What Background Makes a Good DPO?

From The Critical Path Blog
Categories: communication

By Yunique Demann, Associate Director Risk – Data Privacy

The enactment of the EU General Data Protection Regulation (GDPR) formalized the role of the Data Protection Officer (DPO) to ensure there was a senior leader in the organization who was responsible and accountable for driving the privacy program and upholding the rights of data subjects and their data.

The role of the DPO is to implement a data protection strategy that aligns with GDPR and other privacy laws, supports business objectives and reduces risk. The DPO oversees the development, implementation and maintenance of data privacy and data protection policies. The DPO also ensures the organization processes the personal data of data subjects (employees, customers, and other individuals) in a compliant way that reduces the potential for data breaches and protects the data throughout its lifecycle with that business. DPOs should operate independently, with full support from executive management all the way through to the board.

As the need for privacy professionals increases, the pool of qualified individuals with the knowledge and capabilities comes largely from two groups: privacy lawyers/legal privacy professionals, and privacy professionals from an IT and/or security background. The privacy lawyer focuses on privacy laws and provides legal guidance and direction on compliance with those laws. IT/security privacy professionals have a good understanding of the law and can also provide guidance on implementation of privacy requirements. They usually have a deeper understanding of the security and risk factors associated with compliance based on their closeness with the business and can provide guidance on technologies, processes and procedures that support the security of processing.

Both are effective, approaching privacy from different perspectives, and both can function in the role of Data Protection Officer (DPO). An effective DPO does not need to come from a legal background, but a good understanding of law is a mandatory requirement for understanding privacy requirements.

There is another role that can become a DPO – compliance officer – but he or she must demonstrate independence when overseeing the privacy function. Under GDPR, the DPO must be free from conflicts of interest. In a recent case, the Belgian Data Protection Authority fined an organization €50,000 for failing to ensure the DPO was free from a conflict of interest. Therefore, in meeting requirements specific to GDPR, although the DPO may fulfill other tasks, the tasks related to compliance must not result in a conflict of interest.

The career trajectory for a privacy professional also can evolve into becoming Chief Privacy Officer (CPO). The person in this role should be comfortable with owning the privacy program as it pertains to developing policies and liaising with IT/security and vendor management. In this role, the IT privacy professional may have a head start, but this in no way excludes the privacy lawyer from creating these relationships and gaining the necessary knowledge.

With the introduction of ISACA’s new Certified Data Privacy Solutions Engineer (CDPSE) certification, privacy professionals have a new opportunity to assess their privacy-related skills against a new globally recognized standard. CDPSE is the latest credential from ISACA for those who participate in the design, implementation and management of technology solutions that store, process and transport personally identifiable information (PII).

Having a formal certification provides the external validation that those performing in the function as a DPO are qualified and meet a recognized criterion for managing a privacy program. IAPP and now ISACA are leading the way in developing internationally recognized certifications in this area, although there are multiple country regulation-specific certifications for privacy around the world.

As someone who has come from a security background, I have found my background has been a complement to my current role as a DPO and has helped me collaborate with the IT and security teams in supporting the privacy program. I choose to pursue additional post-graduate qualifications for navigating the different privacy laws and gaining legal skills. The certifications available now can better equip privacy professionals with the skills and knowledge they need to excel in their DPO roles.

Editor’s note: This post originally appeared on the ISACA Now blog. For more on ISACA’s new technical privacy certification, visit

Posted by Kimberly Whitby on: July 30, 2020 03:06 PM | Permalink
