Why your DPO needs specialised training

The broad range of skills required to succeed as a DPO (data protection officer) makes it a tough position to fill. DPOs need to work with staff to answer data protection questions, monitor the organisation’s data protection policies and procedures, and, of course, have expert knowledge of the GDPR (General Data Protection Regulation).

We therefore wouldn’t expect an organisation to simply tell its newly appointed DPO to get straight to work. Instead, they should be given specialist training to help them excel.

Not convinced? Here are three reasons why you should invest in specialised DPO training.

1. It will shore up GDPR knowledge gaps

DPOs are naturally expected to have expert understanding of data protection law, and they should have received GDPR training. However, the shortage of skilled DPOs means not every organisation will be able to appoint someone who already knows the Regulation inside out. Many will have to make do with their resident data protection and privacy expert, who may well have a strong understanding of the GDPR, but will need to bone up on the Regulation’s requirements to fulfil all the DPO’s tasks.

Studying will also help DPOs understand how the GDPR works in practice. Those who are new to the job will quickly learn that there’s a huge difference between understanding the Regulation’s requirements and ensuring that the organisation implements them. It’s only through practical exercises that DPOs can learn to bridge that gap.

2. They need to learn how to be independent advisors

Arguably the trickiest part of being a DPO is liaising with employees on the organisation’s data protection practices. DPOs must advise staff on their data protection responsibilities and monitor whether they are being met, but they must also operate independently and without instruction from the organisation.

This means an employer can’t help the DPO perform their duties, and the DPO can’t overstep their boundaries when advising employees on how to achieve compliance. Doing so would effectively make them responsible for that activity, jeopardising their status as independent advisors free from conflicts of interest.

As such, DPOs must learn what they can and can’t say in their role, a skill that’s particularly important if they take on the responsibilities alongside their existing role.

3. It helps them prepare for disaster

DPOs play a crucial role in the data breach response process. The GDPR gives organisations 72 hours from the time they become aware of a breach to disclose it to their supervisory authority. The disclosure should include explanatory details about the incident, such as what caused the breach, how many records were affected and the types of information involved.

It’s the DPO’s responsibility to record all these details (acquired from relevant members of staff) and relay them to the supervisory authority by email or phone.

The task itself is relatively straightforward if the DPO is sufficiently prepared. This generally means having the supervisory authority’s contact details to hand, as well as a list of the details you are required to provide. A meticulous DPO might also prepare a list of employees who are best suited to providing the necessary information, as well as alternatives if that person is away from the office.

However, without specialist training, your DPO will have to figure out how to plan for breaches by themselves. (Remember, you can’t advise them.) Maybe they’ll manage, but do you want to take the chance? Particularly when the stress and panic that comes with a data breach could lead to your DPO making a crucial mistake.

Interested in a DPO masterclass?

Anyone who wants to learn how to become an expert DPO should consider our Certified Data Protection Officer (C-DPO) Masterclass Training Course.

Using practical examples and exercises, you’ll learn how to fulfil the DPO’s tasks and develop the soft skills that the role requires.

This four-day course runs in Birmingham, London and Manchester.

Leave a Reply

Your email address will not be published. Required fields are marked *