What sort of person should you be appointing as your DPO, and how should you go about the process?
As the General Data Protection Regulation (GDPR) requires certain organisations to appoint a Data Protection Officer (DPO), we have unsurprisingly seen many businesses taking the steps needed to ensure they will be compliant come 25
th
May 2018.
To tackle GDPR effectively, you need to ensure that you have the right person in the position of DPO to deal with all matters of data protection, ensure you are and continue to be compliant, and develop an ethical culture of data processing within your business. We outline some of the key things you should be looking for from a candidate, and how to go about interviewing them.
Creating the role
It goes without saying that you’ll be looking for someone with an expert knowledge of data protection laws and practices. A successful candidate needs to have a thorough understanding of GDPR, and ideally previous data protection laws as well. The guidelines for GDPR don’t specify any formal qualifications needed to become a DPO, and in our opinion actual hands on experience is as important as qualifications if you are to get the right candidate.
In an ideal world you’d be able to recruit somebody with 5-7 years of experience, who can demonstrate that they have created data privacy policies and programs and embedded these within a business, as well as carrying out data privacy impact assessments. In the current climate this could be difficult though, as the demand for DPOs far outweighs the amount of available DPOs out there, so you may need to carefully consider the level of experience needed for the role you are hiring.
Of course, for larger firms you are going to need somebody with a good level of experience, but depending on the level of risk facing your business you may be able to start with somebody less experienced and invest in that person within the role. Be prepared to resource some external support though to ensure you are still getting the advice you need to ensure compliance.
When it comes to setting out the duties for the role, it’s going to very much depend on the size of your business. If you have decided that you require a dedicated DPO, then the duties need to be comprehensively focused around data protection. The person needs to be able to set strategy, create policies and make them relevant to your business, understand how to evaluate risk within your business from a data point of view, and educate your employees (and potentially customers) on matters of data protection. They should be able to respond quickly to subject access requests, data breaches and complaints, and continually monitor policies and the effectiveness of your data privacy programs.
In addition, there are going to be a variety of characteristics you’ll be looking for from a DPO, including strong communication skills, the ability to organise well, a keen attention to detail and the capacity to work independently and impartially to name but a few.
Interviewing a candidate
To find the right person to fill a hugely important role within your organisation, you will need to make sure that you get the interview process right and that you’re asking the right questions to assess a candidate’s suitability.
Essentially what you’re trying to find out is how much hands-on data privacy experience they’ve had in terms of establishing policies, implementing programs, and rolling out training within a business.
It would be wise to keep an open mind and be prepared not to find somebody who can tick every single box you’re looking for, as it’s unlikely you’ll be able to find a candidate who has experience of everything on your wish list. Consider what the absolute deal breakers are, but give yourself some flexibility. Look at the person in front of you and consider how much they could bring to your team and business on a whole.
Some things you may want to try and find out about the candidate during the interview process include:
- What is their understanding of current security and technology issues and how they relate to Data Protection?
- What are their interpersonal skills like?
- Are they a business enabler? (To test this, you could ask for examples of times that they have added value to a project, brought innovative ideas, or made a process more efficient.)
The one area that is crucial to almost every aspect of the DPO role is that they can relate well to people right across your business. You need to find somebody who can engage constructively and let people know that they are on their side, so find ways to test this in a candidate. You could find someone who knows the law inside and out, but if they can’t communicate it to the wider business then this could create a poor relationship with the DPO role and data privacy in general.
