Data protection officer: A job with many opportunities and good prerequisites

The formal hurdles set by the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) are low. The qualifications needed to work successfully as a company data protection officer, however, are relatively high, because the job is varied and demanding: data protection officers need a broad mix of skills that goes far beyond purely technical qualifications.

This article aims to show the diversity of the profession, the different paths into it and the requirements, and to give you the professional association's specific view on the qualifications of data protection officers.

Is a data protection officer actually a prerequisite for the secure handling of data in a company?

In addition to the European GDPR and the German BDSG, there are many further legal requirements at European and national level that protect privacy and the right to informational self-determination. As companies become more digitalized, more and more of them are deciding to appoint an internal or external data protection officer, or are bringing in external consultants to support their own legal department.

This makes a lot of sense, as data protection requirements can no longer be met in passing, and the documentation obligations arising from the GDPR in particular require time, expertise and a high level of process reliability. For example, keeping the record of processing activities (Art. 30 GDPR), i.e. a list of all relevant data processing operations, is an ongoing obligation that must be fulfilled with or without a data protection officer.

Even before we get to the legal obligations, one thing is clear: legally compliant and successful data management is an obligation for every company, regardless of size, and a mark of quality for every business in a data-driven economy.

We therefore strongly recommend appointing a data protection officer, because the administrative obligations exist with or without one. And just as you would ask a doctor about medical issues, it is advisable to appoint a DPO so that there is a clear point of contact within the company, for employees and also for the supervisory authorities.

Data protection officer requirements: What does the law require for the appointment?

Not every company is legally obliged to appoint a data protection officer, even though all companies are subject to the same data protection obligations and therefore to the same pattern of processes. In Germany, companies must appoint a DPO if they

  • have at least 20 persons permanently engaged in the automated processing of personal data (this also includes interns, temporary staff, etc.) (Section 38 BDSG), or
  • carry out processing operations that are subject to a data protection impact assessment pursuant to Art. 35 GDPR, or
  • process personal data on a commercial basis for the purpose of transfer, anonymized transfer, or market or opinion research (Section 38 BDSG), or
  • have core activities that consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of personal data (such as health data) or of data relating to criminal convictions (Art. 37(1)(b) and (c) GDPR).

A data protection officer must also always be designated (the old BDSG still used the term "appointment"; the GDPR speaks of "designation") where the processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity (Art. 37(1)(a) GDPR). In every case, the DPO's contact details must be published, for example in the privacy notice, and communicated to the competent supervisory authority (Art. 37(7) GDPR).

What requirements do I need to work as a data protection officer?

In Germany, there is no uniform training path or standardized qualification that must be completed in order to work as a company data protection officer. Nor does employment law specify what is strictly required to become one.

The BvD's position

For secure and successful handling of data, the BvD calls for the development and establishment of Europe-wide standards for the qualification of data protection officers. This concerns training and proof of competence for DPOs, transatlantic data transfers, and technological standards for dealing with processors and with anonymization technologies. Many of these procedures have already been tried and tested and now need to be regulated politically.

However, there are some prerequisites and recommendations that should be taken into account. The first step is to acquire comprehensive knowledge in the area of data protection. This includes:

  • Legal basis: GDPR, Federal Data Protection Act (BDSG) and other relevant laws such as UWG, Data Act, AI Act, etc.
  • Technical knowledge: IT security measures and data protection technologies.
  • Organizational measures: Data protection management and documentation.

Attend dedicated training courses that prepare you for working as a DPO. There are various recognized further training options, such as

  • TÜV-certified courses: TÜV offers various courses and certificates to obtain the necessary qualifications in the field of data protection.
  • IHK certificates: Chambers of Industry and Commerce also offer further training and certificates.
  • Private providers: There are numerous specialized training providers that offer courses and certificates in the field of data protection.

(Not only) something for lawyers – technical background or IT knowledge doesn’t hurt either

Studying law teaches you how to handle, understand and interpret legislation, so lawyers are naturally well equipped to deal with personal data in companies of all sizes. However, in addition to soft skills (discussed below), an understanding of technical contexts and IT skills are just as important and useful for assessing processes and actively finding solutions.

However, one thing is clear: a DPO must have the necessary expertise in the field of data protection and IT security. This includes knowledge of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other relevant data protection laws as well as technical and organizational measures for data protection.

The legal requirements for a data protection officer are laid down in Art. 37(5) GDPR:

"The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."

The recitals offer little further clarity, as they merely state that a data protection officer must have "expert knowledge of data protection law and practices" (Recital 97, sentence 2). The next sentence contributes little to the question of suitability either: "The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor."

No chance without further training

Further training is essential to ensure that a data protection officer can work effectively and with legal certainty in a rapidly changing environment.

Legal framework: Data protection laws and regulations are constantly evolving. New laws, court rulings and official guidelines can significantly change the requirements for data protection. Only through regular further training can a data protection officer stay informed about these developments and act accordingly.

Technological advances: The technologies used for data processing are developing rapidly. New software, hardware and procedures for data processing bring both opportunities and risks. A data protection officer must understand these technologies in order to assess their data protection implications.

Security threats: The threat situation in the area of information security is constantly changing. New types of cyberattacks and security breaches constantly require new strategies and measures to protect personal data. Continuing education keeps a data protection officer up to date with the latest security practices.

Best practices and standards: The field of data protection benefits from a lively exchange of best practices and standards. Further training enables data protection officers to familiarize themselves with the best and most efficient methods and to implement these in their organization.

Trust and credibility: Ongoing training strengthens the competence and credibility of a data protection officer. This is important to ensure the trust of employees, customers and business partners in the company’s data protection measures.

Complexity of data protection tasks: The tasks of a data protection officer are varied and complex. Further training helps to develop a comprehensive understanding of the various aspects of data protection, from legal requirements to technical measures and organizational processes.

Good data protection needs independence

A very important prerequisite for a competent analysis of data processing operations is independence and freedom from conflicts of interest: the DPO must not be subject to any conflict of interest in this function (Art. 38(6) GDPR). This means they must not hold a position that could compromise their independence, such as managing director or head of IT, because they would then be monitoring their own decisions.

And what soft skills make a qualified data protection expert?

A good data protection officer is characterized by a variety of soft skills. Openness and communication skills are essential, as new things are constantly being added in this area and it is important to speak openly and think “out of the box”.

Structure and documentation are just as important for organizing complex processes clearly and documenting them in a comprehensible manner – especially if several employees need to be involved in the processes.

Self-learning skills are essential, as continuous training and the acquisition of new knowledge are part of everyday life. It is also important to look at things from different angles in order to find comprehensive solutions.

And last but not least, a certain degree of frustration tolerance is also required to deal with the inevitable challenges and setbacks.

Networking and exchanging experiences

Use networks and professional associations such as the German Association for Data Protection and Data Security (GDD) or the Professional Association of Data Protection Officers in Germany (BvD) to exchange information and stay informed about current developments.

Job description of the BvD specifies important requirements for the data protection officer

In the highly complex and rapidly changing environment of digitalization, company management as well as customers and employees must be able to rely on qualified experts with comprehensive expertise to support them in the context of security and compliance.

Data protection officers have been taking on precisely these tasks for decades. The Professional Association of Data Protection Officers in Germany (BvD) began describing the requirements for the work and expertise of data protection officers back in 2004. In 2009, this resulted in the first “Professional Guiding Principles for Data Protection Officers” in Europe, which members must commit to in writing in order to be recognized by the BvD as appropriately qualified.

Through this process and the award “Self-commitment to the professional mission statement of the data protection officer”, companies and institutions can prove that qualified data protection officers have been appointed. If you would like to find out more about the professional mission statement or would like to contribute to it, click here: https://www.bvdnet.de/bvd-ausschuesse/ausschuss-berufsbild/

Data protection officer requirements – everything important at a glance

When is a data protection officer necessary?

A data protection officer is required if:

  • A company's core activities consist of regular and systematic monitoring of data subjects on a large scale.
  • Special categories of data such as health data are processed on a large scale as a core activity.
  • At least 20 persons are permanently engaged in the automated processing of personal data (in Germany, Section 38 BDSG).

Data protection officer requirements: The obligation to appoint a data protection officer arises from the General Data Protection Regulation (GDPR) and national data protection laws.

Does a data protection officer have to take an exam?

A formal examination is not mandatory. However, it is advisable to complete appropriate training and certification in order to acquire the necessary data protection officer qualification.

How can you become a data protection officer?

To become a data protection officer, you should follow these steps:

  1. Participation in training or further training courses that specialize in the GDPR and national data protection laws
  2. Acquisition of a certification to prove your data protection officer qualification.
  3. Gain practical experience in data protection management and legal principles.

Who cannot become a data protection officer?

Persons with conflicts of interest may not be appointed, e.g.:

  • Managing directors or IT managers, as they would have to check their own work.
  • Employees who lack the required data protection expertise.

How do you become a certified data protection officer?

To become certified, you will undergo a training program with recognized training providers. These programs test and certify your knowledge, which confirms your data protection officer qualification.

Can anyone become a data protection officer?

No, not just anyone can become a data protection officer. Certain requirements must be met to become a data protection officer:

  • Knowledge of data protection law and IT.
  • Independence and neutrality.
  • No conflicts of interest.

How do I become an external data protection officer?

An external data protection officer works on a self-employed basis for several companies. The requirements vary depending on the industry but always call for sound specialist knowledge:

  1. Extensive data protection officer qualification.
  2. Conclusion of contracts for the assumption of data protection tasks.
  3. Building a network and marketing your services.

What prerequisites should a data protection officer have?

The requirements for a data protection officer include:

  • Expert knowledge of data protection law.
  • Technical understanding of IT security measures.
  • Communication and problem-solving skills.

A data protection officer must be able to:

  • Apply and implement data protection law.
  • Assess IT security measures.
  • Conduct employee training.
  • Maintain data protection documentation.
  • Communicate with supervisory authorities.