When you think of May 2018, what comes to mind? Maybe a loved one’s birthday or a special anniversary, or maybe the day the European Union’s General Data Protection Regulation (GDPR) became enforceable (25 May 2018, two years after its adoption). The GDPR changed how organizations handle personal data in many ways, but one notable innovation is its requirement that many organizations, inside and outside Europe, appoint a Data Protection Officer (DPO).
This left privacy professionals everywhere asking the question: What is a DPO?
With many organizations now required to designate an individual to oversee data protection, it’s important to understand what role a DPO plays, when appointment of a DPO is required, and what qualifications a DPO needs. In this article, we’ll explore each of these topics.
What Role Does a DPO Play?
A data protection officer has a complex, challenging role, as they’re involved in all issues within an organization related to the protection of personal data.
For an organization established in the EU, or one outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU, the DPO is first and foremost the person who informs and advises the organization on its obligations under data protection law and monitors its compliance. Note that the legal accountability for compliance stays with the controller or processor; the DPO advises and monitors rather than carrying the liability. And yes, this means the role exists outside of Europe as well.
The DPO also acts as the primary point of contact for, and cooperates with, the supervisory authority; advises the organization on GDPR obligations and how to remain compliant; provides advice on, and monitors the performance of, data protection impact assessments (DPIAs); and handles other data protection tasks, including responding to inquiries from data subjects.
For those of you who like to get down to the nitty-gritty, Article 39 of the GDPR goes into more detail on the distinct tasks a DPO is responsible for.
DPOs Within An Organization
The data protection officer should function autonomously within the organization, with a level of independence mandated by the GDPR (Article 38): the controller or processor must not instruct the DPO on how to carry out their tasks, and must not dismiss or penalise the DPO for performing them.
DPOs are to report directly to the highest level of management—often the C-suite executives or board of directors—of the data controller or data processor. Quick definition for you here: a controller is the entity that determines the purposes and means of processing personal data; a processor processes personal data on the controller’s behalf and under its instructions.
Additionally, the DPO doesn’t have to be an employee of the organization. The GDPR allows the tasks to be performed under a service contract, and outside vendors are often engaged for the DPO role.
DPOs who are employees can hold other roles within their organization as well. In these cases, the GDPR requires that the other tasks and duties do not result in a conflict of interests, which is especially important for smaller organizations to pay close attention to. In practice, the conflict arises when the same person decides the purposes and means of processing that the DPO is supposed to monitor, which is why regulatory guidance flags senior positions such as head of IT, head of HR or head of marketing as likely to conflict. For example, in smaller organizations, you may see someone in the chief information security officer (CISO) role also acting as the DPO; that arrangement only works if the CISO does not themselves determine the purposes and means of the processing in question.
When Is Appointment of a DPO Required?
Now that we’ve covered the role of a data protection officer, let’s discuss when appointment of a DPO is required for an organization.
A DPO is designated by a controller or processor, which must publish the DPO’s contact details and communicate them to the supervisory authority.
There are three situations, set out in Article 37 of the GDPR, in which a controller or processor must designate a DPO:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
Let’s take a closer look at how some of these terms are defined, drawing on the Article 29 Working Party’s guidelines on DPOs. “Core activities” are the key operations necessary to achieve the controller’s or processor’s goals, as opposed to ancillary activities such as paying staff or running IT support. “Regular and systematic monitoring” refers to the tracking and profiling of individuals, both online and offline, that is ongoing or recurring and carried out according to a system or strategy. “Large scale” has no specific numeric threshold; the factors to weigh include the number of data subjects, the volume of data, the duration of the processing, and its geographical extent.
In addition to the three situations outlined above, a DPO must be appointed if it’s required under member state law. For example, Germany’s Federal Data Protection Act (BDSG) sets an employee-count threshold: a DPO must be appointed once a set number of persons are regularly engaged in the automated processing of personal data (ten under the version in force when the GDPR took effect, raised to twenty by a 2019 amendment), and regardless of headcount where a DPIA is required or where the organization processes personal data commercially for transfer or market research. Likewise, in Spain, controllers such as insurers, credit institutions and educational institutions must appoint a DPO under the national data protection law (LOPDGDD).
At the end of the day, given the judgment calls involved in deciding whether appointment is mandatory, an organization may be better off appointing a DPO even when it isn’t required. And to simplify the appointment process, a group of undertakings, such as a parent company and its subsidiaries, can appoint a single DPO, provided the DPO is easily accessible from each establishment.
What Are the Necessary DPO Qualifications?
A data protection officer must be designated on the basis of their professional qualities and, in particular, expert knowledge of data protection law and practices, and their ability to fulfil the tasks outlined above. The GDPR doesn’t prescribe a particular credential; the level of expertise should match the sensitivity, complexity and volume of the data the organization processes.
How can you demonstrate this knowledge and expertise? While certainly not the only means of doing so, one way is by getting certified by the International Association of Privacy Professionals (IAPP). The IAPP positions the combination of the Certified Information Privacy Professional/Europe (CIPP/E) and the Certified Information Privacy Manager (CIPM) credentials as preparation for the DPO role.
The CIPP/E certification covers the GDPR and the wider European data protection framework in depth, while the CIPM certification prepares you to build and manage a privacy program across your organization.
To earn the CIPP/E and CIPM certifications, you’ll first need a passing score on each certification exam, which is no walk in the park.
Preparing for IAPP Certification Exams
The IAPP offers several helpful resources and study materials online, many of which can be accessed for free. This is a great place to start, but privacy professionals will often look beyond IAPP materials to prepare for the certification exams.
At Privacy Bootcamp, we offer comprehensive, self-guided, online test preparation for the IAPP exams—study at your own pace, on your own time. Our CIPP/E and CIPM course material, developed by privacy and data protection experts, comes with guided e-Study Modules, digital flashcards, practice questions, interactive exercises, a quick reference “cheat sheet,” and a live-exam environment, which mimics the actual testing application so you can practice under real-life exam conditions.
We also offer a combination discount, where students receive 10% off our standard price when they purchase two or more courses at the same time—perfect for those looking to become DPO qualified. With proper preparation for the CIPP/E and CIPM exams, you’ll be one step closer to this dual IAPP certification that can help you stand out as a privacy professional and be considered for a data protection officer role.