
DPO Handbook
Data Protection Officers Under the GDPR, Second Edition

Thomas J. Shaw, Esq.

© 2018 Thomas J. Shaw
Published by the International Association of Privacy Professionals (IAPP)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without the prior, written permission of the publisher, International Association of Privacy Professionals, Pease International Tradeport, 75 Rochester Ave., Suite 4, Portsmouth, NH 03801, United States of America.

Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This book is intended for educational and informational purposes only.

Copy editor and Proofreader: Deirdre Fulton McDonough

ISBN: 978-1-948771-21-4


Contents

Foreword . . . vii
Dedication . . . xi
Acronyms Used . . . xiii
About the Author . . . xv

Chapter 1: Introduction to the DPO Role
1.1 Is a DPO Required? . . . 2
  1.1.1 GDPR — Mandatory and Voluntary DPOs . . . 2
  1.1.2 DPO Role — What Are Organizations Thinking? . . . 4
1.2 The Skills and Professions Of a DPO . . . 9
  1.2.1 DPO Skills . . . 9
  1.2.2 DPO Professions . . . 16

Chapter 2: Initiating the DPO Role
2.1 Defining the Role and Outsourcing . . . 24
  2.1.1 Defining the Role . . . 24
  2.1.2 Outsourcing . . . 29
2.2 First Tasks of the DPO . . . 40
  2.2.1 Start-Up Tasks . . . 41
  2.2.2 Data Protection Policy and Data and Processing Inventory . . . 44

Chapter 3: DPO Tasks — GDPR Compliance
3.1 GDPR Compliance — Controllers and Processors . . . 56
  3.1.1 Data Processing Obligations . . . 57
  3.1.2 Data Subject Rights . . . 66
  3.1.3 Security and Breach . . . 71
  3.1.4 Other Obligations . . . 74
  3.1.5 Other Statutes . . . 76
  3.1.6 Processors under the GDPR . . . 80
  3.1.7 Processor — Controller Agreement . . . 82
3.2 GDPR Compliance — Assessments, Audits, Certifications . . . 83
  3.2.1 GDPR Compliance High-Level Checklist and Questions . . . 84
  3.2.2 GDPR Initial Assessment and Audits . . . 87
  3.2.3 Certification under GDPR and Codes of Conduct . . . 92

Chapter 4: DPO Tasks — Risk and DPIAs
4.1 Risk . . . 96
  4.1.1 ISO 27005 . . . 97
  4.1.2 Risk in the GDPR . . . 107
4.2 Data Protection Impact Assessments . . . 109
  4.2.1 GDPR . . . 109
  4.2.2 Methodologies . . . 112

Chapter 5: DPO Tasks — Technical Assessments
5.1 Information Security and Anonymization . . . 124
  5.1.1 ISO . . . 126
  5.1.2 NIST . . . 132
  5.1.3 Anonymization . . . 135
5.2 Data Breach and Privacy by Design . . . 137
  5.2.1 Data Breach . . . 138
  5.2.2 Privacy by Design and Default . . . 147

Chapter 6: DPO Tasks — Outside the EU
6.1 Transferring Data Outside the EU . . . 158
  6.1.1 Adequacy and Derogations . . . 158
  6.1.2 SCCs and BCRs . . . 162
6.2 Non-EU Controllers and Privacy Laws . . . 165
  6.2.1 Controllers Not in the EU . . . 165
  6.2.2 Other Countries’ Privacy Laws . . . 170

Chapter 7: Putting It All Together — Example Scenarios
7.1 Leaping Unicorns Ltd. — SME . . . 178
  7.1.1 Leaping Unicorn’s Situation . . . 178
  7.1.2 Introducing/Initiating the DPO Role . . . 179
  7.1.3 Assessing GDPR Compliance . . . 181
  7.1.4 Technical Assessments . . . 184
  7.1.5 Data Transfers . . . 186
7.2 Exhilarating Elephants Inc. — Multinational . . . 188
  7.2.1 Exhilarating Elephants’ Situation . . . 188
  7.2.2 Introducing/Initiating the DPO Role . . . 189
  7.2.3 Assessing GDPR Compliance . . . 190
  7.2.4 Technical Assessments . . . 194
  7.2.5 Data Transfers . . . 198

Appendix A: Various Topics for DPOs
Outsourcing Your DPO: Real-Life Scenarios . . . 201
  Vulnerability Testing . . . 201
  Photographic Images . . . 202
  Unified Consent . . . 203
  App Developer . . . 204
Subject Access Requests Under the GDPR — Uses in Litigation . . . 205
Legal Response to Data Breaches in the Cloud . . . 208
Consent to Children’s Data — Is It Legal? . . . 213
  The Law . . . 213
  The Forms . . . 215
  Conclusion . . . 216
EU Data Transfers to the U.S. — Model Clauses but Why? . . . 216
Schrems II – Facebook’s Request to Appeal . . . 220
The referred questions on model clauses and the Privacy Shield — Schrems II . . . 223
Excessive Personal Data — Who Decides? . . . 228
  The Law . . . 229
  A Test . . . 230
  Application . . . 231
DPOs and Data Protection Policies . . . 232
  The Provisions . . . 233
DPOs and EU Copyright Law . . . 237
  EU Copyright Law . . . 237
  Revised Copyrights Directive . . . 238
  DPOs’ Focus for Copyrights . . . 239

Appendix B: Table of Authorities
Cases . . . 241
Statutes . . . 241
Guidance . . . 242
Standards . . . 245
Opinions . . . 246

Foreword

This book arises out of a series of articles I wrote about and experiences I have had in the role of data protection officer (DPO) under the EU’s new General Data Protection Regulation (GDPR). While the GDPR has mandated this role in certain circumstances and at a high level specified the tasks that must be performed, it has left much unsaid. The Article 29 Data Protection Working Party (WP29) and its successor the European Data Protection Board (EDPB), and various EU data protection authorities have tried to provide some guidance, but many key questions about how to perform the role remain. This book is an attempt to fill these gaps and explain to a new or experienced DPO how to perform their role.

It is important to understand that this book is written as a manual of first impression, based upon the author’s experiences in this industry across the world for the last three decades. However, the book is being written about a new role under a new legal statute that is only recently coming into force. No one really has much experience with this role under this statute. As such, some interpretations must be made on a projected trajectory that will be recalibrated as DPOs gain experience under this new regulation. As such, I expect there to be frequent and perhaps substantial revisions to this book as time goes on and very much welcome constructive input from those in the profession about topics needing more clarity or focus.

It is also important to understand that this book is written by referring to two other related books by the author that have deeper explanations for those who wish to acquire such knowledge. While this book has the essential information to perform the DPO role, these two other books will greatly enhance the DPO’s knowledge and ability to perform their role. The first is Information and Internet Law — Global Practice for those wanting to understand all the privacy, information security, data breach, cybercrime, messaging, surveillance, internet access and content, e-commerce, and online intellectual property laws around the world.


The second is Emerging Technologies Law — Global Practice for those wanting to understand the legal issues surrounding more than 30 emerging technologies from a global perspective, from social media, mobile computing, and cloud computing to robots, drones, blockchains, 3D printing, virtual currencies, augmented reality, artificial intelligence, and the internet of things. Both books are referenced throughout this book when further knowledge is important.

The audience for this book is anyone who undertakes the DPO role under the GDPR. This includes those who take on the role full time or part time, those who are hired into the role or who move laterally into it, those who are taking it on in addition to other organizational functions or for whom it is the only role, those who are in the private sector or government, and those who are doing it as an employee of a company or as an outsourced service provider. There is no specific training or profession that this book applies to, as whomever an organization determines to be qualified to be a DPO is the target audience.

The intended use of this book is to provide an overall guide to new and experienced DPOs to fulfill their role from a high level. There are specifics of each situation, industry, system, and technology that require customization by the DPO to perform their role. In addition, this is not a legal guide that addresses any specific case. DPOs should first read the GDPR in detail for the needed clarity, and if that is not sufficient, then legal guidance should be sought from an appropriate lawyer. The same applies to being able to audit various aspects of systems that are required to be compliant. If the DPO cannot find sufficient evidence to support compliance, audit guidance should be sought from an appropriate audit professional.

This book was written in a relatively short period of time to ensure its availability before the GDPR comes into force. As such, it may temporarily contain errors or omissions that I would ask readers to kindly notify me of. Also, while the specifics of the GDPR are covered, for each rule there are many exceptions and qualifications. These may apply to only a smaller number of situations and as such are not discussed herein. The goal is to deal with the vast majority of situations DPOs encounter. Certain areas are not covered, such as data about criminal justice or member state statutes and restrictions.

While this book is naturally written within the EU focusing on EU law, I have tried to bring a global perspective. Having lived and worked outside the United States for the last quarter century in all three parts of the global triad while practicing across many related disciplines, I have tried to bring a global viewpoint and multidisciplinary approach to this discussion of international statutes, cases, and guidance. DPOs will not only be based in the EU but also located globally. The law that DPOs will need to deal with is not only the GDPR but their local privacy laws.

The chapters in order cover whether a DPO is required and the skills and professions that are best suited for the role; structuring and initiating the DPO role; GDPR compliance for controllers and processors; understanding risk and data protection impact assessments; technical assessments DPOs are involved with for information security, data breach response, and privacy by design; the mechanisms for transferring personal data outside the EEA and when controllers, processors, or DPOs operate outside the EU; and two example scenarios of a DPO in action using these varied techniques. Appendix A contains articles that would be of interest to a DPO and Appendix B a table of the authorities referenced.

A brief word about the original cover image created for this book. It was designed to reflect the four principal stakeholders a DPO is responsive to: the board of directors/highest levels of management, the business/support units of controllers and processors, data protection supervisory authorities, and data subjects who contact DPOs directly. Behind those are other legs representing the principal tasks of the DPO: to advise, inform, monitor, and cooperate.

I intend for this book to be updated with the experiences of DPOs as they begin to operate under the GDPR from May 2018. Some of the practical advice should be seen as initial efforts at guidance that leaves lots of room to be supplemented by methodologies that are most familiar or helpful to the DPO. Everyone may have certain audit techniques or interview methodologies that work the best for them. DPOs should feel free to substitute their favored practices as appropriate. I would ask that they share those techniques for future editions of this book to create an improving best practices handbook for all DPOs working under the GDPR.

Thomas J. Shaw, Esq.
February 2018


Almost as soon as I had submitted the manuscript for publication of the first edition, new ideas and work aids were coming into my mind and practice. The intent in this second edition is to add all that is necessary to reflect current best practices for DPOs but to remain true to its handbook name as a reasonably-sized resource that could be carried into meetings, used during interviews, and taken off-site for remote work including audits and assessments.

The following information and materials have been added to this second edition of the book: a discussion of the data protection requirement for necessity, a critique of a data protection policy so DPOs can facilitate appropriate levels of transparency, reasons why a DPO might want to exit a services contract, the scope of the ePrivacy Directive/Regulation on the DPO’s role, more examples using both real-life documents from DPO practice and the tasks of the DPO of hypothetical French undertaking Richelieu, the DP principles section that should be part of every DP policy, examples from several DPAs of article 30 records of processing that can also be used to start the data and processing inventory, examples of documents to request when assessing compliance, examples of the analysis and actions sections of a GDPR compliance assessment report, thoughts on how DPOs might engage GDPR training for various types of employees, examples of using ISO 27001/2 for analyzing the security profile of an organization, a quicker method of analyzing an organization’s security posture from CNIL, references to new guidelines published by the EDPB under GDPR including article 49 derogations, a deeper explanation of encryption, further discussion of privacy by design, discussion of the issues surrounding the mechanisms supporting the export of personal data from the EEA, the latest legal developments impacting those export mechanisms, new DPO survey responses, negotiation points for a DPO services outsourcing contract, more detailed and revised analysis when performing DPIAs, and revisions for the global privacy and data protection laws and authoritative guidelines that became effective after the publication of the first edition.

Thomas J. Shaw, Esq.
September 2018

Dedication

No one can write a book without the support of those who make up the
panoramas and portraits of their daily lives and loves. I wish again, in
this the second edition of my ninth book, to express my gratitude to my
wife and daughter and to the memory of our much beloved companion
who gave us 16 years of hilarity, harmony, and huskiness.

Acronyms Used

There are many acronyms used throughout the book that should
become second nature to a DPO. These include:

CNIL Commission Nationale de l’Informatique et des Libertés (France)
DPA data protection authority (called Supervisory Authority in the GDPR)
DPC Data Protection Commission(er) (Ireland)
DPD Data Protection Directive
DPIA data protection impact assessment
DPO data protection officer
DS data subject
EC European Commission
EDPB European Data Protection Board (under GDPR)
EDPS European Data Protection Supervisor
ENISA EU Agency for Network and Information Security
GDPR General Data Protection Regulation
ICO Information Commissioner’s Office (U.K.)
InfoSec information security (often called just “security”)
IPC Information and Privacy Commissioner (Ontario)
ISO International Standards Organization
ISP internet (or intermediary) service provider
PbD privacy by design
PIA privacy impact assessment
PII personally identifiable information
PKI public key infrastructure
WP29 Article 29 Working Party (under DPD)

About the Author

Thomas J. Shaw, Esq., is an EU-based attorney at law, CPA, CIPP/E, CIPP/US, CRISC, ECM M, CISM, ERM P, CISA, CGEIT and CCSK who runs DPO Services (www.dpo-services.eu), providing an outsourced DPO role to organizations as well as lectures on information, internet and emerging technologies law at universities and on the DPO role through professional organizations. He is the editor/founder of the American Bar Association’s Information Law Journal and its antecedents, and the author of the following books on global technology law and legal history:

• DPO Handbook — Data Protection Officers under the GDPR
• Emerging Technologies Law — Global Practice
• Information and Internet Law — Global Practice
• World War I Law and Lawyers — Issues, Cases, and Characters
• Cloud Computing for Lawyers and Executives — A Global Approach, Second edition
• World War II Law and Lawyers — Issues, Cases, and Characters
• Children and the Internet — A Global Guide for Lawyers and Parents
• Cloud Computing for Lawyers and Executives — A Global Approach
• Information Security and Privacy — A Practical Guide for Global Executives, Lawyers and Technologists

He can be reached at [email protected].

CHAPTER 1

Introduction to the DPO Role

It is new, but, like a rediscovered friend or lost photo found, seems so familiar. The data protection officer (DPO) role is part of the General Data Protection Regulation (GDPR), which commenced May 25, 2018. The role is made up of new requirements that are not part of current practice, new requirements that mandate what was previously optional, and still more that have been part of best practice for a long time. This newly synthesized function is one that may require re-evaluating how the role, if currently filled, is staffed and carried out, but in any situation, needs a fresh perspective on the duties involved and skills required.

The DPO role is not mandatory under the GDPR unless certain types of conditions exist, so the first step is for an organization to analyze whether a DPO is required. A DPO can be engaged because they are required or can be brought on voluntarily, but, in either case, there is a series of tasks the DPO must perform. Knowing those tasks, the next step is to determine the type of job skills that someone in the DPO role should have to be able to succeed in this position. Certification based on those skills and experiences may help with this. A further step is to decide which profession to look to find most, if not all, these skills. In these early days, it is helpful to know what other organizations are doing or planning for their DPO role.


DPO Areas of Focus

• Whether a DPO is required or optional
• What other organizations are doing
• Skills required of a DPO and DPO certifications
• Appropriate professions for a DPO

1.1 Is a DPO Required?

The first question for organizations is to determine whether they need a DPO. The role may be required under law, or the organization may determine it would be in their best interest to staff this position. There are more clearly defined criteria for the legally mandated analysis, while the voluntary decision analysis is more subjective. Whether the DPO is to be established or not, the analysis and conclusions must be documented by the respective controller or processor engaging the DPO. Because the GDPR1 is still in its early days, what other organizations are thinking and doing provides useful insight and helps underline some of the important characteristics of the DPO role. To gain this knowledge, a survey was sent out via privacy and DPO organizations to their members.

1.1.1 GDPR — Mandatory and Voluntary DPOs

Under Article 37, the GDPR specifies that a DPO is required to be appointed by a controller or processor in the following situations:
• The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
• The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
• The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The WP29 has published guidance to further explain these requirements.2 All public authorities would be expected to designate a DPO, but the WP29 noted that private organizations sometimes may carry out public tasks or exercise public authority in areas such as public transportation, utilities, infrastructure, housing, and broadcasting. These organizations are not required to nominate a DPO, yet they are encouraged to do so given data subjects have little choice over having their data processed by such organizations.

“Core activities” are those that encompass how an organization makes money and an activity supporting the money-making processes. The WP29 cited the use of health data by a hospital as being part of its core activities of providing health care services, as opposed to support activities, like human resources, accounting, or IT, that all organizations would use. “Large scale” is not defined in the GDPR, but factors to consider include the number of data subjects involved, the volume of data, the different types of data, the permanence of the processing, and the geographic scope of the processing. Hospitals, banks, insurance companies, telecom providers, and ISPs were cited as large-scale processors in the normal course of their businesses.

“Regular and systematic monitoring” is defined to include but not be limited to online tracking and profiling, including tracking used for behavioral advertising. The “regular” aspect can be ongoing, occurring at regular intervals, or continuous, while systematic would take place as part of a pre-arranged plan to gather data to achieve a strategy. Telecom services, email and data-driven marketing, profiling and scoring, location tracking, behavioral advertising, CCTV, wearable device monitoring, and smart connected devices, including those comprising the internet of things3 are all considered to be undertaking regular and systematic monitoring.

When an organization does not strictly meet one of these mandated situations, the WP29 believes it is still beneficial to appoint a DPO voluntarily, given the assistance the role provides in complying with the new regulation and the significant increase in credibility with data subjects and DPAs. In either case, the decision to have a DPO or not must then be documented, citing the factors listed above in concluding whether the role is required or not and whether voluntary designation will occur. The GDPR requires that a DPO appointed under a voluntary designation has all the same tasks and controllers have the same obligations for the DPO as if the role was required.

Hypothetical French undertaking Richelieu is a private business, not a public authority. Its retail business online and in physical stores does not require processing of sensitive data, except for health data of employees, but HR is not a core business activity. It does monitor data subjects who use its website to browse and purchase its products but only to identify unauthorized access to its systems and does not retain or further process this website activity data for activities such as behavioral advertising. As such, it does not appear that Richelieu is required to designate a DPO.

However, as it processes significant amounts of data on employees and customers, Richelieu decides it would be best to voluntarily designate a DPO. Its principal reasons are to improve its internal processes, to differentiate itself from competitors, to generate credibility with supervisory authorities, to reduce spending on external training, to provide data subjects with an extra channel of communication regarding their rights, to ensure it is aware of the privacy law issues, and to manage its legal exposure by reducing compliance and litigation risk.

1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2 Art. 29 DP WP, Guidelines on Data Protection Officers (“DPOs”) (Apr. 2017).
3 See Thomas J. Shaw, Emerging Technologies Law — Global Practice.

1.1.2 DPO Role — What Are Organizations Thinking?

Another way to get a feel for the need for a DPO is to query organizations. This provides an understanding of how others are viewing the DPO role under the GDPR, especially those who are currently in data protection roles responsible for compliance with existing laws under the DPD.4 To achieve this, a survey was disseminated through both the IAPP and the Irish national association of DPOs to their membership. This survey asked people to answer questions about their organization’s plans regarding the DPO role under the GDPR. Although probably not statistically meaningful, as the responses totaled several dozen, the answers may shed some light on EU organizations’ current thinking and introduce some of the requirements for the DPO role, which will be expanded on in the next section and next chapter.

4 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (DPD).

1.1.2.1 The Survey
The survey asked 10 questions, variously posed as yes/no, multiple choice, and fill-in-the-box answers. The final two questions dealt with the respondent organization’s industry and its role under the GDPR as either a data controller or processor. The industries that the organizations represented were broadly across the spectrum, including health, education, finance, retail, broadcasting, software development, IT, natural resources, human resources, communications, hospitality, transportation, electronics, and national and local government. The data protection roles undertaken by the organizations under the GDPR and the DPD were as a data controller, a data processor, or, in the majority of cases, both controller and processor.

The other eight substantive questions and their responses were as follows:

• Will your organization require a different skill set for the DPO role under the GDPR than it does for its current DPO? Most of the responses answered “yes,” that a different skill set will be required in the future, while only a few answered “no,” that a different skill set will not be required. However, the second most common answer was that the organization does not currently have someone in a DPO role, which is to be expected given that the role is not part of the DPD.
• How will your DPO meet the strict requirements for independence under the GDPR (Article 37(1))? The responses were varied and included meeting the independence requirement through a separation of duties or express contract terms, by the DPO reporting directly to the CEO of the organization, by reporting only to the legal department, or by the DPO role being outsourced. Other responses found organizations will achieve independence through the use of an independent contractor, while others already viewed their DPO role as independent, were not sure if the DPO would be independent, or were still trying to determine how to answer this requirement. The individual not being in IT, risk, or compliance teams, being thoroughly trained, access to independent legal counsel, and a separate budget were cited as techniques to ensure independence.
• How will your DPO avoid conflicts of interest as specified by the GDPR (Article 38(6))? Some respondents found that potential conflicts of interest were addressed through outsourcing the DPO role, while others thought there were already sufficient conflict of interest rules in place within their organization. Some responses said that the DPO function being the sole role this person would engage in should be a sufficient control to avoid conflicts of interest, while others were not yet sure how the DPO would avoid conflicts of interest or felt it was up to the personal and professional qualities of the DPO themselves. Even when avoiding conflicts of interest, concerns were cited for possible conflicts with the DPO’s attention and resources. Other respondents believed that spending most of their time on DPO tasks or reporting to the legal department would prevent a conflict of interest. Lawyers’ legal ethics requirements were cited as a way to prevent conflicts, as was limiting the decision power of DPOs to personal data decisions, adequate training, and a separate budget.
• Will your DPO report directly to the board of directors as specified by the GDPR (Article 38(3))? The vast majority of the respondents agreed that the DPO in their organization would report to the highest level in their organization, with only a small percentage not having this type of reporting line. The latter presumably will regularly issue reports to the board instead of having a direct reporting line.
• Will your DPO, required by the GDPR to have expert knowledge of data protection law (Articles 37(1) and 37(5)), be a privacy lawyer, an auditor, a compliance specialist, an IT specialist, a non-technical manager, or from some other profession? The variety of professions specified in the responses was broad. The question choices presented as possible answers included an auditor, compliance specialist, IT specialist, privacy lawyer, non-technical manager, and other (fill in the box). The professions listed most often (the question allowed for multiple answers) were non-technical manager, privacy lawyer, compliance specialist, and IT specialist. Professions specified in the “other” category included risk specialist, records manager, administrative professional, operations specialist, and business manager (with one specifying a combination of manager, compliance specialist, and auditor with a budget for outside legal counsel).
• How many years of professional experience will your DPO have? The respondents to this question, unlike many of the DPO hiring advertisements being posted online, looked to a very experienced professional. The number of years of experience expected of the DPO ranged from five and seven years to 30 and more than 30 years, with the most common answer 15 years. Only a few responses thought that the DPO role could be filled with an inexperienced resource.
• Will your DPO role be filled by one person or more than one person? About five-sixths of the respondents believed that a single person would fulfil the DPO role, while the remainder believed that the role should be filled with more than one person using a team approach, with various skill sets brought together to fill the DPO responsibilities.
• Will your DPO role be filled internally, hired externally, or outsourced? About three-fifths of the respondents believed that the DPO role would be filled internally, with the other two-fifths of the organizations stating they would be looking externally for their DPO, more wanting to outsource the role to DPO consultants and some organizations seeking to hire an external candidate if they can find one in the limited pool of experienced DPOs.

1.1.2.2 Takeaways
This survey was targeted at organizations that have already become members of a privacy or DPO association, so their understanding of the GDPR’s requirements is likely further developed than that of the average organization subject to the GDPR. Nearly half already have someone in a DPO role. While not a statistically rigorous survey, with a limited number of respondents, there may be some useful takeaways. One takeaway is that there seems to be a recognition that an additional skill set may be required of the existing DPOs who continue in this role under the GDPR, as well as for new DPOs. Not only the new specifics of the GDPR but also some of the technical assessments will require an expanded skill set, as discussed in succeeding chapters.

A second takeaway provides some insight into how organizations are looking at dealing with what may be the most difficult criteria for the DPO role, ensuring the DPO’s independence and avoidance of conflicts of interest. Various techniques of outsourcing, separation of duties, reporting chains, independent contractors, conflict rules, legal ethics obligations, lack of other duties, and professional and personal qualities were among the solutions suggested, along with access to independent legal counsel for non-lawyer DPOs and an independent budget. This requirement may evolve the most over time, as organizations work to make the role truly independent of those responsible for designing, operating, and overseeing the data protection, privacy, and information security functions in the organization.

In a final set of takeaways, organizations seem to fully understand the requirement for the DPO’s reporting structure to the highest levels of the organization and the need for a vastly experienced resource to fill the DPO role. It was a bit surprising that almost all of these organizations are viewing the DPO role as being filled by a single person instead of a team of varying skills, but that could be merely a snapshot of who answered this survey (it did not ask the size of the organization). Organizations clearly have many ideas about the right type of professional ideally suited to fit the DPO role and seem to consider outsourcing a viable alternative for filling the DPO role if suitably qualified internal resources are not available.

1.2 The Skills and Professions of a DPO

Once it has been determined that a DPO is either required or that it is better for business reasons to voluntarily designate one, it becomes a matter of determining which job skills the person or persons filling the role must have to succeed as a DPO. This is assisted by understanding the competencies required to acquire certification as a DPO. Related to that, but a separate consideration, is which profession is most closely aligned to these skills to fill the role. If a single person is not doing all the DPO tasks, then the controller or processor should decide the different professions that need to be involved in filling the role as part of a team. Common misunderstandings in staffing the DPO role are also analyzed.

1.2.1 DPO Skills

The GDPR has certain requirements for the DPO, and these reflect directly upon the skills needed by the DPO role, either as a single person or a team. These skills can be summarized into a listing usable by organizations’ management and human resources to identify qualified DPO candidates.

1.2.1.1 GDPR’s Requirements for DPOs

Risk/IT: Recital 77 and Articles 39(2) and 35(2) require DPOs to offer guidance on risk assessments, countermeasures, and data protection impact assessments. DPOs must have significant experience in privacy and security risk assessment and best-practice mitigation, including significant hands-on experience in privacy assessments, privacy certifications/seals, and information security standards certifications. These skills should be founded upon wide-ranging experience in IT programming, IT infrastructure, and IS audits. While compliance checklists may be helpful, the DPO position first and foremost requires an experienced professional. Because risks constantly evolve, DPOs must demonstrate awareness of changes to the threat landscape and fully comprehend how emerging technologies will alter these risks. Providing guidance is akin to the lawyer’s skill of giving advice, using client-relationship skills to ensure controllers continue to seek such advice at the earliest phase, even when they do not agree with it.

Legal Expertise/Independence: Recital 97 and Articles 37(1), 37(5), and 38(5) specify “a person with expert knowledge of data protection law and practices” to assist the controller or processor, to be “bound by secrecy or confidentiality,” and to “perform their duties and tasks in an independent manner.” DPOs must know data protection law to a level of expertise based upon the type of processing carried out. This signifies that DPOs could be licensed lawyers knowledgeable of not only the GDPR and other relevant EU legislation (e.g., the ePrivacy Directive or pending Regulation) but also privacy and related laws in all jurisdictions in which their organization does business or outsources operations. Confidentiality is second nature to the legal profession. DPOs must have experience acting in an independent manner, indicating a need for a mature professional with client relationship and audit experience to handle the delicate task of discovering gaps, encouraging gap mitigation, and ensuring compliance without taking an adversarial position.

Cultural/Global: DPOs will likely be dealing with controllers and processors from different countries and therefore different business cultures. DPOs must have experience in dealing with different ways of thinking and doing business and have the flexibility to marshal these differences into a successful result. Think of the simplified example of an organization with a retail presence in Europe, contract manufacturers in China, IT outsourcers in India, and headquarters in the U.S. DPOs should be based in the EU, as recommended by the WP29, but also globally focused.
Leadership/Broad Exposure: Article 38(2) requires “The controller and processor shall support the DPO … by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.” DPOs will need to have leadership and project management experience, to be able to request, marshal, and lead the resources needed to carry out their roles. They also must be able to critically assess themselves for knowledge gaps and request training in those areas. DPOs should have broad business experience to know the industries of the data controller and processor well enough to understand how privacy should be implemented to integrate smoothly with the way each company designs and markets its products and services and earns its revenues.

Self-Starter/Board-Level: Article 38(3) requires “The controller and processor shall ensure that the DPO does not receive any instructions regarding the exercise of those tasks … The DPO shall directly report to the highest management level of the controller or the processor.” DPOs should be self-starters, with the competence and skills to carry out the role without guidance and to know where to find necessary information. DPOs must also have board-level presence and be able to deal with experienced business people who will not know the intricacies of DPO functions. Licensed external auditors, such as certified public accountants (CPAs)/chartered accountants (CAs), who audit compliance with laws, standards, and practices, are independent of the auditee, and report to the board, would have this type of experience.

Common Touch/Teaching: Article 38(4) allows data subjects to contact the DPO “with regard to all issues related to processing of their personal data and to the exercise of their rights.” DPOs must be able to speak in the language of the average citizen, not in technical or legal jargon, to handle requests and complaints from data subjects. A common touch is helpful to DPOs in their role to protect data subjects’ rights. DPOs must also have skills in both legal training and awareness raising, to ensure all data subjects are aware of their rights and responsibilities and to help train others to assist data subjects on specific requests.

No-Conflicts/Credibility: Article 38(6) allows DPOs to fulfill other tasks if “any such tasks and duties do not result in a conflict of interests.” DPOs who are members of the data controller’s organization may be performing roles that conflict with their DPO role. For example, a DPO also overseeing information security has a conflict when their security risk assessments and treatments are evaluated under their DPO role. Controllers are required to ensure that their DPO is not conflicted. It is best if DPOs are full time in their role or the role is outsourced to an independent external DPO to overcome the possibility of conflicts. Article 39(1) states that DPOs are required “to cooperate with the supervisory authority … [and] act as the contact point for the supervisory authority on issues relating to processing.” A prior relationship with the DPA is helpful, or DPOs must be able to establish instant credibility with DPAs based upon their wide experience, knowledge, credentials, and relationship skills.

1.2.1.2 Summary of DPO’s Required Job Skills

The following summarizes these requirements into DPO job skills.
• Significant experience in EU and global privacy laws, including drafting of privacy policies, technology provisions, and outsourcing agreements.
• Significant experience in IT operations and programming, including attainment of information security standards certifications and privacy seals/marks.
• Significant experience in information systems auditing, attestation audits, and the assessment and mitigation of risk.
• Demonstrated leadership skills achieving stated objectives involving a diverse set of stakeholders and managing varied projects.
• Demonstrated negotiation skills to interface successfully with DPAs.
• Demonstrated client relationship skills to continuously coordinate with controllers and processors while maintaining independence.
• Demonstrated communication skills to speak with a wide-ranging audience, from the board of directors to data subjects, from managers to IT staff and lawyers.
• Demonstrated self-starter with ability to gain required knowledge in dynamic environments.
• Demonstrated record of engaging with emerging laws and technologies.
• Experience in legal and technical training and in awareness raising.
• Experience in dealing successfully with different business cultures and industries.
• Professionally licensed or certified in law, information security, data protection/privacy, and auditing, including ethical requirements for competence, confidentiality, and continuing education.
• Current or former EU resident who is independent and free of any real or perceived conflicts.
This view was verified against publications from the Network of DPOs for EU Institutions5 and the WP29.6 The former specified at least seven years of relevant experience, including knowledge of the institution and its data protection practices. It also included the following personal and interpersonal skills: “Personal skills: integrity, initiative, organization, perseverance, discretion, ability to assert himself/herself in difficult circumstances, interest in data protection and motivation to be a DPO. Interpersonal skills: communication, negotiation, conflict resolution, ability to build working relationships.” The latter extended DPO roles to the internet of things and other emerging technologies (see below). DPOs may also have to deal with more complicated issues that are not included in job descriptions.7

The decision lies with each organization to find these required DPO skills in either a single person or several people, to locate them internally or outsource the role, and to manage this function under the CPO or let it operate independently. It would be optimal to have as many skills as possible in a single individual, for obvious reasons of cost, communication, productivity, and responsibility. While, of course, a DPO may rely upon the technical skills of others, they must be sufficiently capable in all these areas to provide an independent assessment. It is up to each organization to implement its own DPO role, keeping in mind its obligations and how a DPO will facilitate the likelihood of full compliance with the GDPR.

Hypothetical French undertaking Richelieu has decided that its DPO should have legal, audit, and IT skills, as well as global experience and the requisite negotiation and communication skills, but did not believe that this required a full-time role. In its review of the resources with DPO-required skills available in the job market, it found that all the candidates matching its desired profile either already had a job or were looking for another full-time role. It was then able to identify a candidate who was an experienced French avocate (lawyer) who had also spent a decade in Silicon Valley working with technology startups, had been involved in privacy by design and technology audits, leads a local legal technology association chapter, and is comfortable speaking and working at board level. Given her ongoing DPO roles with other clients, Richelieu decided to engage her on a part-time, outsourced basis to act as its DPO. Her role as a non-employee would address concerns about conflicts of interest and her independence, and her professional affiliations would keep her current on changes to technology and the law.

5 EDPS, Professional Standards for Data Protection Officers of the EU institutions and bodies working under Regulation (EC) 45/2001 (Oct. 2010).
6 Art. 29 DP WP, Guidelines on Data Protection Officers (“DPOs”), r1 (Apr. 2017).
7 See Thomas J. Shaw, Outsourcing your DPO: real-life scenarios (in Appendix A).

1.2.1.3 DPO Certification

DPOs may be subject to certification in some member states. For example, the Spanish DPA Agencia Española de Protección de Datos (AEPD) has published guidelines for the certification of DPOs.8 This certification requires at least five years of relevant professional experience (or some combination of lesser experience and training). The four-hour exam covers the areas of DP laws, including the GDPR, the ePrivacy Directive, and WP29 guidelines, plus relevant Spanish laws; accountability, including risk management and DPIAs (see Chapter 4); privacy by design (see Chapter 5); and compliance techniques, including InfoSec (see Chapter 5), DP audits (see Chapter 3), and emerging technologies (see companion book9). Certified DPOs must adhere to a code of ethics and take continuing professional training to use the AEPD-DPO mark.

The stated competencies of advising and supervising tasks for certified DPOs include the following:
• Compliance with principles relating to processing, such as purpose limitation, data minimisation or accuracy.
• Identifying the legal basis for data processing.
• Assessment of the compatibility of purposes other than those which gave rise to initial data collection.
• Determining whether any sectoral regulation may determine specific data processing conditions that are different from those established by general data protection regulations.
• Designing and implementing measures to provide information to data subjects.
• Establishing mechanisms to receive and manage requests to exercise rights of the data subjects.
• Assessing requests to exercise rights of the data subjects.
• Hiring data processors, including the content of the contracts or legal documents that regulate the controller-processor relationship.
• Identifying international data transfer instruments that are suited to the needs and characteristics of the organisation and the reasons that justify the transfer.
• Design and implementation of data protection policies.
• Data protection audits.
• Establishing and managing a register of processing activities.
• Risk analysis of the processing operations carried out.
• Implementing data protection measures by design and by default that are suited to the risks and nature of the processing operations.
• Implementing security measures that are suited to the risks and nature of the processing operations.
• Establishing procedures to manage violations of data security, including assessing the risk to the rights and freedoms of the data subjects and procedures to notify supervisory authorities and the data subjects.
• Determining the need to carry out data protection impact assessments.
• Carrying out data protection impact assessments.
• Relations with supervisory authorities.
• Implementing training and awareness programmes for personnel on data protection.

8 AEPD, Esquema de certificación de Delegados de Protección de Datos, r1.1 (Oct. 2017).
9 See Thomas J. Shaw, Emerging Technologies Law — Global Practice.

1.2.2 DPO Professions

To determine which professions to look to in filling the DPO role, it is best to start with the GDPR requirements for the DPO’s skills, qualities, and tasks, which include:
• Risk assessments, countermeasures, and data protection impact assessments.
• Expert knowledge of data protection law and practices.
• Perform their duties and tasks in an independent manner.
• Not receive any instructions regarding the exercise of those tasks.
• Perform other tasks only if these do not result in a conflict of interests.
• Handle data subject requests.
• Marshal resources and lead people and projects.
• Maintain his or her expert knowledge.
• Bound by secrecy or confidentiality, notwithstanding that the DPO can contact the DPA directly on any matter.
• Directly report to the controller/processor’s highest management level and/or provide an annual report of DPO activities.
• Cooperate with and act as the contact point for the supervisory authority.

1.2.2.1 Professions Matching DPO Job Skills

The two professions that appear best suited to carry out the role of DPO, their availability and costs notwithstanding, are experienced privacy- (and technology-) focused lawyers and information systems (IS) auditors licensed as certified public accountants (CPAs) or chartered accountants (CAs). A privacy-and-technology-focused lawyer is a licensed professional with hands-on experience with IT programming and operations, IS auditing, and privacy certifications/seals and information security standards, in addition to experience with varied privacy and information security laws, policies, and provisions. IS auditors would have experience with various types of attestation audits, including privacy and security. Both should have the appropriate professional privacy and information security certifications.

Both types of professionals should be able to carry out the following aspects of the DPO role equally well: reporting directly to the highest management level of the controller/processor, exercising the tasks of the DPO without receiving instructions, working in an independent manner, and being sensitive to not creating any conflicts of interest. Licensure rules for the regulated professions of lawyer and public/chartered accountant both require continuing competence, maintaining integrity, avoiding conflicts of interest, taking sufficient continuing education to maintain his or her expert knowledge, and being bound by rules of professional secrecy and confidentiality. Although lawyers tend to have a broader code of ethics to comply with, lack of compliance with their respective ethical rules by those in either profession could lead to loss of their ability to practice publicly.

Both professions need to have significant negotiation skills, although, given their typical roles, the lawyer will likely have deeper negotiation experience. Both should have knowledge of risk assessments, countermeasures (including those implemented in software by programmers and in IT infrastructure), and data protection impact assessments, although auditors will likely have more in-depth risk mitigation experience. Both may have understandings of privacy by design and default, but the auditor may have more in-depth knowledge through assessing control design. Both should be able to marshal and lead resources, teams, and projects and handle data subject requests without difficulty, handle internal and external relationships, communicate effectively with all parties, educate controller/processor personnel and data subjects, and raise data protection awareness.

What tips the balance between the two is the requirement to have expert knowledge of data protection law and practices, which is something to be expected from the lawyer but not from the auditor. This requirement is more complicated than it appears, as it involves not only the GDPR and other EU law, such as the ePrivacy Directive (or its successor) and relevant cases, but also likely, given the global interplay of organizations, the data protection and other relevant laws and cases of many jurisdictions and the necessary conflict of laws analyses to determine which laws are controlling. In an independent role, a DPO providing legal advice and analysis who is not a licensed lawyer may also become involved in the unauthorized practice of law. If they instead use the organization’s corporate counsel to perform the legal analyses, the DPO may no longer be viewed as independent.
Other reasons it is beneficial to have a lawyer in the DPO role
include the advantages of legal privilege, competency and ethical
mandates, being able to work easily with corporate and external
counsel in the event of enforcement proceedings, and avoiding the
unauthorized practice of law. If the DPO is not a lawyer, this means that
they are going to be leaning heavily on the corporate counsel but when
doing so, are they still sufficiently independent? Without the DPO’s

E
ability to rely on their own legal, IT, audit, and risk evaluations and not
merely accepting those from internal staff, it seems that it would be
PL
difficult to maintain the necessary independence and avoid all potential
conflicts of interest. That is why, for example, internal accountants
prepare financial statements and licensed external accountants audit
and opine on those statements, based upon their own independent
professional judgment. And so should the DPO.
M

Therefore, the best professional to fill the role of DPO under the
GDPR would be an experienced privacy-and-technology-focused
lawyer. The privacy and technology focus of this lawyer is essential, as
SA

these would not be typical skills of the average lawyer. There are other
qualities of a lawyer that also weigh in their favor as the best profession
to fill the DPO role, including the use of legal privilege in certain cases
when the controller or processor is subject to litigation or other adverse
actions and possibly in their role as a witness or expert in legal cases.
One area a DPO lawyer must avoid is acting as counsel for a controller
or processor on data protection matters. The second choice professional
to fill the DPO role should be an experienced and licensed (CPA/CA)
IS auditor, one who has significant experience in leading various types
of audit engagements. For either choice, the DPO team should have a
member that complements the DPO, such as an experienced IS auditor
when a privacy-and-technology-focused lawyer is the DPO.
Beyond those two professions, it may get more complicated
for organizations trying to fill the DPO role with other types of

18
Introduction to the DPO Role

professionals, with multiple people, and/or with a combination of


internal, hired, and outsourced resources. As a rule, in these types
of situations, organizations must stick hard and fast to the following
two rules. First, they must not utilize anyone in the DPO role who
could create a conflict of interest. For example, as a case in Germany10
demonstrated, the role of IT manager is inappropriate for the role of
DPO under current German law, given the required independence of
the DPO from IT operations. Second, any resource filling the DPO
role must have sufficient legal and technical skills to carry out an
independent assessment of the organization’s data protection practices
without relying primarily upon the judgment of the organization’s staff.
1.2.2.2 DPO Hiring Errors

DPO jobs posted in the EU show some organizations are still learning
about the requirements for DPO positions under the GDPR. The most
common errors are looking for DPOs with too little experience (a few
years is a common requirement), insufficiently broad job experience
(focusing on only one of several needed disciplines), and lack of
independence, with DPOs reporting into IT, legal, or compliance
organizations instead of the board of directors as the GDPR requires.
Another error is that organizations assume that their current DPO
or similar should be their DPO under the GDPR. That may certainly
be valid, but it would be a useful exercise to vet the existing DPO
against the job skills discussed above. When discussing the role of the
DPO under the GDPR, examples are often cited based upon current
experiences under existing legislation, primarily national enactments
of the Data Protection Directive. While instructive and possibly the
best historical examples that there are in the region, the DPO role
under the new GDPR legislation is a somewhat different role, one that
may require consideration of what is now required and intended before
organizations that already have a DPO automatically slot that person
into the DPO role under the new law.
Another common misconception, which many vendors are
perpetuating, is that you can create a DPO merely with training and
certifications without basing it first upon a broad foundation of existing
diverse skills gained through years of experience. There is some belief
that one can make a DPO out of an inexperienced resource. That is
not accurate. What can be accomplished is for an organization to train
an existing experienced resource, with many of the professional skills
and responsibilities discussed above, in the specifics of the GDPR
and hopefully deploy that resource in time into the role of DPO.
While using an inexperienced resource can be viewed as the way
forward for cost or resource-constrained organizations, they may be
making a choice between full compliance with the GDPR and their
other business objectives. Given the significant penalty regime of the
GDPR, organizations should consider the need to staff the DPO role
appropriately from the start to achieve their short- and long-term goals.

¹⁰ Bayerisches Landesamt für Datenschutzaufsicht, Datenschutzbeauftragter darf
keinen Interessenkonflikten unterliegen (Oct. 2016).

One other problem involves the fundamental flaw of confusing the
role of the chief privacy officer (CPO) with that of DPO under the
GDPR. The role of a CPO could be described as someone responsible
for complying with GDPR from inside the organization, setting
policies and procedures to do so. But the new role of DPO is different.
The DPO as specified by the GDPR must maintain independence
and avoid conflicts of interest, in addition to acting as the point of
contact, cooperation, and consultation with the DPAs. As the WP29
stated, “the DPO’s primary concern should be enabling compliance
with the GDPR.” It then stated that “chief privacy officers (‘CPO’s) or
other privacy professionals already in place today in some companies,
who may not always meet the GDPR criteria, for instance, in terms
of available resources or guarantees for independence, and therefore,
cannot be considered and referred to as DPOs.”¹¹
While it is not essential that the DPO must be a lawyer, such
a profession helps to address a problem raised by the GDPR. The
DPO is required by the GDPR to have “expert knowledge of data
protection law.” The WP29 stated that DPOs “must not be instructed
to take a certain view of an issue related to data protection law, for
example, a particular interpretation of the law.”¹² The DPO then will
be independently providing legal advice on data protection law to the
controller or processor as part of their specified tasks.
If the DPO is not a lawyer, then this could involve them in the
unauthorized practice of law. Although a complex area of law not
easily summarized, it appears that a majority of EU member states
and a significant number of non-EU states including importantly the
U.S. consider the provision of legal advice for compensation to be
a “reserved” activity that can legally only be done by licensed legal
practitioners. Those in certain jurisdictions like England or Ireland
with a more limited number of legal activities reserved only for licensed
lawyers may not understand these legal restrictions of other member
states and non-EU countries.

¹¹ Art. 29 DP WP, Guidelines on Data Protection Officers (“DPOs”), r1 (Apr. 2017).
¹² Id.

Another likely issue that must be borne in mind is considering a
simplistic legal compliance situation, not the more complex situations
when the required expertise in data protection law includes the need
to understand, coalesce, and possibly apply conflict of law rules to a
large list of differing laws, regulations, and legal cases from different
countries, including the privacy and information security laws,
consumer protection laws, labor laws, etcetera. Could this complicated
legal work be done without a lawyer in the DPO team? Possibly, but if
not, then independent legal counsel would need to be made available to
the team.
In summary, privacy lawyers or licensed IS auditors would be the
best professions to fill the role of DPO as specified under the GDPR.
These are not the only professions who can fulfill the DPO role, just the
best-qualified based on their skills and so should be the starting point
for an organization’s search, within resource availability and financial
constraints. If they are not designated as the DPO, these professions
should at a minimum both be present as members within the DPO
team, as their skills are a large part of what is needed to successfully
initiate and fulfill the DPO tasks. Organizations will have to consider
how to ensure these skills are available to support the DPO role
regardless of who fills it. This would allow other types of professionals
to fill the role of DPO, knowing they have support from the skill sets
of lawyers and auditors who can perform their roles with the necessary
independence to be able to assess the organization’s compliance with
GDPR.
