GDPR compliance

Guide to hiring an excellent Data Protection Officer for GDPR

~
The IT industry lives by a number of well-established cyber-security concepts. For instance, large companies and enterprises have been employing people with titles like Chief Security Officer (CSO), Chief Information Security Officer (CISO) and Chief Compliance Officer (CCO) for decades. Small companies had equivalent positions with affixes like specialist, expert or manager. GDPR reconsiders most of these concepts, stirs them up and adds extra flavour.
The DPO is actually very similar to these positions. We have created a short, easy-to-use list of required qualities and some tips on hiring your new DPO.
We need a superhero


Here is the official GDPR guideline on Data Protection Officers. The requirements for DPO appointment are defined in Article 37: Designation of the data protection officer.

The list of suggested qualities is quite long and comprehensive, but here are the main points. A DPO should:


Be an authority figure who reports only to the board of directors
Get their own budget
Get their own team
Be fully supported by the entire organization
Have deep understanding of data protection laws including GDPR
Have hands-on experience in IT security
Have understanding of company processes
Be a strong communicator, promoting security
Be able to train staff on compliance issues
Be able to analyse and document processes and problems
Get "GDPR DPO certified" as soon as possible
NOT be influenced by conflicts of interest
NOT be told how to do their job
As you can see, this is another hybrid role, which ideally should be given to someone with 10+ years of experience in a variety of roles.
What to look for in a DPO candidate?
Since the DPO is such a hybrid role, personal qualities and characteristics might actually be more important than a professional track record.
You can learn about GDPR and laws
You can learn how to create process maps and manuals
You can learn the basics of modern IT security
You can become a very competent data protection trainer
However, it will take a long time to understand how everything is organized from the inside and to train bullying senior managers on compliance matters. Internal resistance to the DPO's work is going to be strong, and only a gritty personality and C-level support will help them succeed.
Taking into account what has already been said, there are several "preferred" options to choose from. Right now, you can't expect to find thousands of resumes titled "Experienced DPO looking for a new challenge" in your mailbox.
CIO/CSO/CISO
C-level IT managers, especially the ones with a security background, are the most obvious choice. Understanding of large-scale IT operations, data warehouses and databases is going to be extremely valuable. They are also likely to have procurement experience, which will come in handy as your organization starts to get rid of those security holes. Being in a position of authority might be a challenge for them, though.
Financial/Business/Compliance controllers
While they need assistance in improving their IT knowledge, they bring another great value: the ability to scrupulously analyse processes, find inefficiencies and inconsistencies, and document the changes. They are also trained to be in charge, operating outside anyone's jurisdiction and reporting only to the CFO or CEO.
CEO or Business Development Director
Even though GDPR is enormously important, the business must go on. General managers and business developers will be able to understand what a nightmare it turned out to be for Marketing, Sales, HR etc. They are also good at negotiating process alterations in a variety of business areas to get to a "compliant" state. They have no problems with holding authority but might need a brush-up on IT, security and legal issues.
Former or acting consultants
They are experts at talking and convincing people to do what they know has to be done. Hiring a consultant full time is likely to be cheaper than paying an hourly rate. It might be tricky to recruit a consultant, but a decent salary and a C-level position might be tempting.
Last but not least, promoting someone from within your company might actually be one of the best solutions, as that person will come with an understanding of your company and some personal credit. Just don't forget to hand over their responsibilities and give a reasonable bump in pay. Remember, they will show up on every head-hunter's radar after they put shiny "DPO" on their LinkedIn profile.
DPO salary and term
The DPO position comes with a huge responsibility and a need for self-motivation. There will be plenty of stress and conflicts, especially prior to GDPR (set to go into effect at the end of May), after the inevitable breach, or when a supervisory authority audit takes place. Moreover, a person can feel lonely in this position, as they have to spend their days digging through dark data closets and giving orders to every manager.

It's a little bit early to draw conclusions about the salary package, but we are likely to be talking about €100-200k annually in large and enterprise businesses, plus benefits and non-disclosure compensation.
DPO salary ~ €100-200k per year
This sounds like a lot, but some surveys claim that there will be a need for over 30,000 DPOs before the end of 2019. This makes sense, as there are over 10,000 companies employing more than 250 people. They will probably hire a DPO due to the nature of their operations. You should also keep in mind the financial, IT, healthcare and public sectors. Last but not least, subsidiaries of large international corporations will agree to follow GDPR rules so as not to get hit with the "global turnover" penalty.
Here is a nice article on CSO salaries in the EU and UK, alongside some insightful comments from CSOs, which is the closest position to the DPO.

You should seek legal help in drafting the DPO contract, as it has to reflect the GDPR requirements and contain a solid non-disclosure clause. Should something happen, the DPO's contract and job description will be checked during an audit.


~
Unlike other tech jobs, hiring a DPO is going to be a challenge. It's a case where being tech-savvy and experienced is not enough. Define your needs as early as possible and start searching for talent in the market, in your company and in your network today.