Yahoo, LinkedIn, Facebook, Marriott International, MyFitnessPal. These popular companies created headlines in recent years due to one unfortunate thing in common: They made the list of the 15 biggest data breaches of the 21st century. The reality, however, is that cyber attacks are a growing problem for every size and type of business and organization — with the cost of cyber crime projected to reach $10 trillion by 2025.
In addition to implementing cybersecurity best practices, such as training employees, backing up data and instituting multi-factor authentication, businesses also have the option of employing skilled cybersecurity professionals. In this career guide, we’ll discuss the details of one such important position — the data protection officer.
What Is a Data Protection Officer?
This is a security-based position charged with protecting a company’s or organization’s data and information. For the most part, data protection officers (and other data and privacy-related positions) are not required in the United States, though they are in some other countries, and they are becoming much more common. In the U.S., with the exception of businesses and organizations regulated by HIPAA, there is no requirement to appoint a data protection officer, though it is considered a best practice, especially for larger entities.
Data Protection Officers and the GDPR
The GDPR, touted as “the toughest privacy and security law in the world,” imposes data privacy requirements and obligations on organizations that focus on or collect data related to people in the European Union (EU). Data privacy violations and failure to comply with the regulations result in costly penalties.
As explained by the Digital Guardian, the GDPR was created by the European Parliament, the European Council and the European Commission to “strengthen and streamline data protection for European Union citizens.”
One of the requirements of the GDPR is that organizations must appoint an employee to oversee GDPR compliance. This employee is known as a data protection officer. As the regulation explains: “The Data Protection Officer, or DPO, is an organization’s GDPR focal point and will have to possess expert knowledge of data protection law and practices.”
What Does Personal Data Entail?
There is no one list that identifies every type of personal data; rather, the GDPR explains that it is “information relating to an identified or identifiable natural person.” Names, for example, could be considered personal data, but that isn’t always the case. As IT Governance explains, John Smith isn’t enough to identify one person since there are many people with that name. But if you combine the name with other information, such as a birthday and address, it could be enough information to identify someone.
The GDPR does not cover personal data that relates to deceased individuals, data in which personal identifying details have been removed or information about public authorities and companies.
What Does a Data Protection Officer Do?
In the simplest terms, a data protection officer (DPO) is involved in all aspects of personal data protection.
The position is also one that stresses confidentiality; typically the DPO only reports to the highest levels of management. Here is a good explanation from LinkedIn:
“A Data Protection Officer is responsible for educating a company’s employees about data compliance, training members of staff who are involved in processing data, and carrying out regular security audits. They also serve as the main point of contact between the company and the relevant data protection authorities. The role of Data Protection Officer is mandatory for all companies that process or collect EU Citizens’ personal data.”
Data Protection Officer Job Description
Establish a privacy governance framework to manage data use.
Work with key internal stakeholders to review projects and related data to ensure compliance with local data privacy laws; where necessary, complete and advise on privacy impact assessments.
Collaborate with IT to maintain records and a data privacy and security incident management plan.
Data Protection Officer Education Requirements
According to the Cybersecurity Guide, data protection officers typically need a BA or BS degree in computer science, information security or a related field. A bachelor’s degree, J.D. or equivalent work experience in privacy, compliance, information security, auditing or a related field may also be an accepted alternative. An advanced degree is typically not required, but it may depend on the position. Even if one isn’t required, there are many benefits to obtaining one; an advanced degree can provide real-world experience, demonstrate your commitment to continued learning and provide an edge over other job applicants.
Work Experience Needed
A data protection officer is not an entry-level position, especially since it deals closely with personal information. How much experience is required will depend on the specific job and the amount of data a company handles.
Professional Certifications
Certifications may be required, depending on the position. Either way, they are incredibly valuable to becoming a successful data protection officer.
Desirable Hard and Soft Skills
In addition to professional certifications, these are the skills a data protection officer should have, as outlined by the International Association of Privacy Professionals (IAPP):
5-10 years of experience in EU and global privacy laws (drafting privacy policies, technology revisions and outsourcing agreements)
5-10 years in IT operations and programming
5-10 years of experience in information systems auditing, attestation audits and assessment and mitigation of risk
Leadership skills