The Irish Data Protection Commissioner Issues New Guidance
on Appropriate Qualifications for DPOs

The Irish Data Protection Commissioner recently published a guidance on the level of qualification needed for Data Protection Officers (DPOs) under the GDPR.

The GDPR stipulates that DPOs must be selected based on their professional qualities and level of expertise in data protection (Article 37.4,) but it doesn’t explain how this assessment should be made in practice –– it only provides very limited information under Recital 97. The new Irish guidance provides clarification on this matter.

While this guidance partially mirrors the recommendations already made by the Article 29 Working Party on DPO qualifications and trainings (see WP29 guidance on DPO dated 13 December 2016,) it goes a step further and provides recommendations on how to select an appropriate DPO training programme.

Risk-based Approach to the Level of Qualification and Expertise Required

The Irish PDC adopted a risk-based approach. The guidance provides that the level of qualification/expertise appropriate for a given DPO will vary depending on:

  • The type of personal data processing operations carried out;
  • The complexity and scale of data processing;
  • The sensitivity of the data processed; and
  • The protection required for the data being processed.

By way of example, the Irish PDC suggests that, given the complexity of the processing activities typically carried out by insurance companies, their DPOs will likely require a higher level of expertise.

Required Skills and Expertise

The guidance also provides a non-exhaustive list of relevant skills and expertise, which includes:

  • Expertise in national and European data protection laws and practices (including an in-depth understanding of the GDPR);
  • Understanding of the processing activities carried out;
  • Understanding of information technologies and data security;
  • Knowledge of the business sector and of the organisation; and
  • Ability to promote a data protection culture within the organisation.

Depending on the circumstances, DPOs may also need specific expertise in international data transfers, certain IT functions, or sector-specific data protection practices.

Selecting the Right DPO Training Programme

Perhaps most importantly, the guidance emphasises the fact that organisations are responsible for proactively deciding what level of expertise and training their DPO needs. In this respect, the Irish PDC warns that a large number of training programmes exist, but not all of them are equal. Organisations should therefore be careful and ensure that they select a training programme that is appropriate to their processing activities.

The guidance lists four non-exhaustive factors that should be taken into account when selecting a DPO training programme:

  • The content and means of the training and assessment;
  • Whether the training that leads to certification is required;
  • The standing of the accrediting body; and
  • Whether the training and certification is recognised internationally.

An example of privacy-specific training and certification would be the IAPP certification programmes, which are accredited under ANSI/ISO standard 17024:2012 and provide several areas of privacy-specific training.

This guidance will likely have a significant impact since many US-based companies, including large tech multi-nationals, choose Ireland as a base for their EU activities, therefore making the Irish PDC one of the most influential data protection authorities.

How OneTrust Helps

OneTrust’s templates and questionnaires can help informed DPOs make accurate and well documented choices. Often, filling out PIAs and other assessments through OneTrust is the first impression employees have of their privacy office. OneTrust gives DPOs the ability to promote a data protection culture within the organisation in a way that is polished and professional.