What skills should Data Protection Officers have?

Willem De Beuckelaere, the President of the Belgian Privacy Commission, gave the closing remarks yesterday (26/04/18) at the Cyber Security Coalition’s event in Brussels.

An element of uncertainty in the data privacy industry is the GDPR’s requirement for certain organisations to appoint a DPO. The IAPP has predicted that the world needs 75,000 Data Protection Officers but given the general lack of cyber security skills on the labour market, it’s not clear where these people will come from.

De Beuckelaere highlighted the role’s importance for organisations seeking to achieve GDPR compliance: “The most important tool will be the human tool: the Data Protection Officer. We know today that we need transparency with communication and technology; a legal perspective alone is not enough for compliance in a multidisciplinary world. The person performing the role should be a multidisciplinary expert. I am a lawyer, so I will not do a Shakespeare and say let’s kill all the lawyers, but lawyers should be prepared to step aside and assign duties to communications experts and IT teams”.

De Beuckelaere’s forthright declaration certainly stirred the attention of the audience. His statement was a strong put down for legal professionals selling themselves as omnipotent GDPR authorities.

I asked how he saw this playing out in practice: “What skills should the DPO have? If it shouldn’t be a lawyer, how do you stop lawyers from cannibalizing the profession?”

He responded: “It’s impossible for one person to have all the relevant knowledge necessary to perform the role, what you need is someone who can connect them. I divide the skills into four quadrants: IT, Legal, Internal Communications (project management) and Communications (customer service/public relations). Good ethics are also vital: the DPO needs to be a highly ethical person. Another added bonus is to have someone who understands how the organisation works. I suggest that companies look after their people!” De Beuckleaere later added that he probably should have added another role the DPO needs to take on: that of diplomat!

A follow-up question came from the audience: “So should the DPO be a restricted profession?”

De Beuckelaere: “I don’t know. It’s a very difficult position, hopefully the jurisprudence will give us some guidance. But DPOs should certainly be protected in order to do their jobs”.

So should lawyers really be cut out of the picture? Not entirely, the GDPR is clear that DPOs should have expert knowledge of data protection law, and there are elements of compliance that are impossible without legal expertise. De Beuckelaere’s remarks were presumably intended to encourage organisations into taking a more holistic approach to compliance, rather than hoping the legal department or some magic tool could make it all go away.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *