
The Profile of the Data Protection Officer: Beyond the Legal

In the world of data protection, the figure of the Data Protection Officer (DPO) has gained fundamental prominence since the implementation of the General Data Protection Regulation (GDPR). Traditionally, the DPO has been associated with an eminently legal profile, and not without reason: the GDPR is a complex regulation that requires a deep legal understanding for its proper application and interpretation.


However, the DPO's role goes beyond simply enforcing the law. In the digital era in which we live, where information is an invaluable asset and privacy is a growing concern, the DPO needs specific knowledge, not only in data protection but also in information security, to carry out their work effectively.



Article 25 of the GDPR establishes the concept of “privacy by design”, which implies that data protection must be considered from the beginning of any project or system. This means that the DPO, when collaborating with developers and technical teams, must be able to speak their language in order to communicate data protection needs to these teams. Understanding software development processes, the technologies used, and potential privacy impacts is crucial to ensuring regulatory compliance.


Furthermore, Article 32 of the GDPR establishes the obligation to implement adequate security measures to protect personal data. This goes beyond mere legal understanding; the DPO must have solid technical knowledge in information security to assess risks, recommend measures and monitor their implementation.


The first additional provision of Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) establishes the obligation for Public Administrations to implement the measures of the National Security Scheme (ENS) to mitigate the identified risks. Here, again, not only legal understanding is required, but also the technical ability to understand the specificities of the ENS and its practical application.


Regarding incident management, it is essential to highlight that not all incidents are data breaches, but all data breaches are incidents and must be managed as such.


The DPO must be prepared to manage any type of information security incident, from cyberattacks to technical failures, and have the technical knowledge necessary to understand what happened, assess the impact and collaborate with security and systems managers and other involved teams to effectively resolve the situation.

Conclusions on the DPO and data protection


Finally, on a day-to-day basis, the DPO often uses Governance, Risk, and Compliance (GRC) tools that require some technical skill to manage appropriately and without which the work cannot be carried out. These tools are essential for the efficient management of data protection and information security in any organization.


In conclusion, while it is true that the Data Protection Officer's profile has a solid legal foundation, it is equally important for them to have technical knowledge in data protection and information security. This technical aspect of the profile is essential for the optimal development of their work and responsibilities. The intersection between law and technology is the terrain in which the DPO must navigate skillfully, in order to ensure the effective protection of personal data in today's digital world.


EIP International Business School informs you that the data in this form will be processed by Mainjobs Internacional Educativa y Tecnológica, SAU as the party responsible for this website. The purpose of collecting and processing personal data is to manage your subscription to the newsletter as well as to send commercial information about the services of the data controller. The legitimacy is the explicit consent of the interested party. Data will not be transferred to third parties, except under legal obligation. You may exercise your rights of access, rectification, limitation and deletion of data at compliance@grupomainjobs.com, as well as the right to lodge a complaint with the supervisory authority. You can consult additional and detailed information on Data Protection in the Privacy Policy that you will find on our website.