Data Protection Officers – what does it take to do the job?

January 2022

The unique blend of traits and skills which make for a great DPO

What is it that makes a DPO effective and successful? Whether you’re recruiting or someone interested in the role, here are a few thoughts for you to chew over. I’m focussing here more on character traits, rather than the specialist knowledge & skills required for the job.

Be a good leader – not just a manager

A DPO should be a self-starter, with the energy and motivation to lead and inspire others. With the leadership skills to set the direction of travel for data protection across the organisation, laying out clear priorities and bringing others with them on the journey.

In the words of Mark Starmer; ‘Will the real leader please stand up?’, leadership is all about being able to influence. This means building effective relationships with everyone from senior management, clients, customers and so on. All this helps the DPO with their quest to embed data protection principles and processes across the organisation.

If they have direct reports, they’ll need to be someone who can lead and inspire their team. This includes recognising people’s individual strengths and weaknesses, their progress and achievements. Finding appropriate and perhaps innovative ways to recognise and reward each individual.

Thirst for knowledge

Not only does a DPO need to have an excellent grasp of the relevant laws, and ideally qualifications to evidence this, but they also need to be someone who is always on a quest to learn more. Someone who is happy to spend their spare time reading new guidance, privacy articles and opinions, case law and so on. Someone with a genuine interest in the data landscape and emerging trends.

Autonomy and independence

A DPO must also be able to act autonomously, independently and objectively, as the role requires. Not only looking at what the law requires, but also considering ethical and moral issues, to work out what is the right thing to do. Acting with genuine honesty and integrity.

Robert Bond, Senior Legal Counsel at Bristows:

“Data Protection Officers must be adept and be able to adapt and adopt as circumstances require. Above all they need to implement compliance & ethics with impartiality.”

A great communicator and diplomat

Strong communication skills are vital. Taking the time to actively listen, interpret and understand others.

A DPO is likely to work with a range of staff across the organisation, plus clients and suppliers. Often working across national borders too. This requires cultural awareness and sensitivity. They need to be able to change their approach, depending on who they are talking to.

As Fedelma Good, Director at PwC UK explains:

‘DPOs need to be great communicators and above all they need to be multi-lingual. They need to be able to communicate across a broad range of stakeholders, ranging from board members to web designers and quite often they need to act as the translator to ensure that technical, legal and business specialists really do all understand each other.’

Sympathetic but strong

A good DPO will be both understanding and assertive. There’ll be times when people are tricky to handle, be it disgruntled customers or even perhaps a member of the senior management team!

The role doesn’t exist to preserve the status quo. They may need to push back against established practices (‘we’ve always done it that way’) and challenge people to think differently and find creative solutions. This takes sheer persistence and the drive to make a difference.

Confidence

A DPO should to be a confident individual who is up for some straight-talking when needed. They must be ready to stand their ground. But they also need the confidence to show humility and say when they don’t know the answer. The laws are detailed and complex and no DPO can know it all.

To apply the law in practice, they often need time to think it through and deliberate. DPOs need to be clear when they need this time and need to resist the temptation (or demands) to respond immediately.

Well-organised

Sometimes everyone seems to be clamouring for a piece of the DPO. Juggling multiple conflicting priorities, means being well-organised is critical. Some demands will be urgent, others important but less urgent, some can wait. That data breach always seems to happen on a Friday afternoon!

A DPO will inevitably need to do their fair share of ‘fire-fighting’ when things crop up out of the blue. They need to manage not only their diary, but colleagues’ expectations too!

Even at the busiest times, it’s also important to try and remain approachable with an ‘open door’ to anyone in the organisation.

Finding workable solutions

Because of the specialist knowledge and obligations a DPO has, they need to work hard to show the business how their role acts as an enabler for the business. Nobody wants to be seen as ‘the department of No’.

In my view this often comes back to character and communication style – being ready not only to shine a light on compliance risks but also to go the extra mile, working closely with stakeholders to find pragmatic solutions.

Taking a more flexible solution-oriented approach builds much better relationships, where the rest of the business sees the DPO as someone who doesn’t put up barriers, but will help them navigate their way to reach their goals.

This is especially important during times of change. Someone who can embrace change, stay positive and focussed and keep working towards shared goals is more likely to succeed in the end.

In conclusion

Wow, the DPO role is certainly a demanding role which requires a lot of positive character traits and interpersonal skills!

All nicely summed up by Matt Kay, Deputy DPO at Metro Bank:

“It goes without saying that the role of a DPO is multi-faceted requiring a broad skillset with organisations valuing certain skills more than others, and this of course differs between organisations. For me I think the key skills are stakeholder engagement, the ability to project manage, navigate conflicting priorities and being able to take a pragmatic approach. Taking risk based decisions that balance the needs of data subjects and the organisation you work for.”