The role of Data Protection Officer is becoming more important as technology allows the sharing of data more quickly and on a much larger scale. Despite this, no minimum qualification is required to take on the role. The latest UK Data Protection Index reveals DPOs overwhelmingly want this to change, we look at the reasons why.
What should a company look for when appointing a Data Protection Officer (DPO)?
Provisions in the General Data Protection Regulation (GDPR), implemented in the United Kingdom through its Data Protection Act 2018, outline some loose criteria data controllers must take into account when deciding on a DPO.
When designating a DPO, controllers must have regard to the ‘professional qualities’ of the proposed officer, particularly their “expert knowledge of data protection law and practice.” They also need to consider the ability of the proposed officer to carry out the multitude of tasks required of a DPO.
However, currently there is no requirement that a proposed DPO demonstrate their expert data protection knowledge by gaining a qualification.
The latest report of the UK Data Protection Index suggests a large majority of DPOs want this to change.
The UK Data Protection Index, produced by Data Protection World Forum and The DPO Centre, allows us a glimpse into the changing attitudes and sentiments of DPOs by asking our panel of 334 DPOs the same set of questions each quarter.
The results are striking. When faced with the statement ‘The DPO role should become a protected title with minimum qualification requirements”, 84% of respondents agree that it should, up from 80% in November’s report. One in four DPOs (25%) say they “strongly agree”, while just 9% disagreed with the statement.
But why do so many DPOs want to see this minimum requirement?
Rob Masson, CEO of The DPO Centre commented that “DPOs recognise the complexities involved in the advice they are required to provide on a daily basis, and are therefore acutely aware of the level of skill and depth of knowledge required to inform and advise their organisations appropriately. Elevating the role of DPO to a protected title, along with the requirement to demonstrate a minimum academic capability would not only recognise DPOs for the senior advisory role they perform, but also ensure that industry standards are maintained and data subject rights continue to be appropriately upheld.”
It would seem then that many DPOs would agree on the need for a minimum qualification, but what level of qualification should we expect? What strikes the right balance between ensuring a proposed DPO is qualified, without making it too difficult for companies to appoint?
March’s UK Data Protection Index report for the first time asked the panel what they think the minimum level of qualification should be (see chart below).
More than half of the panel (53%) were in favour of a multi-day accredited certification. A total of 19% opted or a 6–12-month study programme and 12% said they would be in favour of an online course.
Longer qualifications proved less popular among DPOs. Just 3% think the minimum qualification should be a 1-2 year BTEC equivalent, just 2% a three-year degree and 4% a postgraduate degree.
Rob Masson says: “It is encouraging to see a significant majority of the panel favour a minimum certification level. However, industry standards will need to continuously rise in line with the rise in complexity and diversity of global data protection laws.
“The bar will need to be set progressively higher, meaning the longer duration, more involved accreditation levels are likely to be required and therefore reflective of the senior professional status the award of a protected title represents.”
Apply for DP Index Membership
The next survey results will be published in June 2021. If you are a data protection or privacy professional and you would like to join the panel and add your voice to future surveys, please apply for membership using the button below.
As data protection concerns continue to increase worldwide, the job of the DPO has never been more important.
The message from the DPOs on the UK Data Protection Index panel is clear, it is time for the role’s importance to be properly reflected by making it a protected title with minimum qualification requirements.