ISACA Now Blog


GDPR: The Role of the DPO – And How to Find One in a Competitive Landscape

Michael Hughes, CISA, CGEIT, CRISC, board director of ISACA, partner with Haines Watts, head of governance, risk and compliance (GRC) and IT advisory service lines
Posted at 8:58 AM by ISACA News | Category: Privacy

GDPR (General Data Protection Regulation) introduces the new role of Data Protection Officer (DPO). While many organizations have had a role with this title under the existing EU Directive, member states had different interpretations of what it meant. GDPR takes the responsibilities of the DPO to another level.

To be able to effectively discharge the duties of the DPO, as outlined in Articles 38 and 39 of GDPR, the DPO needs to have a high authority in their organization, have a wide range of experience and be multiskilled, both technically and socially.

The requirement to appoint a DPO will mainly fall upon large corporations, government bodies, organizations in the health and social care sectors, financial institutions, and mostly organizations that are based in the EU.

However, small and medium enterprises (SMEs) may also need a DPO role, as they could be a key component in a large corporate or government organization’s supply chain. In these cases the DPO probably will not be a dedicated role, and the function could even be brought in as a managed service.

Also for the first time, an organization acting as an information processor under an outsourced, managed service, such as a cloud service provider arrangement, may need to consider the role of DPO.

This all means there is going to be a large requirement to recruit DPOs. There are many job adverts out there requiring X number of years of GDPR experience, but these people simply do not exist. Yes, there are many data privacy professionals out there, but the requirements of the GDPR go beyond this.

So, what makes a good DPO?
The DPO needs a mix of skills and experience extending from data privacy into information risk management, relationship management, persuasive/negotiating skills, and the ability to operate at the highest levels within an organization. DPOs will need to be able to communicate effectively across the whole of the organization, with the ability to articulate potential risk in business terms. The DPO needs to understand the risk to information and how to protect that information appropriately and adequately, in proportion to its level of risk, through people, processes and technology; related governance processes; and management controls.

The DPO’s initial primary focus will be to get his or her organization ready to be GDPR-compliant by the May 2018 deadline, when GDPR becomes enforceable. This will require engagement with all areas of the organization to obtain a good understanding of the information gathered, processed, stored and shared, with particular attention to Personally Identifiable Information (PII).

However, once the DPO has the organization GDPR-ready, the DPO can add real business value by taking a wider view of information governance. With this in mind, larger organizations should seriously consider developing the DPO role into the role of the Chief Data Officer (CDO).

Many of the skills, and much of the standing within an organization, that the DPO requires already belong to the role of the Chief Data Officer (CDO). While the role of the CDO is wider than that of the DPO, there are many similarities.

To sum up, there is a massive requirement to recruit DPOs with GDPR experience. As GDPR is only in its implementation phase, these people do not exist in the numbers required. Therefore, organizations need to take a more pragmatic view. Look at existing data protection professionals: can they be developed into the role of the DPO with training and coaching? Look at information risk and information governance professionals: can they be trained in data privacy? For the large corporates, look at the role of Chief Data Officer, and for SMEs, look at buying a managed service.


Simple and Useful

Thanks for writing this article in simple words. It is helpful to prepare for GDPR requirements.
Vaibhav Malhotra at 10/10/2017 1:20 AM

Simple and Useful

Thanks. As concrete as ever.
Orillo at 10/17/2017 1:30 AM

Excellent and informative.

Mike shares his vast and extensive knowledge and experience in this concise article on a complex and detailed matter.
Chris Billings, CISM, CISSP 18th Oct 2017.
Chris B at 10/18/2017 9:49 AM


Thanks Mike, an interesting take on where the DPO might end up in an organisation. I would challenge the CDO role as being wider than the DPO, but then it does depend on how you interpret the responsibilities of both.

Great article though, and certainly one that provokes more thinking in this area.
Lesley793 at 10/24/2017 5:38 AM