Should the DPO be appointed based on the same qualifications as the administrator of IS?
The requirements for data protection officers set by GDPR are similar to those previously set for the administrator of information security (IS), but they are not identical. According to Art. 36a(5)(2) of the Act on the Protection of Personal Data, a person appointed to the position of administrator of information security should have appropriate knowledge in the field of personal data protection. However, GDPR in Art. 37(5) stipulates ,,The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”.
The level of expert knowledge required from the DPO in not explicitly specified anywhere, but according to the Guidelines of the Article 29 Working Party on Data Protection Officers (WP 243), it should be commensurate with the nature, complexity and amount of data processed within the unit. A higher level of knowledge should be required, for example, in the case of exceptionally complicated processing operations, processing large amounts of special categories of data, entities regularly transferring data to third countries.
The data protection officer should have appropriate knowledge of national, European and sectoral regulations and practices in the field of personal data protection, as well as a thorough understanding of the GDPR. At the same time, the DPO should have sufficient knowledge about: processing operations, IT systems and safeguards used by the controller, the sector in which the controller operates, administrative procedures, and the functioning of the unit.
Evaluating the skills to perform tasks requires considering the nature and scope of the officer's tasks, several of which are new compared to the requirements for the the administrator of information security. According to the GDPR, the officer will have, among others, the obligation to identify individual obligations imposed by GDPR on the data controller (including management and all persons processing data) and the data processor (including management and all persons processing personal data), to inform about them and to advise on these obligations. Special substantive preparation will be required to provide the data controller and data processor with recommendations on data protection impact assessments (more about the role of the officer in the data protection impact assessments in the Guidelines of the Article 29 Working Party on Data Protection Officers (WP 243) and in the Guidelines of the Article 29 Working Party on the data protection impact assessments). A new, important task will be the obligation to act as a contact point for the supervisory authority and a contact point for data subjects (Art. 38(4) GDPR).
The Article 29 Working Party in the Guidelines on Data Protection Officers regarding the skills to perform the officer's tasks indicates that his/her priority should be to ensure compliance with the regulation. Therefore, the DPO is to play a key role in fostering the "data protection culture" and helps to implement essential elements of the GDPR, in particular new obligations such as data protection by design and by default, records of processing activities, and notification and communication of data breaches.
The importance of expert knowledge in the field of law and practices has been further emphasised by the obligation of data controllers and data processors to provide the data protection officer with resources necessary to maintain a high and current level of knowledge (Art. 38(2) GDPR). Although the General Data Protection Regulation strongly emphasises the knowledge and professionalism requirement for the DPO, it does not regulate the rules or procedures for verifying compliance with this requirement. Nevertheless, certificates, diplomas, and other documents certifying the knowledge and experience of the officer will undoubtedly in most cases be an important qualification criterion and an argument in favour of the person appointed to perform this function.