Project Management

What Background Makes a Good DPO?

From The Critical Path Blog
Categories: communication


By Yunique Demann, Associate Director Risk – Data Privacy

The enactment of the EU General Data Protection Regulation (GDPR) formalized the role of the Data Protection Officer (DPO) to ensure there was a senior leader in the organization who was responsible and accountable for driving the privacy program and upholding the rights of data subjects and their data.

The role of the DPO is to implement a data protection strategy that aligns with GDPR and other privacy laws, supports business objectives and reduces risk. The DPO oversees the development, implementation and maintenance of data privacy and data protection policies and ensures the organization processes personal data of data subjects (employees, customers, and other individuals) in a compliant way that reduces the potential for data breaches and protects the data throughout its lifecycle with that business. DPOs should operate independently, with full support from executive management all the way through to the board.

As the need for privacy professionals increases, the pool of qualified individuals with the knowledge and capabilities comes largely from two groups: privacy lawyers/legal privacy professionals and IT privacy professionals from an IT and/or security background. The privacy lawyer focuses on privacy laws and provides legal guidance and direction on compliance with those laws. IT/security privacy professionals have a good understanding of the law and can also provide guidance on implementation of privacy requirements. They usually have a deeper understanding of the security and risk factors associated with compliance based on their closeness with the business and can provide guidance on technologies, processes and procedures that support the security of processing.

Both roles are effective and approach privacy from a different perspective, and both can function in the role of Data Protection Officer (DPO). An effective DPO does not need to come from a legal background, but a good understanding of law is a mandatory requirement for understanding privacy requirements.

There is another role that can become a DPO – compliance officer – but he or she must demonstrate independence when overseeing the privacy function. Under GDPR, the DPO must be free from conflicts of interest. In a recent case, the Belgian Data Protection Authority fined an organization €50,000 for failing to ensure the DPO was free from a conflict of interest. Therefore, in meeting requirements specific to GDPR, although the DPO may fulfill other tasks, the tasks related to compliance must not result in a conflict of interest.

The career trajectory for a privacy professional also can evolve into becoming Chief Privacy Officer (CPO). The person in this role should be comfortable with owning the privacy program as it pertains to developing policies and liaising with IT/security and vendor management. In this role, the IT privacy professional may have a head start, but this in no way excludes the privacy lawyer from creating these relationships and gaining the necessary knowledge.

With the introduction of ISACA’s new Certified Data Privacy Solutions Engineer (CDPSE) certification, privacy professionals have a new opportunity to assess their privacy-related skills against a new globally recognized standard. CDPSE is the latest credential from ISACA for those who participate in the design, implementation and management of technology solutions that store, process and transport personally identifiable information (PII).

Having a formal certification provides the external validation that those performing in the function as a DPO are qualified and meet a recognized criterion for managing a privacy program. IAPP and now ISACA are leading the way in developing internationally recognized certifications in this area, although there are multiple country regulation-specific certifications for privacy around the world.

As someone who has come from a security background, I have found my background has been a complement to my current role as a DPO and has helped me collaborate with the IT and security teams in supporting the privacy program. I choose to pursue additional post-graduate qualifications for navigating the different privacy laws and gaining legal skills. The certifications available now can better equip privacy professionals with the skills and knowledge they need to excel in their DPO roles.

Editor’s note: This post originally appeared on the ISACA Now blog. For more on ISACA’s new technical privacy certification, visit www.isaca.org/cdpse.


Posted by Kimberly Whitby on: July 30, 2020 03:06 PM | Permalink

Comments (1)

Eduin Fernando Valdes Alvarado Project Manager| F y F Fabricamos Futuro Villavicencio, Meta, Colombia
Thanks for sharing
