
What skills should your DPO absolutely have?



Based on a survey of data protection officer job postings, companies are trying to fill DPO positions with junior associates with only a few years of experience. Many treat the DPO as merely an IT role with no legal experience, or as a compliance role with no real risk or IT experience. But what does the General Data Protection Regulation in fact require, and what do those requirements mean for the DPO's job skills? It is useful to summarize the necessary skills into a list that can be used to identify qualified DPO candidates; you'll find that list at the bottom of this article.

GDPR’s requirements for DPOs:

Risk/IT: Recital 77 and Articles 39.2 and 35.2 require DPOs to offer guidance on risk assessments, countermeasures and data protection impact assessments. DPOs must have significant experience in privacy and security risk assessment and best practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications/seals, and information security standards certifications. 

These skills should be founded upon wide-ranging experience in IT programming, IT infrastructure, and IS audits. While compliance checklists may be helpful, the DPO position first and foremost requires an experienced professional. Because risks constantly evolve, DPOs must demonstrate awareness of changes to the threat landscape and fully comprehend how emerging technologies will alter these risks. Providing guidance resembles the lawyer's skill of giving advice: it requires client-relationship skills so that controllers continue to seek that advice at the earliest phase, even when they do not agree with it.

Legal expertise/independence: Recital 97 and Articles 37.1, 37.5, and 38.5 specify “a person with expert knowledge of data protection law and practices” to assist the controller or processor, to be “bound by secrecy or confidentiality,” and “perform their duties and tasks in an independent manner.”

DPOs must know data protection law to a level of expertise based upon the type of processing carried out. This signifies that DPOs should be licensed lawyers knowledgeable not only of the GDPR and other relevant EU legislation (e.g. the E-Privacy Directive) but also of privacy and related laws in all jurisdictions in which their organization does business or outsources operations.

Confidentiality is second nature to the legal profession. DPOs must have experience acting in an independent manner, indicating a need for a mature professional with client relationship and audit experience to handle the delicate task of discovering gaps, encouraging gap mitigation, and ensuring compliance without taking an adversarial position.

Cultural/global: DPOs will likely be dealing with controllers and processors from different countries and therefore business cultures. DPOs must have experience in dealing with different ways of thinking and doing business and have the flexibility to marshal these differences into a successful result. Think of the simplified example of an organization with a retail presence in Europe, contract manufacturers in China, IT outsourcers in India, and headquarters in the U.S.  DPOs should be based in the EU but globally focused.

Leadership/broad exposure: Article 38.2 requires, “The controller and processor shall support the DPO … by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” DPOs will need to have leadership and project management experience, to be able to request, marshal and lead the resources needed to carry out their roles. They also must be able to critically assess themselves for knowledge gaps and request training in those areas.

DPOs should have broad business experience to know the industries of the data controller and processor well enough to understand how privacy should be implemented to integrate smoothly with the way each company designs and markets its products and services and earns its revenues.

Self-starter/board-level: Article 38.3 requires, “The controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks …  The DPO shall directly report to the highest management level of the controller or the processor.” DPOs have to be self-starters, with the competence and skills to carry out the role without guidance and to know where to find necessary information. DPOs must also have board-level presence and be able to deal with experienced business people who will not know the intricacies of DPO functions. Licensed external auditors such as CPAs/CAs, who audit compliance with laws, standards, and practices, are independent of the auditee, and report to the board, would have this type of experience.  

Common touch/teaching: Article 38.4 allows data subjects to contact the DPO “with regard to all issues related to processing of their personal data and to the exercise of their rights.” DPOs must be able to speak in the language of the average citizen, not in technical or legal jargon, to handle requests and complaints from data subjects. A common touch is helpful to DPOs in their role to protect data subjects’ rights. DPOs must also have skills in both legal training and awareness raising, to ensure all data subjects are aware of their rights and responsibilities and to help train others to assist data subjects on specific requests.   

No-conflicts/credibility: Article 38.6 allows DPOs to fulfill other tasks as long as “any such tasks and duties do not result in a conflict of interests.” DPOs who are members of the data controller’s organization may not perform roles that conflict with their DPO role. For example, a DPO who also oversees information security has a conflict when the security risk assessments and treatments they produced are evaluated under their DPO role. DPOs should be dedicated, or the role should be outsourced to an independent external DPO.

Article 39.1 states that DPOs are required “to cooperate with the supervisory authority … [and] act as the contact point for the supervisory authority on issues relating to processing.” A prior relationship with the data protection authority is helpful, or DPOs must be able to establish instant credibility based on their wide experience, knowledge, credentials and relationship skills. 

Summary of DPOs Required Job Skills

  • Significant (5-10 years) experience in EU and global privacy laws, including drafting of privacy policies, technology provisions and outsourcing agreements
  • Significant (5-10 years) experience in IT operations and programming, including attainment of information security standards certifications and privacy seals/marks
  • Significant (5-10 years) experience in information systems auditing, attestation audits and the assessment and mitigation of risk
  • Demonstrated leadership skills achieving stated objectives involving a diverse set of stakeholders and managing varied projects
  • Demonstrated negotiation skills to interface successfully with DPAs
  • Demonstrated client relationship skills to continuously coordinate with controllers and processors while maintaining independence
  • Demonstrated communication skills to speak with a wide-ranging audience, from the board of directors to data subjects, from managers to IT staff and lawyers
  • Demonstrated self-starter with ability to gain required knowledge in dynamic environments   
  • Demonstrated record of engaging with emerging laws and technologies
  • Experience in legal and technical training and in awareness raising
  • Experience in dealing successfully with different business cultures and industries
  • Professionally licensed as a lawyer and in information security and privacy, including ethical requirements for competence, confidentiality and continuing education 
  • EU resident and independent of real and perceived conflicts

This view was verified against publications from the Network of DPOs for EU Institutions (in a paper titled "Professional Standards for Data Protection Officers of the EU Institutions and Bodies Working Under Regulation (EC) 45/2001," now no longer in circulation) and the Article 29 Working Party. The former specified at least seven years of relevant experience, including knowledge of the institution and its data protection practices. It also included the following personal and interpersonal skills: “Personal skills: integrity, initiative, organization, perseverance, discretion, ability to assert himself/herself in difficult circumstances, interest in data protection and motivation to be a DPO. Interpersonal skills: communication, negotiation, conflict resolution, ability to build working relationships.” The latter extended DPO roles to the Internet of Things. 

The decision lies with each organization: to find these required DPO skills in either a single person or several people, to locate them internally or outsource the role, and to manage this function under the CPO or let it operate independently. The requirements should now be clear; what remains to be seen is how each organization chooses to implement its own DPO role, and how that choice affects the likelihood of full compliance with the GDPR.




  • Emma Butler • Jan 25, 2017
    I'm afraid I have to completely disagree with several of your assertions in this post. It is absolutely not the case that a DPO has to be a lawyer, that they have to have IT programming or audit skills / experience. It is widely acknowledged, including by regulators, that one person alone cannot possibly fulfil all the obligations and meet all the requirements of the GDPR DPO. To achieve what GDPR requires will need cross-business collaboration led by the DPO. The DPO has always had to rely on technical expertise from other areas, such as IT, internal audit, marketing and legal, and works with these other business functions, rather than providing all the expertise themselves. It is also not the case that the GDPR DPO has to be in the EU. Neither the GDPR nor the Art 29 guidance require this.
  • Madelon Smith • Jan 25, 2017
    Thanks, Emma Butler - agreed
  • Carey Lening • Jan 30, 2017
    I think that to some degree, those requirements are ideals, rather than requirements. If the estimates are true, there will be 28,000 DPO positions opening up. And those folks must be EU-based.
    Doing a very quick search of a handful of countries, yields about 600 results on LinkedIn.
    That's nowhere near the numbers needed. Even if you factor all 28 EU countries in, I wager you're left with at least 27,000 positions filled. Something will have to give.
  • Leon Ravenna • Jan 30, 2017
    First of all, thank you for taking the time to put these down to review.  With so many DPOs needed it will be a difficult role to fill.  The clock is ticking and resource requirements are stiff.  However, providing ALL the requirements listed takes the available pool of candidates to about 200 globally (maybe).   You are correct that it can't be a junior resource and in fact it may need to be multiple senior level resources with focused skill sets.  I tend to see it being a very, very specialized Lawyer or IT/ Audit with a combination of security, privacy, global understanding and customer service/ negotiation skills.  Unfortunately, that doesn't broaden the field a great deal.  My hat is off to anyone who meets all the stated requirements.  I tend to see the first iteration as multiple specific skill sets working for a senior level resource.  Not ideal, but you aren't going to be able to hire someone who hits all the marks, get them up to speed to then implement before June '18.
  • Peter Westerhof • Jan 30, 2017
    I beg to differ from the comments by Butler and Smith. The above title clearly states 'Should Have', not 'Must Have'.
    Referring to the 'MoSCoW-rules' of the DSDM-methodology 'Should Have' should be interpreted as 'would probably be classed as mandatory in less time-constrained development, but the system will be useful and usable without them' [ref. DSDM Business Focused Development, 2nd Ed. 2002, Stapleton ed.]
    Translated for the above requirements I would say "The DPO has at least a 'foundation level' (ref. Cabinet Office & AXELOS) or better, of knowledge and experience and the capability of improving on those to practitioner level".
    Key in my opinion are a helicopter view, the ability to build bridges between experts and the personality to consolidate all necessary input into a time constrained approach and manage that.
    I know for a fact there are ample people qualified.
  • Roger Edwards • Jan 30, 2017
    Agreed. It does not have to be a lawyer, but as the DPO will be the primary contact for the regulatory personnel of the DPAs (many of whom may be lawyers) the data controller just has to be comfortable that the DPO has the professional judgment to balance the duty of candor to the regulator with the recognition that the manner in which the company's compliance achievements and challenges are communicated to the regulators will be a major element in determining the nature and amount of any penalties assessed ("good guy or bad guy"). Because the assessment is not likely to be a "check-the-boxes-and-bing-here's-your-fine-amount" exercise the DPO, as appointed leader of the company's compliance effort, must provide candid, revealing, information to the regulator while advocating for the company, all without inadvertently placing the company's efforts in a light that exposes it to the most punitive fine levels for any assessed violations. Agreed that if a company has the comfort that the appointed DPO will handle that duty in a calm professional manner, and not be at a negotiating disadvantage to the regulator's representatives, then it indeed does not need to be a lawyer. I don't believe that the role of a DPO can be delegated to another individual.
  • Greg Albertyn • Jan 31, 2017
    Completely agree...the GDPR in no way suggests the DPO has to be a lawyer. Indeed, the contextual reality of many organizations makes it that a lawyer is not the best choice for DPO.
  • Thomas Shaw • Feb 3, 2017
    The PA editor notified me that there were comments, not typical for my PA articles, and asked me to respond.  Let me first thank those who read the article and those who posted thoughtful comments.  Emma, I believe if you read the article again you will find it addresses your two points.  These are the required job skills of the DPO role and it is optimal to have as many as possible in a single individual, for obvious reasons of cost, communication, productivity, and responsibility.  While of course a DPO may rely upon technical skills of others, they must be sufficiently capable in all of these areas to provide an independent assessment.  I did not say the GDPR mandates that the DPO be in the EU, it is just common sense that the person negotiating with local DPAs is co-located in the same geography as the DPA and understands the culture, language, legal cases, and business norms of that member state.  Having practiced around the world I am often humbled by how little I truly understand the thinking and business approaches of the different cultures I work among.
    Leon, I agree currently there are not sufficient people who meet all of these requirements.  I am training technology and privacy-focused lawyers here in the EU but the experience gap itself takes years to fulfill and various more expensive stop-gap measures will likely be used in the early days.  Greg, I firmly believe that given no constraints of time, money, and resource, you want a technology and privacy-focused lawyer in the DPO role and that should be the starting point for organizations in their search.  Based on an organization’s unique individual constraints of time, money, and resources and willingness to accept the risk of significant penalties by under-spending on the DPO position, other choices are clearly possible, as I stated in the article.  As with any area of legal compliance, the most significant factors are the corporate culture and the tone set from the top of the organization.
    I have a number of reasons for believing that a technology and privacy focused lawyer is the ideal candidate for the DPO role, including all the reasons stated in the article plus issues like the advantages of legal privilege, competency and ethical mandates, and avoiding the unauthorized practice of law.  One point I will leave for consideration is that if the DPO is not a lawyer, this means that they are going to be leaning heavily on the corporate counsel but when doing so, are they still sufficiently independent?  Without the DPO’s ability to rely on their own legal, IT, audit, and risk evaluations and not merely accepting those from internal staff, it seems that it would be difficult to maintain the necessary independence and avoid all potential conflicts of interest.  That is why, for example, internal accountants prepare financial statements and licensed external accountants audit and opine on those statements, based upon their own independent professional judgment.  And so should the DPO.
  • Richard Cooke • Feb 7, 2017
    Consideration has been given to the selection criteria for a DPO including knowledge, professional qualities and abilities, as part of a wider study into the implementation of the GDPR provisions on the role of the DPO by the Centre for Information Policy Leadership in their whitepaper 'Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation'. The executive summary states: 'An overarching goal of the recommendations in this paper is to encourage a flexible interpretation of the DPO requirements to make them work for large multinational organisations, as well as SMEs, start-ups, NGOs and public authorities' and that '..the appointment of DPOs should be based on the specific requirements and needs of an organisation in terms of the skills and qualities required to fulfill the role of the DPO.' The paper is available here:
    Thomas cites two sources that were used to verify his list. The Article 29 Working Party reference is vague, but could in the context of this article be the WP 243 'Guidelines on Data Protection Officers ('DPOs')' and 'WP 243 Annex - Frequently Asked Questions'; as reported by the IAPP these are open for comment until 15 February.
    The second is the 'Professional Standards for Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001' published in 2010. As the title suggests this is concerned with DPOs working for the EU, and the selection criteria have been defined by the Network of DPOs for the needs of the EU institutions and bodies under the Regulation. Whilst it would be difficult to dispute the personal and interpersonal skills criteria, those for experience as defined by time in role (actually 3 or 7 years dependent upon data protection being defined as a 'core business' and also the volume of data being processed) have been drawn up by the Network to identify 'someone well qualified for appointment as DPO in an EU institution or body' and to perform duties as set out in Section 4 of the standard. Organizations should therefore consider their own needs, and based on this make an assessment of the experience and knowledge requirements for a DPO.
  • Emma Butler • Feb 13, 2017
    Based on Thomas' reply to my comment I am compelled to comment again. I think it is misleading and dangerous to suggest as you do that DPOs should be lawyers and that they should have all the requirements you list in your article. The 'we need a lawyer' myth is one I have been fighting against strongly in the last 5 years as uninformed hiring managers / companies see 'data protection law compliance' and think 'oh we must need a lawyer to deal with that then'. The CPO for Coca Cola is not a lawyer, neither are the heads of privacy for John Lewis, BT, Royal Mail, nor the head of DP EMEA for Fujitsu, nor the VP for privacy and technology at JP Morgan and I could go on to list hundreds of non-lawyer successful DPOs but you get the idea. I think it is a misinterpretation of the GDPR requirements to extrapolate the list in your article as what a DPO needs. Apart from the fact that you can probably count on one hand the number of people with everything you list, it's a completely unrealistic 'job description' to present, and risks not only disadvantaging good DPOs without all the requirements you list, but risks organisations trying to recruit people who don't exist. I recommend CIPL's paper on the DPO role for a balanced interpretation of the GDPR role based on actual experience of its member companies and its EU head (who was formerly the head of privacy for Accenture).
  • Stuart Ritchie • Feb 13, 2017
    Broadly concur with Thomas Shaw, who we should all thank for raising these issues in-our-face. That said, there are serious fundamentals everyone is missing, I imagine because few have seen the elephant in Court if it's screwed up. I have, and foresee a massacre if people recruit in anything but a "professional" manner. 
    The first point is that the number one requirement, set above all others, is professional qualities. On combining perusal of the recitals and general statutory and court interpretation, it is submitted this requires an individual human being with current or former membership of a regulated profession in which misconduct can result in permanent deprivation of livelihood by a professional body - for example, doctors, lawyers, accountants. 
    Alternatively, an individual human being who both can and has already satisfied such a body that they possess professional qualities. Such mechanisms are readily available - for example, the professional ethics examination I was required to pass when cross-qualifying for professional membership of another such body.
    Next, the matter of expertise in law. As it happens, I have some experience in this, having instructed sufficient experts in foreign law that I've had to draft templates to avoid reinventing the wheel. There are three sub-points here: (a) how to avoid instant fail in Court generally with experts in law; (b) the higher Court threshold required for DPOs than for other experts in law; (c) and the extraordinary disaster, unlike with any other expert, that will befall in litigation if the DPO cannot be proved, to the satisfaction of the Court, that the threshold is met.
    (a) In legal practice - private international law - I always would try to appoint a former judge in the relevant subject matter, or a very senior advocate in the subject matter, to be confident of success. A PhD might do the trick, but I'd be less confident. The absolute bare minimum, which I've never been sufficiently desperate to try, would be an LLM specializing in the subject matter. As an expert in law, the CV has to be plausible to a Court of, guess what, lawyers. Which leads to...
    (b) the extra threshold which a DPO has to pass is that generally at least three lawyers in Court, i.e. the two advocates and the judge, will themselves be expert in the same local law of which the controller claims their DPO is expert. They therefore will have considerably greater and innate skepticism, and permit rather more robust cross-examination, of an expert in local law than of other laws. As a conduct matter, experts normally are handled with kid gloves. Yet anyone lacking credibility as an expert, for example the classic "liar-for-hire", can be handled otherwise with the thorough approval of the Court. I have gotten away with handling certain experts, even medical experts, even professors, very roughly indeed.
    (c) Worst of all, the DPO will not be called as an expert in law, but as a witness of fact. So they can be handled without the gentleness accorded to experts. But the real killer (and why they will have to be called as a witness of fact), is that the question of the expertise is sufficient to lose the case for the controller irrespective of the primary pleadings in the case. Why? Because, my friends, a non-expert DPO in and of itself is conclusive of breach of the GDPR, irrespective of the "main" case. Sure it's only a slam-dunk 2% fine per se, but it's the spring-board for much worse, including a more general data subject right fine, followed by class actions. It's going to be an absolute massacre - so much so that I won't be feasting myself. Instead I'm teaching people how to comply now, and when May 2018 rolls around I'll be teaching others how best to feast. Sometimes it's sadistic fun being a lawyer.
    So, as Vladimir said, what is to be done? How do we find these superhuman paragons? We look for professional qualities by way of current or former regulated professionals, or those who've satisfied a regulated professional body. And we look for those with an LLM in a relevant field, or litigators in data protection law (note: traditional defense lawyers are non-optimal, prefer plaintiff lawyers because by definition they're one step ahead). As a stop-gap, proof of embarkation on an LLM ought to be sufficient to establish we're trying and nearly there. Which is huge mitigation. This is not rocket science: if you might be found liable, mitigate your quantum as much as you can. Plenty of universities already offer LLMs in data protection law to non-law honors graduates (including a vital preliminary pass-fail crash course in EU law, sorry but I doubt CIPP/E would cut it for a Court), and those that don't have been gearing up since 2015 to do it. 2 years part-time. And don't be frightened, it's much easier than a law degree or graduate diploma in law. Just get it done. In some countries (such as the UK) you don't even need a post-graduate honors year.
    Finally, abilities (I tend to regard "skills" as BS (business-speak) or HR-speak). I have a laundry-list of a few dozen items (evidenced by training and/or experience, Thomas admirably covers most of these), as well as a laundry-list of SLAs for externals and guidance of internals. However to me the most important of all is: mediation, which I regard as mandatory (Thomas partly covers this in respect of negotiation, which is half-way there). There are many obvious places in the GDPR where, if a DPO lacks mediation ability (plus either training or practical experience), they are bound to fail and fail miserably. 
    Pro tip: don't ever get HR involved in DPO recruitment beyond administrative assistance (not even clerical). You'll end up multiply breaching the GDPR, starting with the job description. If you wouldn't hand over to HR the recruitment of your entire Board, why would you hand them the recruitment of someone far more existentially dangerous? 
    I should say I'm not entirely shooting from the hip here: I've been considering these matters since the 2014 draft, and one of my course modules teaches it, and I've put in an 8-page submission to WP29 on, essentially, this.
    Post-script: I know only a handful of people around the world who could do the full-on EU DPO job almost straight away. They tend to be local lawyers in the continental EU (especially Germany) or second-career lawyers in the USA with an IT background (though the latter need a crash course in EU law because it's sui generis and even more alien to common lawyers as it is to civil lawyers). I'm not available because I'm too busy teaching this stuff (and grabbing suitable others to teach it)! Good luck out there...
  • Emma Butler • Feb 15, 2017
    Reply to Stuart Ritchie: wow. Spoken like a litigation lawyer! You have spectacularly missed the point of a DPO and their role. It is not first and foremost about representing the company in court. In fact, if the company is in the position where it's going to court, it has failed in its privacy responsibilities and needs a practitioner DPO sharpish! If you go to court you get in external counsel / a litigator; you hire a DPO for an entirely different role.
  • Thomas Shaw • Feb 15, 2017
    Hello Emma, the PA editor notified me again that there were further posts and asked me to reply. I guess controversy sells. I have to admit before your reply I was not aware of you but I see now that you are located in a country that will soon not be part of the EU. I am also guessing you are not a lawyer. The converse applies to me, just so I guess we are well positioned to see two sides of this. Most importantly, I want for you and others to understand this point from my article, that these are the JOB SKILLS of the DPO role under the GDPR (not existing legislation). It would be ideal if one person could fulfill this role but as you and others have noted, there are fewer of us out there, so organizations will have to undertake various techniques to address these job skills in the interim. Rather than targeting lawyers, I wish you would comment on the job skills. If we generally agree on those job skills for the DPO role under the GDPR (not under existing legislation), then it is merely a matter of how each organization fills those roles, one person or several, internal or outsourced. Which is exactly what I have now said twice, so I am not sure what it is we disagree on. Feel free to contact me privately and we can continue to work on our mutual consensus for this topic.
  • Thomas Shaw • Apr 12, 2017
    I wanted to add a new development.  In my article, I had argued that it made the most sense for the DPO to be located in the EU but one poster objected that the GDPR did not require that.  The Article 29 DP Working Party just released their revised April 2017 Guidelines on Data Protection Officers (DPOs).  In this, they added a new section which stated, although there may be exceptions, that “According to Section 4 of the GDPR, the accessibility of the DPO should be effective. To ensure that the DPO is accessible, the WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union.”
  • Tor Valstrøm • Apr 8, 2018
    Dear Thomas Shaw et al,
    First of all thank you for the great article with many relevant recommendations on DPO skills.
    As we now have several guidelines on the DPO role both from WP29/EDPB as well as national DPAs I would highly recommend the article wording be updated from "Summary of DPOs Required Job Skills" to "Summary of DPOs Recommended Job Skills"
    As Emma and others have pointed out, it is without a doubt not required for a DPO to be a licensed lawyer, however it may very well be a great asset.
    This statement as a requirement is confusing at best and may even be misleading amongst readers of the article, especially considering the important role iapp is playing for many organisations as a trusted source of information.
    Kind regards to all from Denmark,