Guidance on appropriate qualifications for a Data Protection Officer (GDPR)

Article 37.5 of the GDPR provides that a Data Protection Officer “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”

The GDPR does not define the professional qualities required or prescribe the training a DPO should undergo to be qualified to undertake the role. This allows organisations to decide on their DPO’s qualifications and training tailored to the context of the organisation’s data processing.

The appropriate level of qualification and expert knowledge should be determined according to the personal data processing operations carried out, the complexity and scale of data processing, the sensitivity of the data processed and the protection required for the data being processed.

For example, where a data processing activity is particularly complex, or where a large volume of data or sensitive data is involved (e.g. an internet or insurance company), the DPO may need a higher level of expertise and support.

Relevant skills and expertise include:

  • expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
  • understanding of the processing operations carried out;
  • understanding of information technologies and data security;
  • knowledge of the business sector and the organisation; and
  • ability to promote a data protection culture within the organisation.

For example, a DPO may need an expert level of knowledge in certain specific IT functions, international data transfers, or familiarity with sector-specific data protection practices such as public sector data processing and data sharing, to adequately perform their duties.

Taking into account the scale, complexity and sensitivity of their data processing operations, organisations should proactively decide on the qualifications and level of training required for their DPO.

In undertaking such an assessment, organisations should be aware that there are various training options that may be pursued. Some training courses are one-day sessions, while some are online only. Others lead to academically accredited certificates such as diplomas from national law societies. There are also other professional training programmes which are recognised internationally and that offer professional qualifications that require an ongoing commitment to training in order to maintain the professional qualification.

The Data Protection Commission recommends that the following non-exhaustive list of factors be taken into consideration when selecting the appropriate DPO training programme:

  • the content and means of the training and assessment;
  • whether training leading to certification is required;
  • the standing of the accrediting body; and
  • whether the training and certification are recognised internationally.

In any case, a DPO should have an appropriate level of expertise in data protection law and practices to enable them to carry out their critical role.