How to Become a Data Protection Officer
Those who want to pursue a data privacy career path can consider becoming a data protection officer, or DPO. For many companies today, a DPO is a relatively new position. The reporting structure, responsibilities, and roles of a DPO have been defined by the EU’s General Data Protection Regulation, or GDPR.
The GDPR's requirement that certain organisations appoint a DPO has created market demand for individuals with the necessary experience and skill sets. It has also paved the way for many data protection courses. Many organisations have also assigned employees to act in that capacity without giving them the DPO title.
For small and mid-sized businesses, the responsibilities of a DPO tend to be added to those of an existing, well-qualified employee rather than creating a new position that requires a new hire. Larger organisations often create a full-time position for this important role.
Steps to Becoming a DPO
As with most data privacy jobs, a combination of experience and education is required to become a data protection officer. A commonly requested combination of education, career path, professional certifications and work experience is outlined below:
- Education. A BS or BA degree in computer science, information security, or a similar field. A bachelor's degree, or equivalent work experience, in compliance, information security, auditing, privacy or other related fields is also typically considered.
- Career Path. Promotion to a DPO may be on the cards for professionals with a decade of experience in different privacy disciplines like privacy law, information governance, information security, training and awareness, privacy program and policy, etc.
- Professional Certifications. One (or more) IAPP (International Association of Privacy Professionals) certifications such as CIPM, CIPP/E, CIPP/US may be required.
- Work experience. Desired work experience can include five or more years in compliance-related risk management or privacy positions. Consideration is often given to other relevant fields, such as business administration, finance or information technology, as long as the candidate can demonstrate their relevance to an information-security-based role.
What Data Protection Officers Do
Data protection officers are tasked with ensuring that the organisation adheres to the laws that protect personal data. DPOs are also responsible for educating the company and its employees about compliance, training staff involved in data processing, and conducting routine security audits.
DPOs act as the point of contact between the company and the supervisory authorities (SAs) tasked with overseeing data-related activities. They are also considered the organisation's privacy and data protection evangelists. Success in this position requires someone who is strong-willed and able to negotiate and find common ground among other leaders.
A DPO needs a thorough understanding of the GDPR and a legal background in the privacy arena. They also need verifiable privacy-related or security certifications. Existing relationships with the authorities that have jurisdiction over privacy and data protection are considered desirable.
Candidates for the position must also be able to demonstrate their ability to learn quickly. The position also requires someone with a quick grasp of company policies and practices that relate to the dissemination and consumption of personally identifiable information (PII).
The candidate also needs a proven track record in one or more of the areas of privacy advocacy, information security, cybersecurity, data protection and regulatory compliance. The responsibilities of a DPO include, but are not limited to:
- Providing in-house legal advice on data-sharing, transfer of data, and privacy by design
- Drafting, negotiating and reviewing commercial agreements that involve protected information
- Advising on and drafting data protection documentation, including due diligence for the GDPR or related legislation
- Providing support and guidance on data tracking and new compliance reporting requirements, and updating the internal codes of conduct
- Maintaining familiarity with all applicable laws