Due to news events yesterday, I’ve had another look at the law on data protection officers (DPOs). Data protection officers are required by organisations that by virtue of their nature, their scope and their purpose require regular and systematic monitoring of data subjects on a large scale or the processing on a large scale of special category data. Public sector bodies also require DPOs.
The law implies that the data protection officer is the Supervisor’s person in the organisation and that their accountability, like that of compliance departments, is to the law and not the bottom line. They must also be protected against dismissal for doing their job.
The skills and experience required of a data protection officer are laid out in the GDPR and the UK’s Data Protection Act 2018. The GDPR specifies the skills and experience required in Article 37.5. The UK’s Data Protection Act 2018 states the UK requirements in paragraphs 69–71. They both state the requirement of expertise in both the law and data protection practice. The latter requires knowledge of cyber-security techniques and standards and data administration skills. These are IT industry skills.
I ask, is it easier to teach a lawyer the significant technical skills required to assess effective cyber security policy, or easier to teach a cyber security expert the law?
While the UK is no longer a member state, and thus the jurisdiction of the GDPR may be questioned, the UK’s time-bound adequacy agreement requires that data subjects have access to independent assessment and remediation of their complaints. The expertise, job security and accountability of companies’ data protection officers are part of that guarantee.
Originally published at https://www.linkedin.com.