With mandatory DPOs looming, answering business FAQs: Part one

You all know the deadline by now. The EU’s General Data Protection Regulation will apply from 25 May 2018. This means that organizations must have implemented all the requirements it imposes by that date. Your to-do list is long, the deadline is tight, and team capabilities are limited.

The appointment of privacy officers is also part of the to-do list, if your processing falls under the criteria. According to the latest IAPP study, based on conservative assumptions, we will need at least 24,000 DPOs to meet private-sector needs, in addition to 4,000 in the public sector. This means that, in the coming months, hundreds of companies will be rushing to the same employment market to find their perfect DPOs. In our DPO recruitment practice, we already observe movement in the DPO employment market due to the GDPR, and this movement will take the shape of a “war for talent” as the deadline gets closer.

Many companies have no experience working with professionals whose sole responsibility is privacy. Exceptions are big multinationals or companies operating in a European country where it is mandatory – i.e. Germany – or advantageous to have a DPO – e.g. France, Sweden. There is no uniformity across Europe with respect to a DPO’s tasks or profile as can be seen in a 2012 CEDPO paper.

This time it is different.

The GDPR does not only bring an obligation to appoint DPOs, but it also tells us about the main tasks, the job-holder profile, the reporting line, and the modus operandi of this professional.

To shed more light on this issue, we selected some of the practical questions we hear from businesses on a daily basis. Until further clarification is available from the Article 29 Working Party or from the DPAs, we would like to share some food for thought which may inspire your work (and may also give you some comfort that you are not alone!).

Here we go.

When shall we appoint our DPO?

Since the GDPR will apply at the end of May 2018, you won’t be penalized for the lack of a DPO until then. However, appointing a DPO earlier can bring some benefits.

First, you will have an extra pair of hands to help with the GDPR preparations. Second, you will not have left your DPO search until the last moment when the talent hunt is in full gear! Also take note of recruitment lead times: “Time-to-approve” is your internal headcount approval process; “time-to-recruit” is needed to reach out to the potential candidates and the whole recruitment process; and “time-to-start” is the period between an offer acceptance and the actual start date.

European countries have strict labour laws and long notice periods. It is not unusual to wait for a good candidate for two to three months as of the offer signature. So, act timely!

The CPO and the DPO – is it the same thing?

There are some similarities, but there are also differences.

The chief privacy officer is the C-level executive in an organization in charge of the strategic management of a corporate privacy program – defining the organization’s privacy vision, developing a strategy and selecting the right governance model, developing and implementing a framework suitable for the entire organization, and finally the performance management of this compliance program.

The European DPO role as described in the GDPR seems to be more operational than this.

They can co-exist within the same global privacy office, which is led by the CPO and composed of a core team of specialists and a bigger team of generalists spread across the organization. Specialists develop policies, procedures, and tools applicable across the whole organization, while generalists – regional privacy managers, local DPOs – act as trusted advisors to their business lines ensuring that the field practices are compliant to corporate standards and the applicable laws, including and foremost with the GDPR.

What is the job holder profile here?

In any recruitment process, the ideal candidate requirements are a combination of hard and soft skills. Hard skills may include domain knowledge, work experience or languages, while soft skills could include leadership, communication, and negotiation. Together these skill sets form the set of qualities to perform the job. It is no different for the DPO role. The GDPR does not list all the qualities but gives a few examples, such as the type of knowledge and the ability to perform the tasks. 

What type of knowledge?

Our DPO must be knowledgeable about data protection law. In our view, this cannot be limited to the GDPR as there are other privacy-related EU regulations and Member State laws where there is an interaction with the GDPR – telecom laws and employment laws, for example. This view is strengthened by one of the DPO tasks, which is “to monitor compliance with the Regulation and other regional/local privacy provisions…”

Knowing laws, though, is not enough.

Our DPO also needs to know about the operational aspects. These can include privacy practices such as impact assessments, handling data subject’s requests, employee monitoring, vendor contracts, and breach management. 

What “level” of knowledge should we expect from our DPO? 

The Regulation asks us to seek “expert” knowledge. However, looking at the Recitals, we understand that it is up to us to define the level of expertise in relation to our type of processing and the level of protection it requires. This would mean that companies which face greater risks – because they are data-driven or they process sensitive data or they rely heavily on outsourcing, for example – must look for someone who has a high level of expert knowledge in law and practices.

On the other hand, if the processing is limited in type, scale or geography, then it could be fine to recruit someone who has a lower level of expert knowledge. The use of the word “expert” here is very confusing as it – by default – refers to somebody who is very knowledgeable. Plus, it sounds odd to say “low-level expert knowledge.” But you get the point: You need to decide on the level of expertise you need from a DPO.

Another listed quality here is the “ability to fulfil the tasks.” Which skills enable a person to fulfil all the listed tasks?

Obviously, one’s domain knowledge and previous experience would enhance this ability. However, there are other qualities that are equally important to perform the job well. We are looking for a professional with superb interpersonal skills at all levels of the organization; an approachable person who enjoys sharing knowledge but at the same time knows when to make his or her point clear; someone who is able to work in a structured way under minimum supervision; someone who is good at risk assessment, has strong PR skills and a good command of languages – as the DPO is expected to be in direct communication with data subjects and the DPAs – and finally someone tactful enough to find the fine balance between a trusted advisor and an internal watchdog.


Editor's Note:

This is the first in a two-part series of Perspectives posts on the hiring of data protection officers in the EU. Stay tuned for the second installment in which Gonca Dhont answers many more questions about DPOs, including where they reside within an organization, and much more.  

Written By

Gonca Dhont, CIPP/E, CIPM

11 Comments


  • Julie Glover Jun 8, 2016

    Thank you, Gonca!  This is a very useful and practical analysis.
  • chris Jangelov Jun 9, 2016

    Just one question. You talk about "an additional one-year grace period after the 2018 deadline". I have not been able to find any source for this. Would you please explain what this grace period comprises and point me to a source?
    Looking forward to part two.
    Thanks!
  • Sam Jun 9, 2016

    Hi Chris - this was an editorial miscue on my part. In the Council compromise draft, the one-year grace period was included and I mistakenly thought it made it through to final draft when editing this piece. I have changed the piece and apologize for the misinformation.
  • chris Jangelov Jun 9, 2016

    Thanks. Glad we found it! My mind is at ease :-)
  • Daniel Pradelles Jun 15, 2016

    Good article but seems to me that there is one point forgotten here... in the GDPR there is no mention of CPO, only DPO and unfortunately it is currently compared (too much ?) to the specific implementation done in the country having the largest base of DPO :-).
    Then we may say that de facto what the regulation refers to is to a certain extent a "C-DPO" without clearly addressing the "C".
    My personal view is that the acronym "DPO" should refer to a "Data Privacy Organization" and not specifically "one Officer" and indeed such organization must be managed by a senior director or higher having the title of "C-DPO" and a team of collaborators handling the "operational" aspects of the role. The size of the DP organization, the profile of the members should be left to the company as it will highly depend on the size, business sector, structure, history, managing culture, overall culture of the specific company.
    
    But the starting point for the C-DPO is to be positioned at a highest level with appropriate resources to have a strategic role and a "driving" influence on the company Personal (or not personal ?) Data Governance. The adequate balance between the operation side, the strategic side and resources should be defined by the company, it could be one person for small & medium enterprise but for this person to be "strategic" is a fundamental which cannot be left aside.
    This more accurate definition of the acronym "DPO" should be done as quickly as possible before the enforcement date in order, for public and private organizations, to build, train, grow the efficient "CDPO" they need.
  • Robert McWilliams Jun 15, 2016

    Thank you for these useful FAQs, Gonca. Obviously, for the great majority of organizations covered by the GDPR, the logical location for their DPO is Europe. But do you think some organizations (those without a significant presence in Europe, but processing Europeans' personal data) may choose to locate their DPO in their HQ country? I am thinking particularly of the US.
  • Andrew Sanderson Jun 16, 2016

    @robert mcwilliams: as I understand it, GDPR applies to processing of personal data by any "controller or processor not established in the EU" that "offers goods or services ... to data subjects in the EU" [article 3, 2(a)];
    and Article 27 'representatives of controllers or processors not in the EU' adds:
    (1) where article 3(2) applies, the controller or processor shall designate in writing a representative in the EU.
    Representative is defined in 4(17) as 'represents the controller or processor with regard to their respective obligations under this Regulation'.
    Part of the DPO role is acting as local contact for data subjects [38, (4)]; another part is 'cooperate with the supervisory authority' [Article 39, 1(d)] so presence in the local timezone may be an issue.
    It doesn't explicitly join up, but it looks like the DPO should be EU-based.
  • Robert McWilliams Jun 16, 2016

    Thank you, Andrew Sanderson. Clearly the "representative" must be in the EU. If the DPO is a different individual, I guess their location (non-EU HQ country v EU) would offer different advantages for different aspects of the role; the EU being better for the externally facing aspects, and the HQ country more efficient for internally facing tasks (training, monitoring, etc). I am thinking mainly about businesses without a significant EU office, and there may not be many of them that fall under the mandatory DPO requirement.
  • Gonca Dhont Jun 16, 2016

    Robert – this is a good question, one we hear many times from businesses with/without physical presence here in Europe. I have covered this point in the second part of this series, so stay tuned! But let me briefly share what I think. Even if the job candidate perfectly matches the required knowledge, experience and skill set, yet I see 2 issues here: 1) acceptance/integration of a remote DPO within the European organization (it would be different if we were speaking of a remote HR, Marketing or Finance pro; a DPO is a brand new function for many companies) 2) as Andrew said - direct interaction with the data subjects and the local authorities will be required which may have to go beyond e-mail / phone communication for the latter.
  • Robert McWilliams Jun 17, 2016

    Thank you, Gonca, and for part two also. This has been a very useful discussion.
  • Stuart Ritchie Jun 19, 2016

    @Daniel: interesting points. I'll confine myself to your comments on merging CPO and DPO. I have to say when I first looked at this last year my instinctive response was similar. However, after inquiring into model law and jurisprudence (notably Germany from a lay perspective), re-reading the Recitals, and comparing against the regulation of individuals in some industry sectors, I arrived at the view that such a merger would simply paint a big "sue-me" sign on the enterprise. 
    
    If we think of the DPO as a statutory office (which, after all, it is), we'll have the right mind-set (noting that the required standards of independence, competence, and qualifications often may be far higher than that for a company officer, along with the incurred risks).
