As is well known, to fulfil the tasks assigned by Article 39 of the GDPR, the Data Protection Officer must have legal, IT and organizational skills; yet these alone do not guarantee that the designated person is able to carry out the role of DPO.
Obviously, these are three core competences that must be found in the profile of a Data Protection Officer. But just as a three-legged table stands only until some unforeseen accident weakens one of its supports, a DPO who lacks the additional character qualities needed to face and manage stressful situations will founder in the storm, with serious damage also to the data controller who designated him.
To confirm that, especially in structured organizations, the DPO must be psychologically assertive and resilient, it is enough to note that Article 38 of the GDPR requires that “The data protection officer shall directly report to the highest management level of the controller or the processor” but also that “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation”.
This means that the DPO must know how to deal with top management as well as with the pensioner or the housewife who wants to complain about respect for her privacy.
Only a Data Protection Officer who is able to stay sharp and keep a cool head in emotionally challenging situations can efficiently face an unexpected inspection by the Personal Data Protection Authority or by financial police officers of the Special Unit for Protection of Privacy and Technological Fraud. And only a DPO with these specific characteristics can be a real support for the data controller when unforeseen scenarios arise, like those of the Covid-19 emergency, when all the everyday practices of personal data protection were suddenly called into question (if not distorted). There was a need to respond immediately to requests for opinions on measuring workers' temperature, the use of thermal scanners in commercial premises, the detection of employees' positive status, and then the subsequent questions about vaccination campaigns in companies, along with a series of other questions to be decided that put the DPO under pressure.
This frenetic context heightens the need, before designating the Data Protection Officer, to verify carefully specific personal and professional characteristics, which make up a fourth leg of the table and help make it sturdier and more stable. These include his open-mindedness and active willingness, since neither does the Authority agree on the day and time of an inspection, nor does the dreaded data breach make an appointment. On the contrary, insiders know well that, unfortunately, certain harmful events often happen unexpectedly right over the weekend or at night, if not during vacation periods, which could therefore be unhappily spoiled for those who hold this key role provided for by the GDPR.
And if Article 37 of the Regulation allows a group of undertakings to designate a Data Protection Officer, it certainly does not alleviate the anxiety of those who take up this post to know, as the same article states, that this is only possible “provided that a data protection officer is easily accessible from each establishment”.
To avoid finding the wrong person at the wrong time in the various cases given above as non-exhaustive examples, it is therefore essential not to rely exclusively on primary professional skills and on what is stated in the curriculum by the candidate, who may, however, be entirely self-referential. It is also necessary to go deeper with further evaluations through aptitude tests, documentation of previous references, repeated exploratory interviews, and any other lawful method that may be useful in determining whether the professional you intend to appoint as DPO is really the right one.
SOURCE: FEDERPRIVACY