The ODPC have recently issued guidance on the appropriate qualifications for Data Protection Officers in Ireland. Whilst some areas remain to be clarified further, it is unsurprising that the interpretation of the GDPR with regard to the DPO does not follow a completely rigid structure.
What is interesting is the added emphasis that the ODPC appear to be placing on levels of IT knowledge that may be required in certain cases.
So, whilst the Article 29 working party guidelines state that ‘the DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller’, the ODPC guidelines use different language in describing the IT skills that may be needed by the DPO.
Their view is that in some instances ‘a DPO may need an expert level of knowledge in certain specific IT functions, international data transfers, or familiarity with sector-specific data protection practices such as public sector data processing and data sharing, to adequately perform their duties.’
The original Article 29 working party guidelines were very clear that a Head of IT shouldn’t be the DPO because of the potential conflict of interest. It would be very interesting to see how the ODPC would view an Irish company appointing someone who has the appropriate data protection training, knowledge and qualifications but happens to be the Head of IT (or anybody in IT who is involved in determining the means of processing data) as their DPO because they were the only person in a company with the required expert IT knowledge.
When you consider that the Bavarian data protection authority issued a fine to a company in 2016 because it had its Head of IT as DPO, it certainly looks like this could be one area where there are very different interpretations of who should be DPO depending on where you are in the EU.
You can view the guidelines here: