Data Protection – ‘The Knowledge’ – Is your DPO incompetent?
I’ve just completed a Graduate Diploma in Law (GDL). I didn’t have to do this for any particular reason but I have always had a strong belief if you continue to invest in your own personal development throughout life you will become a greater asset. Plus, things are always changing so if you don’t keep learning you’re more likely to fall behind! So having now completed the GDL I’m a lawyer right! I now know all there is to know about the law! Send me into a courtroom so I can defend the innocent and vanquish the foes of justice!! Errr…of course not! But, subject to passing my final exams, the Bar Council and the SRA, have determined I will have the minimum level of knowledge to move to the next stage of legal training – the Practitioner stage. There is then an ‘apprenticeship’ stage (either Training Contract or Pupillage) and then you’re a qualified lawyer (I am summarising, it’s a lot more involved than this!). What I’m trying to get across though is there is a clearly defined route to becoming a lawyer. It is relatively easy for anyone to find out what that route is and what qualifications a lawyer must hold. For a Data Protection Officer, that’s not so clear.
It therefore begs the question “When hiring, how can an organisation determine a candidate has the minimum level of knowledge to act competently in their capacity as a Data Protection Officer?” and “If we don’t already have a Data Protection capability [that’s why we’re hiring someone in] how are we qualified to assess that competence?” The answer to these questions is currently “We can’t [effectively at least]. We are going to have to rely on some form of external support.“
This article looks at the different approaches organisations can take when assessing the competence of potential DPO candidates. There is, of course, no single right way to hire a Data Protection Officer but hopefully, this will go some way to mitigating the risk of hiring someone who is wholly unfit – someone who is going to end up missing something which leads to regulatory censure, administrative fines and loss of business! The approaches discussed are not particularly groundbreaking but are definitely better than winging it!
The General Data Protection Regulation (GDPR) requirement
GDPR does give guidance in terms of what is required of a Data Protection Officer in Article 37(5) where it states “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” Article 39 being the tasks of the DPO. Recital 97 expands stating “the necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed“. The Article 29 Working Party Guidance on Data Protection Officers goes a little further adding “DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.“
What does this all mean?
Great, what does this all mean to an organisation trying to hire? The first thing to appreciate is the regulation is high level, suffice to say an organisation must designate their DPO based on the professional qualities, expert knowledge and ability to perform the tasks required of a DPO. How can these individual components be assessed? Well, let’s look at three simple ways organisations can improve the likelihood of getting a competent DPO through the door…
Reliance on Data Protection Qualifications
There are many data protection qualifications available to those aspiring to become a Data Protection Officer – not all are created equal. Qualifications that offer all the following are the qualifications an organisations should rely most upon for gauging the competency of a candidate, the components are:
- Publically available syllabus (so it can be critiqued by a wide range of experts – it’s not a secret or confidential document)
- List of those involved in the creation of the syllabus and their experience (after all you need that syllabus to be developed by experts in the field)
- Summative assessment (e.g. an Exam) to assess learning objectives have been met.
- Independence of qualification body from training providers (it’s imperative the training provider cannot influence the difficulty of the assessments in order to get a higher pass rate.
- Multiple training providers offering the same qualification. (This gives choice and competition, which in turn should improve the quality of teaching)
- Qualification has a re-qualification requirement (to ensure qualification holders maintain a current level of knowledge, not just a single point in time)
- Ongoing resource and support (e.g. research papers and conferences)
- Independently audited to a recognised education standard (e.g. ISO 17024:2012) and have their 17024:2012 certificate published!
From a professional qualifications perspective, the IAPP data protection qualifications (CIPP/E, CIPM, CIPT) offer all the above, which is why they are the most heavily relied upon by employers. There are also rigorous academic qualifications such as the Cyber Security, Privacy and Trust Masters Programme at the University of Edinburgh or the Data Protection Law and Information Governance Postgraduate Certificate at Northumbria University. Holders of one of these academic qualifications are highly likely to have the expert knowledge required of a Data Protection Officer.
Not all qualifications are created equally
If your candidate doesn’t hold one of the above qualifications, that’s not to say they aren’t competent, it’s just less likely they will be able to demonstrate competence. Without access to the syllabus, for example, it would be nigh on impossible to know if their qualification fully covers the substantial body of knowledge a DPO needs to have in their head. The other key thing to bear in mind is that a qualification on its own will never totally demonstrate competence. What a good qualification will do is give you as an organisation the comfort your candidate has the minimum level of knowledge required to act as a Data Protection Officer. What a bad qualification does is make it appear a person has the minimum level of knowledge when they don’t – and you don’t want someone as you DPO who truly believes they are competent [because they hold a bogus qualification] when they are not!
Reliance on a Data Protection expert on your interview panel
Don’t give up on Experts!
Once you have sifted through your applicants to identify those who have (on paper) the minimum level of knowledge, the next stage is to get a shortlist of candidates in for interview to assess competency and cultural fit. If you’re hiring a DPO for the first time then procuring the services of a Data Protection expert to sit on your interview panel is an excellent way to bridge that internal knowledge gap. The format would look like this:
- Three-member panel (Hiring Manager, DP Expert, HR Representative)
- Hiring Manager assesses knowledge of the organisation and its data processing
- HR Representative assesses cultural fit
- DP expert assesses competency to act in the role of a Data Protection Officer
- DP and HR provide their feedback to the hiring manager who then makes a decision on the most suitable overall candidate.
By introducing a third party expert, organisations are more likely to avoid a costly hiring decision by hiring a candidate who has the minimum level of knowledge but doesn’t have the competency to effectively apply that knowledge in hypothetical situations.
Reliance on a third party mentor during the DPO’s probation period
Once a DPO has been hired the competency assessment process cannot stop at the point of signing their employment contract. The DPO must now undergo a period of probation where they [truly] demonstrate their competence on-the-job. Similar to the interview process the challenge remains if the new DPO is the sole expert, who is going to assess whether they are doing the job competently? Again, this is where an external Data Protection expert can act as a mentor for the new DPO. The Data Protection mentor can:
- Define or validate the new DPOs Key Performance Indicators (KPIs)
- Support performance monitoring Assessing the DPOs competency during the probation period against those KPIs.
- Provide a formal performance assessment to support the hiring manager when determining if the DPO should move out of their probation period.
This approach greatly aids the hiring manager’s decision making process by having an expert opinion to rely upon when it is highly unlikely they will have the required expertise.
There is no doubt that most, if not all, organisations are now data-driven and therefore a Data Protection Officer is highly likely to be a key hire. Due to the specialist nature of the role it’s also highly likely there isn’t someone in your organisation who can effectively assess a prospective candidate’s competence. Relying on qualifications (and maybe what’s on their CV) is a good start but it’s just a start. Getting a Data Protection expert on your interview panel, then getting an expert to provide ongoing support and mentoring during the new DPOs probation period (and potentially beyond) is going to do a lot more to mitigate the potential costs associated with hiring an incompetent DPO.
About the Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 25 article 28 awareness bcms breach change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership management Outsourced DPO Privacy processor resilience risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso vulnerability scanning