Qualified for the job: time for the role of DPO to become a protected title?

What should a company look for when appointing a Data Protection Officer (DPO)?

Provisions in the General Data Protection Regulation (GDPR), implemented in the United Kingdom through its Data Protection Act 2018, outline some loose criteria data controllers must take into account when deciding on a DPO.

When designating a DPO, controllers must have regard to the ‘professional qualities’ of the proposed officer, particularly their “expert knowledge of data protection law and practice.” They also need to consider the ability of the proposed officer to carry out the multitude of tasks required of a DPO.

However, currently there is no requirement that a proposed DPO demonstrate their expert data protection knowledge by gaining a qualification.

The latest report of the UK Data Protection Index suggests a large majority of DPOs want this to change.

The UK Data Protection Index, produced by Data Protection World Forum and The DPO Centre, allows us a glimpse into the changing attitudes and sentiments of DPOs by asking our panel of 334 DPOs the same set of questions each quarter. 

The results are striking. When faced with the statement ‘The DPO role should become a protected title with minimum qualification requirements”, 84% of respondents agree that it should, up from 80% in November’s report. One in four DPOs (25%) say they “strongly agree”, while just 9% disagreed with the statement.

But why do so many DPOs want to see this minimum requirement?

Rob Masson, CEO of The DPO Centre commented that “DPOs recognise the complexities involved in the advice they are required to provide on a daily basis, and are therefore acutely aware of the level of skill and depth of knowledge required to inform and advise their organisations appropriately.  Elevating the role of DPO to a protected title, along with the requirement to demonstrate a minimum academic capability would not only recognise DPOs for the senior advisory role they perform, but also ensure that industry standards are maintained and data subject rights continue to be appropriately upheld.”

It would seem then that many DPOs would agree on the need for a minimum qualification, but what level of qualification should we expect? What strikes the right balance between ensuring a proposed DPO is qualified, without making it too difficult for companies to appoint?

March’s UK Data Protection Index report for the first time asked the panel what they think the minimum level of qualification should be (see chart below).

More than half of the panel (53%) were in favour of a multi-day accredited certification. A total of 19% opted or a 6–12-month study programme and 12% said they would be in favour of an online course.

Longer qualifications proved less popular among DPOs. Just 3% think the minimum qualification should be a 1-2 year BTEC equivalent, just 2% a three-year degree and 4% a postgraduate degree. 

Rob Masson says: “It is encouraging to see a significant majority of the panel favour a minimum certification level.  However, industry standards will need to continuously rise in line with the rise in complexity and diversity of global data protection laws.  

“The bar will need to be set progressively higher, meaning the longer duration, more involved accreditation levels are likely to be required and therefore reflective of the senior professional status the award of a protected title represents.”

As data protection concerns continue to increase worldwide, the job of the DPO has never been more important.

The message from the DPOs on the UK Data Protection Index panel is clear, it is time for the role’s importance to be properly reflected by making it a protected title with minimum qualification requirements.

CLICK HERE TO READ THE LATEST UK DATA PROTECTION INDEX FINDINGS