What is a data protection officer? Otherwise known as a DPO, this is a fairly new position within cybersecurity. It has been brought about by the European Union’s General Data Protection Regulation, or GDPR, which was adopted in 2016 and became enforceable in 2018. Any company marketing services or goods to European Union residents, wherever that company happens to be located, is subject to the GDPR. Brazil’s law, the Lei Geral de Protecao de Dados (LGPD) is another data protection law that functions similarly to the GDPR.
Any company that does business in Europe, therefore, must hire a data protection officer. The data protection officer must monitor data protection strategies and ensure that a company complies with the GDPR. Additionally, the data protection officer is responsible for training management and staff on compliance requirements and for conducting security audits on a regular basis. The data protection officer is a liaison between a company and supervisory authorities who oversee data-related activities.
The factors that determine whether or not a company needs to hire a data protection officer are:
- The number of data subjects
- Number of data items
- How long the data is retained
- Geographical range of the processing of data
Businesses that are on a smaller scale likely will not need to hire a DPO. Those that are on a larger scale, however, must have a DPO on staff.
Are you interested in learning more about becoming a data protection officer? If so, keep reading.
Education and Experience Required to Become a Data Protection Officer
In order to become a data protection officer, you need at least a bachelor’s degree in information security, computer science or a related field. You should not need a graduate degree for this position. Consult our Cybersecurity Bachelor’s Degree guide to find a suitable, accredited bachelor’s degree program in your state. Examples include:
- Bachelor of Science in Information Technology – Specialization in Information Assurance and Cybersecurity – Capella University, online
- Bachelor of Science in Computer Science – Information Assurance and Security concentration – Tennessee Tech, Cookeville, TN
- Bachelor of Science in Cybersecurity – Champlain College, online
- Bachelor of Science in Computer Science & Engineering – Concentration in Cybersecurity – University of Connecticut, Storrs, CT
Having a legal background can be quite helpful in becoming a DPO. Some organizations prefer to hire licensed lawyers who have obtained their JD degree to handle the role of DPO. The ability to interpret GDPR regulations and apply them to case law is vital.
The majority of data protection officers who are hired have some years of experience in information security or information technology security. It is not considered an entry-level position. Some companies prefer to hire DPOs with at least five to ten years of experience in privacy and/or risk management activities and disciplines.
Additionally, industry certifications may be required in order to become a DPO. Recommended certifications for this position include:
- Certified Information Privacy Professional (CIPP)- International Association of Privacy Professionals
- Certified Information Privacy Manager (CIPM)- International Association of Privacy Professionals
- Certified in Risk and Information Systems Control – Information Systems Audit and Control Association
- Certified in the Governance of Enterprise IT- Information Systems Audit and Control Association
Job Description & Skills Required for a Data Protection Officer
Data protection officers are responsible for protecting the personal, private data of residents of Europe and Brazil (although the United States is expected to enact a law similar to the GDPR soon). The DPO must do much more than simply learn the GDPR regulations, however. Responsibilities of the DPO include (but are not limited to):
- Thorough knowledge of GDPR regulations and applicable national data laws
- Thorough familiarity with applicable privacy laws
- Experience with information security and threat assessment
- Experience in dealing with security incidents
- Maintain detailed records of all data processing (records must be made public upon request)
- Conduct security audits to ensure compliance
- Give in-house legal advice on privacy, data sharing and transfer of data
- Monitor performance and provide advice on data protection within company
- Draft, negotiate and review commercial agreements that contain protected data
- Advise and draft data protection documentation
- Offer guidance and support on new compliance reporting and data tracking requirements as they arise
- Act as a liaison between the organization and GDPR supervisory authorities
- Inform private citizens how their data is being used, what their rights are regarding their personal data, and what steps are being taken to protect their personal data
Skills that a data protection officer should have are:
- Excellent communication skills (both orally and in writing)
- Be a self-starter
- Work well independently
- Be able to simplify complicated regulations in order to instruct and train others in the organization
- Willingness to learn
Data Protection Officer Salary & Job Outlook
The U.S. Department of Labor’s Bureau of Labor Statistics (BLS) does not specify an annual mean wage for data protection officers. According to GDPR.CASH, the average salary of a DPO is EUR71,584 annually, which translates to $83,582 U.S. dollars per year.
Because of the adoption of the GDPR, it is expected that the need for data protection officers will continue to rise. As more countries adopt laws like the GDPR, more data protection officers will be needed to uphold the regulations involved. In 2018, for example, there were 8813 new job openings as a result of the GDPR (per GDPR.CASH). When you think about the fact that any company that does business in Brazil or Europe is subject to the GDPR, it is easy to see that jobs for data protection officers should be on the rise for some years to come.