliance, and data ethics, to name a few.
[i] PDPC, DPO Competency Framework and Training Roadmap.