Question: I need to hire a data protection officer. What should I be looking for in a potential hire?
Tony Anscombe, global security evangelist and industry partnerships ambassador, Eset: The EU's General Data Protection Regulation (GDPR) requires companies to appoint a data protection officer (DPO). While not a requirement by all legislation, having a person responsible for data protection in an organization does bring ownership and authority to this important task.
What skills should you look for when recruiting a DPO? First, the person must understand the relevant legislation and what constitutes personal information so they can identify where data is being held and ask the crucial questions of why it was collected and whether it is still required.
Record-keeping (of audits, risk assessments, data access, monitoring, etc.) requires pragmatism – a key trait in a DPO. Yet this person must strike a balance between a pragmatic approach and also holding authority within the business, as the DPO role is also customer-facing. When consumers request copies or deletion of their data, the right processes need to be in place to deliver or delete as necessary.
Adding to these essential skills is the ability to educate employees on the correct methods for data processing and to educate the business on the reasons to comply. Last, an understanding is necessary of what technology is needed or available to protect the data.
In summary, look for a DPO who is a strong communicator and an independent worker, with legal knowledge and technical background, who can carry credibility and authority within the business.