Article 37(5) General Data Protection Regulation (GDPR) does not list with particularity the professional skills that should be considered when designating the Data Protection Officer (“DPO”). It provides:
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
The focus is on the legal skills because the provision mentions “expert knowledge of data protection law and practices” and those necessary to fulfill the tasks “referred to in Article 39”, which are legal tasks. Other tasks can – and reasonably will — be given, however.
The WP29, whose interpretation is going to be binding,[I] does not require the DPO to be a lawyer or even have a law degree, but it does seem to slightly privilege legal skills over technical ones in its Guidelines on Data Protection Officer (“Opinion”).
The Opinion states that the DPO “should” possess the following skills:
- “expertise in national and European data protection laws”
- expertise in national and European “practices”
- “in-depth understanding of the GDPR of the law and regulations”
- “understanding of the processing operations carried out” by the data controller
- understanding of “the information systems”
- understanding of “data security and data protection needs of the controller.” Opinion at 11.
The skills are listed in this order. The legal skills (which we have numbered from 1 to 3) are listed first; then – after a paragraph in which the WP29 mentions organization skills, the Opinion lists the technical skills (which we have numbered from 4 to 6. As for organizational skills, the Opinion qualifies them only as “useful” (hence, not absolutely necessary), by saying “knowledge of the business sector and of the organisation of the controller” are “useful”.
The apparent focus on legal knowledge in the Opinion has surprised and fostered debate among privacy professionals. However, was it really surprising?
As said, the text of the GDPR itself focuses on only legal skills for the DPO, while the requirement that the DPO must also have a technical and organizational skills can be implied but are nowhere expressly mentioned.
But is it really true that the WP29 privilege the legal over the technical component? To answer this question, we must take into account the FAQ, which were published after the Opinion. In fact, the WP29’s position in the two sources differ somewhat.
The FAQ (FAQ no. 7) reorganizes the skills of the DPO and this time the legal skills and the technical ones are together and both are qualified as “necessary”:
The necessary skills and expertise include:
– expertise in national and European data protection laws and practices including an in- depth understanding of the GDPR
– understanding of the processing operations carried out
– understanding of information technologies and data security
– knowledge of the business sector and the organisation
– ability to promote a data protection culture within the organization.
Also, the FAQ lists the organizational skills together with the legal and technical skills with all being necessary.
The two sources differ semantically in another way: the Opinion uses the word “should” for all the skills (except the organizational ones) while the FAQ no. 7 uses the word “necessary” for all the skills. The word “should” seems less obligatory than the word “must” or “necessary.”
So is there a conflict between the Opinion and FAQ no. 7 regarding the necessary skills for a DPO ands the compulsiveness of the requirement? Maybe or maybe not. The different wording should not be over-emphasized.
The WP29 is probably suggesting in both sources that the DPO should/is required to have all these skills, even if probably not at the same level. The focus on legal skills, in fact, is undeniable. Consistently with GDPR Article 37.5 – where they are the only one to be mentioned – they are listed first in both the Opinion and the FAQ no. 7; also both sources required the knowledge of GDPR and privacy regulation to be “in-depth”.
The predominance of legal skills over technical ones does not mean, however (1) that– as said above – the DPO must be a lawyer (i.e., enrolled in a bar) and or even have a law degree and (2) that the technical skills are unimportant.
Beyond pedantic discussions on terminology, the real question is: can an organization appoint a DPO who does not possess all the mentioned skills? Probably not. An organization needs to appoint a person with a deep expert knowledge of privacy law (both the GDPR and the practice), with an understanding of the processing operations carried out, and with knowledge of IT and data security. Better if the DPO knows the business sector and the organization and he or she is able “to promote a data protection culture within the organization”.
In a perfect world, you would need 75,000 of legal/tech savvy professionals, with some knowledge of the business sector and the organization. In a less than perfect world, we might accept something less.
An indication that a DPO need not possess all the skills at the same level is given by the GDPR itself:
The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Whereas 97.
This principle is reaffirmed in WP29’s FAQ no. 7.
This indication is to be read at a minimum as the recognition that the DPO’s required skills – depending on the organization – need not to be possessed at the same level. But can it also be read as a license to appoint a DPO who possesses less than all the required skills? While a technician with only a superficial legal knowledge is definitely not compliant with GDPR Article 37 (as interpreted by the WP29), would a DPO with deep legal knowledge and some technical skills be acceptable (when for example assisted by technical staff)?
To avoid transforming the appointment of a DPO into the search for a unicorn, perhaps the answer should be yes.
Given these uncertainties it would be advisable for the WP29 to give some flexibility to organizations in selecting the skills that their DPOs must possess, taking into account the particular size and type of data processing, the nature of data, and the industry in which the organization operates.
We still have a few days – within the postponed deadline of February 15 – to send comments or questions to the WP29.
[i] The interpretation given by the WP29 on this matter will be adopted by the new European Data Protection Board provided by GDPR Article 68 and the following and will be therefore binding.
[ii] The DPOs can be both employees of the organizations or operate in outsourcing (GDPR Article 37.6). Because in many civil law countries, lawyers (intended as enrolled in a bar) cannot be employees (because they would lack independence required by ethics rules), in those countries lawyers can be DPOs only in outsourcing. If an organization chooses to appoint as DPO a person who is already an employee, that organization should be careful to avoid conflicts of interest (GDPR Article 38.6 – see here our previous blog on the topic) which have been already sanctioned in Germany (German privacy law already requires the appointment of DPO and its experience is a useful precedent).