How should the qualifications of a candidate for the role of DPO be assessed?
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 of the GDPR (Article 37(5) of the GDPR).
The required level of the DPO's expertise is not strictly defined, but pursuant to the Guidelines on Data Protection Officers it must be commensurate with the sensitivity, complexity and amount of data an organisation processes. A higher level of expertise should be required, for example:
- where a data processing activity is particularly complex,
- in case of processing of a large amount of special categories of data,
- in case of entities regularly transferring data to third countries.
The DPO must have expertise in national, European and sectoral data protection laws and practices and an in-depth understanding of the GDPR. At the same time, he/she should also have a good understanding of:
- the processing operations, the information systems and the safeguards in place at the controller,
- the sector in which the controller operates,
- the administrative procedures and the functioning of the entity.
As for the personal qualities that qualify a person to perform the function of DPO, these are integrity and high professional ethics.
Assessing a person's competence to fulfil the tasks requires taking into account the nature and scope of the DPO's tasks. Pursuant to the provisions of the GDPR, the DPO will have, inter alia, the duty to identify, communicate and advise on the various obligations imposed under the GDPR on the controller and the processor (in each case including management and all persons processing personal data). Specific substantive preparation is required to advise the controller and processor on the data protection impact assessment (for more on the role of the DPO in the data protection impact assessment, please see the Art. 29 Working Party's Guidelines on Data Protection Officers (DPOs) and the Art. 29 Working Party's Guidelines on Data Protection Impact Assessment). An important task of the DPO is the obligation to act as the contact point for the supervisory authority (Article 39(1)(e) of the GDPR) and as the contact point for data subjects (Article 38(4) of the GDPR).
In its Guidelines on Data Protection Officers (DPOs), the Article 29 Working Party indicates, with regard to the DPO's ability to fulfil his/her tasks, that the DPO's primary concern should be enabling compliance with the GDPR. The DPO is therefore expected to play a key role in fostering a "data protection culture" and to help implement essential elements of the GDPR, such as:
- the principles of personal data processing,
- the data subjects’ rights,
- data protection by design and data protection by default,
- records of processing activities.