News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | With mandatory DPOs looming, answering business FAQs: Part one Related reading: Thoughts on behavioral advertising, Meta and privacy

rss_feed

You all know the deadline by now. The EU’s General Data Protection Regulation will apply from 25 May 2018. This means that organizations must have implemented all the requirements it imposes by that date. Your to-do list is long, the deadline is tight, and team capabilities are limited.

The appointment of privacy officers is also part of the to-do list, if your processing falls under the criteria. According to the latest IAPP study based on conservative assumptions, we will need at least 24,000 DPOs to meet the private-sector needs, in addition to 4,000 in the public-sector. This means, in the coming months, hundreds of companies will be rushing to the same employment market to find their perfect DPOs. In our DPO recruitment practice, we already observe a movement in the DPO employment market due to the GDPR, and this movement will take the shape of a “war for talent” as the deadline gets closer.

Many companies have no experience working with professionals whose sole responsibility is privacy. Exceptions are big multinationals or companies operating in a European country where it is mandatory – i.e. Germany – or advantageous to have a DPO – e.g. France, Sweden. There is no uniformity across Europe with respect to a DPO’s tasks or profile as can be seen in a 2012 CEDPO paper.

This time it is different.

The GDPR does not only bring an obligation to appoint DPOs, but it also tells us about the main tasks, the job-holder profile, the reporting line, and the modus operandi of this professional.

To shed more light on this issue, we selected some of the practical questions we hear from businesses on a daily basis. Until further clarification is available from the Article 29 Working Party or from the DPAs, we would like to share some food for thought which may inspire your work (and may also give you some comfort that you are not alone!).

Here we go.

When shall we appoint our DPO?

Since the GDPR will apply at the end of May 2018, you won’t be penalized for the lack of a DPO until then. However, appointing a DPO earlier can bring some benefits.

First, you will have an extra pair of hands to help with the GDPR preparations. Second, you will not have left your DPO search until the last moment when the talent hunt is in full gear! Also take note of recruitment lead times: “Time-to-approve” is your internal headcount approval process; “time-to-recruit” is needed to reach out to the potential candidates and the whole recruitment process; and “time-to-start” is the period between an offer acceptance and the actual start date.

European countries have strict labour laws and long notice periods. It is not unusual to wait for a good candidate for two to three months as of the offer signature. So, act timely!

The CPO and the DPO – is it the same thing?

There are some similarities but yet there are differences.

The chief privacy officer is the C-level executive in an organization in charge of the strategic management of a corporate privacy program – defining the organization’s privacy vision, developing a strategy and selecting the right governance model, developing and implementing a framework suitable for the entire organization, and finally the performance management of this compliance program.

The European DPO role as described in the GDPR seems to be more operational than this.

They can co-exist within the same global privacy office, which is led by the CPO and composed of a core team of specialists and a bigger team of generalists spread across the organization. Specialists develop policies, procedures, and tools applicable across the whole organization, while generalists – regional privacy managers, local DPOs – act as trusted advisors to their business lines ensuring that the field practices are compliant to corporate standards and the applicable laws, including and foremost with the GDPR.

What is the job holder profile here?

In any recruitment process, the ideal candidate requirements are a combination of hard and soft skills. Hard skills may include domain knowledge, work experience or languages, while soft skills could include leadership, communication, and negotiation. Together these skill sets form the set of qualities to perform the job. It is no different for the DPO role. The GDPR does not list all the qualities but gives a few examples, such as the type of knowledge and the ability to perform the tasks. 

What type of knowledge?

Our DPO must be knowledgeable about data protection law. In our view, this cannot be limited to the GDPR as there are other privacy-related EU regulations and Member State laws where there is an interaction with the GDPR – telecom laws and employment laws, for example. This view is strengthened by one of the DPO tasks, which is “to monitor compliance with the Regulation and other regional/local privacy provisions…”

Knowing laws, though, is not enough.

Our DPO also needs to know about the operational aspects. These can include privacy practices such as impact assessments, handling data subject’s requests, employee monitoring, vendor contracts, and breach management. 

What “level” of knowledge should we expect from our DPO? 

The Regulation asks us to seek “expert” knowledge. However, looking at the Recitals, we understand that it is up to us to define the level of expertise in relation to our type of processing and the level of protection it requires. This would mean that companies which face greater risks – because they are data-driven or they process sensitive data or they rely heavily on outsourcing, for example – must look for someone who has a high level of expert knowledge in law and practices.

On the other hand, if the processing is limited in type, scale or geography, then it could be fine to recruit someone who has a lower level of expert knowledge. The use of word “expert” here is very confusing as it – by default – refers to somebody who is very knowledgeable. Plus, it sounds weird to say “little-level expert knowledge.” But you’ve got the point: You need to decide on the level of expertise you need from a DPO.

Another listed quality here is the “ability to fulfill the tasks.” Which skills can enable a person to fulfil all the listed tasks?

Obviously, one’s domain knowledge and previous experience would definitely enhance this ability. However, there are other qualities that are equally important to perform the job well. We are looking for a professional with superb interpersonal skills at all levels of the organization; an approachable person who enjoys sharing knowledge but at the same time knows when to make his or her point clear; someone who is able to work in a structured way under minimum supervision; someone who is good in risk-assessment, has strong PR skills, with a good command of languages – as the DPO is expected to be in direct communication with data subjects and the DPAs – and finally someone tactful enough to find the fine balance between a trusted advisor and an internal watchdog.

photo credit: Scrabble - Application via photopin (license)

Editor's Note:

This is the first in a two-part series of Perspectives posts on the hiring of data protection officers in the EU. Stay tuned for the second installment in which Gonca Dhont answers many more questions about DPOs, including where they reside within an organization, and much more.  

Author
Headshot Gonca Dhont Nonmember Contributor
11 Comments

If you want to comment on this post, you need to login.

  • comment Julie Glover • Jun 8, 2016 
    Thank you, Gonca!  This is a very useful and practical analysis.
  • comment chris Jangelov • Jun 9, 2016 
    Just one question. You talk about "an additional one-year grace period after the 2018 deadline". I have not been able to find any sorce for this. Would you please explain what this grace period comprises and point me to a source?
Looking forward to part two.
Thanks!
  • comment Sam • Jun 9, 2016 
    Hi Chris - this was an editorial miscue on my part. In the Council compromise draft, the one-year grace period was included and I mistakenly thought it made it through to final draft when editing this piece. I have changed the piece and apologize for the misinformation.
  • comment chris Jangelov • Jun 9, 2016 
    Thanks. Glad we found it! My mind is at ease :-)
  • comment Daniel Pradelles • Jun 15, 2016 
    Good article but seems to me that there is one point forgotten here... in the GDPR there is no mention of CPO, only DPO and unfortunately it is currently compared (too much ?) to the specific implementatoin done in the country having the largest base of DPO :-).
Then we may say that de facto what the regulation refers to is to a certain extent a "C-DPO" without clearly addressing the "C".
My personal view is that the acronym "DPO" should refer to a "Data Privacy Organization" and not specifically "one Officer" and indeed such organization must ne managed by a senior directeur or higher having the title of "C-DPO" and a team of collaborators handling the "operational" aspects of the role. The size of the DP organization, the profile of the members should be left to the company as it will highly depend on the size, business sector, structure, history, managing culture, overall culture of the specific company.

But the starting point for the C-DPO is to be positionned at a highest level with appropriate resources to have a strategic role and a "driving"  influence on the company Personal (or not personal ?) Data Governance. The adequate balance between the operation side, the strategic side and resources should be defined by the company, it could be one person for small & medium enterprise but for this person  to be "strategic" is a fundamental which cannot be left aside.
This more accurate definition of the acronym "DPO" should be done as quickly as possible before the enforcement date in order , for public and private organization, to build, train, grow the efficient "CDPO" they need.
  • comment Robert McWilliams • Jun 15, 2016 
    Thank you for these useful FAQs, Gonca. Obviously, for the great majority of organizations covered by the GDPR, the logical location for their DPO is Europe. But do you think some organizations (those without a significant presence in Europe, but processing Europeans' personal data) may choose to locate their DPO in their HQ country? I am thinking particularly of the US.
  • comment Andrew Sanderson • Jun 16, 2016 
    @robert mcwilliams: as I understand it, GDPR applies to processing of personal data by any "controller or processor not established in the EU" that "offers goods or services  ... to data subjects in the EU" [article 3, 2(a)];
and Article 27 'representatives of controllers or processors not in the EU' adds:
(1) where article 3(2) applies, the controller or processor shall designate in writing a representative in the EU.
Representative is defined in 4(17) as 'represents the controller or processor with regard to their respective obligations under this Regulation'.
Part of the DPO role is acting as local contact for data subjects [38, (4)]; another part is 'cooperate with the supervisory authority' [Article 39, 1(d)] so presence in the local timezone may be an issue.
It doesn't explicitly join up, but it looks like the DPO should be EU-based.
  • comment Robert McWilliams • Jun 16, 2016 
    Thank you, Andrew Sanderson. Clearly the "representative" must be in the EU. If the DPO is a different individual, I guess their location (non-EU HQ country v EU) would offer different advantages for different aspects of the role; the EU being better for the externally facing aspects, and the HQ country more efficient for internally facing tasks (training, monitoring, etc). I am thinking mainly about businesses without a significant EU office, and there may not be many of them that fall under the mandatory DPO requirement.
  • comment Gonca Dhont • Jun 16, 2016 
    Robert – this is a good question, one we hear many times from businesses with/without physical presence here in Europe.  I have covered this point in the second part of this series, so stay tuned!  But let me briefly share what I think. Even if the job candidate perfectly matches the required knowledge, experience and skill set, yet I see 2 issues here: 1) acceptance/integration of a remote DPO within the European organization (it would be different if we were speaking of a remote HR, Marketing or Finance pro; a DPO is a brand new function for many companies ) 2) as Andrew said - direct interaction with the data subjects and the local authorities will be required which may have to go beyond e-mail / phone communication for the latter.
  • comment Robert McWilliams • Jun 17, 2016 
    Thank you, Gonca, and for part two also. This has been a very useful discussion.
  • comment Stuart Ritchie • Jun 19, 2016 
    @Daniel: interesting points. I'll confine myself to your comments on merging CPO and DPO. I have to say when I first looked at this last year my instinctive response was similar. However, after inquiring into model law and jurisprudence (notably Germany from a lay perspective), re-reading the Recitals, and comparing against the regulation of individuals in some industry sectors, I arrived at the view that such a merger would simply paint a big "sue-me" sign on the enterprise. 

If we think of the DPO as a statutory office (which, after all, it is), we'll have the right mind-set (noting that the required standards of independence, competence, and qualifications often may be far higher than that for a company officer, along with the incurred risks).
Related Stories
Thoughts on behavioral advertising, Meta and privacy
Many companies are facing uncertainty following the Court of Justice of the European Union's finding that Meta's personal data processing, when collected from third-party services and linked with personal data collected on Facebook for behavioral advertising, can neither be based on contractual nece...
Read More queue Save This

Related Stories
Recent Comments