EMERGING CAREER: HOW TO BECOME A DATA PROTECTION OFFICER
What is a DPO: Origin of the data protection officer role
Though emerging as an official job title in the U.S., the data protection officer role originated in 2018 as a required part of General Data Protection Regulation (GDPR) compliance in the European Union (EU). It is an enterprise security leadership role whose primary purpose is to oversee a company's data protection strategy, protect customer data and implement the strategies to keep that consumer data protected.
GDPR was proposed and enacted by the European Parliament, the European Council and the European Commission to strengthen data protection for EU citizens. The role of the data protection officer (DPO) grew from this act, which calls for the "mandatory appointment of a DPO at every organization that processes or stores personal data for EU citizens." GDPR states that the "size of a company or organization is not what necessitates the need for a DPO, but rather the size and scope of the data that's being handled."
They further state that DPOs must be "appointed for all public authorities and where the core activities of the controller or the processor involve regular and systematic monitoring of data subjects on a large scale, or where the entity conducts large-scale processing of special categories of personal data."
What about the U.S.?
Only the state of California enforces something like GDPR in its California Consumer Privacy Act (CCPA), a data privacy act that originated in January 2020 and gives California residents greater control over how businesses collect and use their personal information. And since there is no other formal or mandated compliance legislation like the GDPR to protect data privacy, the DPO job title isn't quite as common in the U.S., and may be called something different, such as Chief Privacy Officer or Chief Information Security Officer (CISO).
The Federal Trade Commission (FTC) does enforce the Gramm-Leach-Bliley Act (GLBA) in the U.S., which requires financial institutions offering loans, investment advice or insurance, to protect consumer data and make how they use consumer data transparent to their customers. Under the GLBA's Safeguards Rule passed in 2021 by the FTC, a financial institution must have a "qualified individual" overseeing the implementation of its information security program. This is largely considered a DPO-type role, thus recognizing it as a legitimate job title in the U.S.
What does a DPO do?
A data protection officer is required for businesses based on the scale of the data handling that they do, and many small businesses may avoid hiring for the role unless their business model is focused on data collection or storage, which is determined by what defines "data collection." While the role is mandatory in the EU, there are few regulations or rules that inform where a DPO should be hired in the U.S. and even in the EU the job description and when a DPO is mandatory are fuzzy about the criteria. The one agreed-upon set of rules is that who needs a DPO is decided by three factors that define the scale of data collection and storage as outlined in Article 29 of the Data Protection Working Party (WP29). These are:
It is a public authority or body, which the WP29 interprets as encompassing national, regional and local authorities, as well as other organizations "governed by public law."
The company's core activities entail processing operations, which require regular and systematic monitoring of data subjects on a large scale.
The company's activities entail processing on a large scale of special categories of data—such as race or religion—or personal data relating to criminal convictions and offenses.
In defining "large-scale," the GDPR cites four factors that help determine what that is:
- Who are the data subjects?
- What the data items are
- How long will the data be retained? Is it permanent?
- What is the geographical range of the data processed?
What a DPO does on the job:
The job duties for a data protection officer will likely be similar no matter if they work in the EU or the U.S., as the goal of the job is the same. Article 39 of the GDPR, and CPO Magazine define the duties of a DPO as:
- Educate company employees on compliance
- Determine and update data strategy, data governance and data collection best practices
- Conduct data protection impact assessments or DPIAs, which identify and minimize risks in the processing of personal data as early as possible
- Conduct audits to ensure compliance and address potential issues proactively
- Monitor performance and provide advice on the impact of data protection efforts
- Maintain comprehensive records of all data processing activities conducted by the company, so that they can be made public on request
- Cooperate with authorities, acting as a point of contact with them for any request for information addressed to the company, as well as making any inquiries to the authorities on behalf of the company
Ideally, DPOs will have the following skills and knowledge:
Hard skills for a successful DPO:
- Have expert knowledge about data protection laws and practices and all the regulations around them
- Have experience in IT security, security audits, cyber security and threat assessments
- Have strong communication skills across all departments and tiers
- Have at least a bachelor's degree in computer science, cyber security or information security
- Have proven skills in data analysis and data management
Soft skills for a successful DPO:
- Have excellent communication skills
- Have analytical and problem-solving skills
- Strong attention to detail
- Strong organizational skills
- Be a proactive thinker
The importance of a DPO in data protection and privacy
A DPO is a critical component to a company's security and adherence to compliance in an age when data is compromised on a daily basis. A good data protection officer should be a proactive thinker and doer and foresee solutions that can help keep company employees alerted to compliance and regulations that may ensure the security of not only the company but the data of thousands of individuals. A good DPO will help to guide a business through the complexities of new approaches to privacy regulations, which could impact every department—from human resources, legal, corporate and product, to content, database design, IT infrastructure and cyber security.
Are a data privacy officer and data protection officer the same?
While the terms "data protection" and "data privacy" are sometimes used interchangeably, there is a major difference between the two roles: Data privacy officers define who has access to data, while data protection officers provide tools and policies to restrict access to that data.
Steps to become a data protection officer (DPO)
Earn a bachelor's in computer science, cyber security or information security.
A solid foundation in information security analysis will help you gain the confidence to think independently and have a proactive approach to the DPO job.
Get educated in data protection laws, compliance and regulations.
Depending upon where you work you may need to know laws and regulations for a county, a state or nationally. The exploitation of data will never stop, so you can expect this step to be ongoing and ever-changing as long as you work in the field.
Gain practical experience in data protection and privacy.
Experience in cyber security or information security can give you a strong foundation before you step up to the rigors of a DPO position.
Earn certifications and attend bootcamps.
The more you know what to look for the more you'll be prepared. New tools and information will always happen in this role, and since a proactive stance is key to the job, earning certifications will help you expand your knowledge base and understand what may be coming in advance of its actually happening.
Stay current on the news and what's going on in the world.
Industry trends, compliance regulations and best practices will change daily as data changes, and tactics to exploit data grow and change.
DPO education and experience
Data protection officers typically need a bachelor's degree in computer science, cyber security or information security or a related field. A bachelor's degree, Juris Doctor or equivalent work experience in privacy, compliance, information security or auditing may also be an alternative. Desired work experience may include five years in privacy and compliance-related risk management positions. Promotion to DPO can likely be considered after 10 years of experience in the various privacy disciplines, such as privacy and policy, privacy law, information governance, incident response, information security, training and awareness.
Certifications for data protection officers
Once you've entered the workforce in a cyber security or information security role, you can hone your skills and educate your way into a DPO position by enrolling in one or more certification programs. Certification programs offer professional credentials that you can add to your title by enhancing your skillset with focused areas of information security or data protection education. Certification programs may require that you have experience or a set period of time on the job before you're eligible to pursue the certification. Other certification providers may simply require you to pass an exam. Once you are eligible, most certifications take a few months to complete.
Some of the professional DPO certifications available for those wishing to enter, or who are currently in a DPO role are:
| Ceritification | Issuing agency | You'll learn... | Program formats | Cost |
|---|---|---|---|---|
| Certified Information Privacy Professional/Europe (CIPP/E) | International Association of Privacy Professionals (IAPP) | European laws, regulations and policy. Includes explanations of European regulatory structures, concepts of data protection, major laws including the GDPR and the ePrivacy Directive. | Online self-paced, live online, in-person, group | $1,195 for the training, $550 for the exam |
| Certified Information Privacy Professional/United States (CIPP/US) | International Association of Privacy Professionals (IAPP) | U.S. federal and state privacy statutes, analysis of sectoral laws, civil and criminal enforcement and an overview of the EU's GDPR and the CCPA. | Online self-paced, live online, in-person, group | $1,195 for the training, $550 for the exam |
| Certified Information Privacy Manager (CIPM) | International Association of Privacy Professionals (IAPP) | Introduction to the U.S. privacy environment, private sector collection and use of data, government and court access to private sector information, workplace privacy and state privacy laws. | Online self-paced, live online, in-person, group | $1,195 for the training, $550 for the exam |
| Information Security Management Systems Lead Auditor (ISO 27001) | Certified Information Security (CIS) – National Initiative for Cybersecurity Careers and Studies (NICCS) | A one-day program for those who need to conduct internal or external audits of a risk management system supporting an ISMS, or manage an ISO ISMS audit program. | Classroom or online with instructor or online, self-paced | $1,674.85 |
There are also other certifications available for professionals in the fields of HR, compliance and information security who might desire to expand their knowledge of data privacy regulation or move into a DPO role, or in the case of the CDPO certification, help them gain needed regulatory knowledge as a practicing DPO:
| Certification offered | Issuing agency | You'll learn... | Program formats |
|---|---|---|---|
| Certified Data Protection Officer (CDPO) Also offers a S-CDPO credential for DPOs who have extensive experience and seven years on the job. | Knowledge Academy and others | Intro to data protection, why it's required, regulations and approaches and the role of the data protection officer. | Online self-paced, online instructor-led, in-person |
| Data Protection Practitioner (DPP) | Different organizations: Seco Institute, PECB, etc. | Five day course focused on hands-on practice in a simulated business environment. You will learn how to implement and safeguard GDPR compliance in your company. | Virtual online, classroom |
Bootcamps for DPOs
Bootcamps are another way to get focused training programs that prepare students with specific skills needed to enter the field of information security or any field you may be wanting to enter, such as cyber security or IT. Some bootcamps are designed for data security or data privacy professionals who already have some experience in the field or on the job, but most bootcamps are meant for people with very little to no previous experience in the area. These programs can usually be completed in a few months, are usually online and can be immersive and intensive.
Since the DPO role is relatively unique and new, a bootcamp may be a great way for professionals to get basics in information security, cyber security and related subjects quickly so they can begin their move toward data protection entry-level practitioner roles with a solid knowledge base.
Some bootcamps that may help lay the foundation include:
Flatiron School Cybersecurity Engineering Bootcamp
What you'll learn: You'll graduate prepared for a range of vital tier 1+ cyber security roles—like security engineer or penetration tester
Format: Classroom or online
Length: 15 weeks
Columbia University Online Cybersecurity Bootcamp
What you'll learn: Real-world training in networking, systems, web technologies, databases and defensive and offensive cybersecurity
Format: Online
Length: 24 weeks
Data Incubator Data Science Bootcamp
What you'll learn: Data Science technologies with advanced Machine Learning, Natural Language Processing (NLP), advanced analytics and more
Length: 8 weeks
360DigiTMG Data Science for Internal Auditors
What you'll learn: Innovative technologies in internal auditing and utilizing them to improve business operations. You'll understand the fraud analytics lifecycle and learn about various data analytics, such as descriptive and predictive analytics, and you'll learn advanced techniques to detect fraud.
Length: 4 weeks
Data protection officer salary
Since DPOs can come from other parallel careers, such as compliance officer, or computer science and IT careers, it's hard to pinpoint an average salary for the field. The U.S. Bureau of Labor Statistics does not track salaries specific to DPOs, but it does cite median annual salaries for many of the cyber careers from which a DPO might come. Here are some comparisons of different careers to give you an idea of what an enterprise security leadership role's salary may be.
Because DPOs are mandatory in the EU for any business that collects data, it's difficult to gauge where a DPO might work based on geographical location. Rather, it would be more likely that DPOs would have a higher concentration of opportunities based on the type of business. For example, in the U.S. it makes sense that DPOs would be in demand near and around Washington D.C. where there are federal agencies that store data, such as the IRS. Areas pocketed with high tech, such as Silicon Valley or San Francisco and Seattle, may also be potentially high-employment geographic locations.
Some businesses or agencies where DPOs may be employed are:
- Federal government agencies that collect and store information, such as the IRS, FBI, Social Security Agency or NSA
- Military
- Local and state government agencies
- Financial institutions, including lenders, investment, securities and banking
- Technology, internet and e-commerce hubs
- Insurance companies, including healthcare
- Healthcare companies and hospitals
- Non-profits and not-for-profit businesses that collect data
Another factor in pay might be education level. While a master's degree isn't required, a bachelor's and experience are a must, and some positions require five or more years of experience in a related privacy role, such as compliance or HR, to even begin to take the steps to apply for a DPO position.
Frequently asked questions (FAQs)
Is a DPO required in every company?
No, only companies that process data and are a "public authority or body." A DPO is required if the data collected requires regular and systematic monitoring of data subjects on a large scale. A DPO is mandatory if a company is processing data on a similarly large scale.
Can a DPO be a controller or processor of personal data?
DPOs may be an outside contractor and impartial person, or they may be a company employee, such as a controller. However, they must not have any current responsibilities that may be in conflict with their monitoring responsibilities, and they must be able to do their work without being pressured by other people within the company to do things in any certain way.
What happens if a company does not appoint a DPO even though one is required?
Failure to appoint a Data Protection Officer constitutes an infringement, which may result in an administrative penalty of up to 10 million euros or 2% of the total annual turnover, whichever is higher, according to GDPR regulation.
What are the penalties for non-compliance with data protection regulations?
Companies can face four major risks for non-compliance with data protection regulations: inadequate cyber security, expensive fines, high individual penalties and reputational damage.
The FTC and other federal financial regulatory authorities also have the power to bring civil actions for damages related to GLBA. In the context of the FTC, potential consequences include cancellation or amendment of contracts, refunds or return of any real property, restitution or compensation for unjust enrichment; monetary penalties and public notification of the violation. Civil monetary penalties range from $5,000 to one million dollars per day of violation if an individual knowingly violated the law.
States also establish consequences for non-compliance with state privacy laws. For example, the CCPA provides for fines of up to $2,500 per violation or $7,500 if the violation is intentional. It notably does not place a cap on the total amount of fines.
Getting started as a DPO
With data protection and privacy becoming more integral to businesses every day, and laws and regulations being enacted to make companies accountable and liable for the data they are obligated to protect, the role of the DPO also becomes more critical and essential. If you are an independent and compliance-minded crusader who is dedicated to keeping user data safe and protected under the law, then why not get started on a DPO career path?
Not only will you showcase your grasp of the relevant laws, but you'll never stop learning as a DPO. If you are currently working in data science or analytics, HR, compliance or information/cyber security but want to step up to a career that is just beginning to make its presence felt in a big way, a DPO bootcamp, data science degree or certification program can help you tale the first step toward helping guide businesses through the complex new approach to privacy regulations.
To get started, all you need to do is click the Find Schools button and find the program that fits your needs.
Published: July 20, 2023
Written and reported by:
Cyber Security Education Staff