The ODPC issues guidance on appropriate qualifications for a Data Protection Officer (GDPR).

The Data Protection Commissioner's Office

The ODPC have recently issued guidance on the appropriate qualifications for Data Protection Officers in Ireland. Some areas perhaps still need further clarification and, unsurprisingly, there are still some areas where interpretation of the GDPR with regard to the DPO doesn’t follow a completely rigid structure.

What is interesting is the added emphasis that the ODPC appear to be placing on levels of IT knowledge that may be required in certain cases.

So, whilst the Article 29 working party guidelines state that ‘the DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller’, the ODPC guidelines use different language in describing the IT skills that may be needed by the DPO.

Their view is that in some instances ‘a DPO may need an expert level of knowledge in certain specific IT functions, international data transfers, or familiarity with sector-specific data protection practices such as public sector data processing and data sharing, to adequately perform their duties.’

The original Article 29 working party guidelines were very clear that a Head of IT shouldn’t be the DPO because of the potential conflict of interest. It would be very interesting to see how the ODPC would view an Irish company appointing someone who has the appropriate data protection training, knowledge and qualifications but happens to be the Head of IT (or anybody in IT who is involved in determining the means of processing data) as their DPO because they were the only person in a company with the required expert IT knowledge.

When you consider that the Bavarian data protection authority issued a fine to a company in 2016 because they had their Head of IT as DPO, it certainly looks like this could be one area where there are very different interpretations of who should be DPO depending on where you are in the EU.

You can view the guidelines here:

Article 29 Working Party Guidelines on Data Protection Officers

About Wizuda

Developing IT Solutions to Make Businesses Better

At Wizuda we focus on developing IT solutions which help businesses grow and empower people to collaborate and stay connected securely and compliantly. Specialists in secure data transfer since 2001, all development and support operations are carried out from our two Irish offices located in Dublin (Wizuda Headquarters) and Limerick. We pride ourselves in developing software solutions that allow organisations to take back control of their file transfer and data sharing operations, enabling them to operate efficiently, securely and compliantly.
