Qualifications for DPOs

Articles 37-39 of the General Data Protection Regulation (GDPR) detail the requirements around the designation of a Data Protection Officer (DPO), as well as their position and tasks under the GDPR. While the GDPR does not define the professional qualities required or prescribe the training a DPO should undergo to be qualified to undertake the role, the Data Protection Commission (DPC) and the Article 29 Working Party (whose GDPR-related guidance was subsequently endorsed by the European Data Protection Board (EDPB)) have issued guidance on this matter. This allows organisations to decide on their DPO’s qualifications and training tailored to the context of the organisation’s data processing.

Relevant skills and expertise for the DPO role include:

  • Expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
  • In-depth understanding of how their organisation processes personal data;
  • Understanding of information technologies and data security;
  • Thorough knowledge of their organisation and the business sector in which it operates;
  • Ability to promote a data protection culture within the organisation.

Please see our note on qualifications for DPOs for more detailed guidance on this topic.

Guidance on Appropriate Qualifications for a Data Protection Officer (pdf)