cyber-security, business, GDPR compliance, DPO selection

How to select data protection officer for your company

Click below if you prefer to listen.

A data protection officer (DPO), whether an obligation or an option for companies depending on specific factors, is a person who holds the most responsibility within the company for GDPR compliance.
Let’s start with the basics.

Why does your selection of the right person matters?

Simply because the right selection will make GDPR compliance smoother, easier and most importantly effective. You do not want one of the following two scenarios:

  • A person who will spread catastrophe by stressing everyone out that everything is wrong, and the company will have an attack or a GDPR fine if they continue that way,
  • A person who is doing nothing to get the company into compliance. This person just has a title, has no knowledge and/or intention to complete the tasks required to get your company GDPR compliant.

Want a little help?

cyber-security approach, philosophy, business, protection

Based on my experience and view here are the characteristics of a successful choice for a GDPR DPO

  1. Knowledge of how to balance GDPR effectiveness without overwhelming or stressing out other employees and support everyone involved during the process. This is the number one characteristic. If there is something wrong, s/he will definitely mention it to management but at the same time will accompany it with supportive solutions. The right person will apply simple yet effective progressive moves, which are both smooth and adaptable for the employees and management.
  2. Ability to understand, evaluate and analyze data, correlations and attach impact to it. Less impact from an attack means lower reputation damage and lower direct and indirect costs from a cyber-attack or a data breach.
  3. Deep security knowledge both of systems and infrastructure, which ensures protection from hacks or data breaches and lowers chances of being fined!
  4. Out of the box thinking in order to figure out solutions which are friendly to the company’s budget.
  5. Ability to setup the right budget for GDPR compliance based on the customized needs of the company. S/he cannot tell a small business owner with, let’s say, 100 000 euro income per year that in order to get compliant they have to pay 300 000!
  6. Vigilance in order to maintain the company’s protection levels and GDPR compliance high at all times. As a company develops, it will undergo changes, which will affect data flow and new data additions. That means that the right person will design a flexible GDPR compliance process allowing it to grow with the company and at the same time, build the internal procedures to stay informed and adjust anything necessary accordingly.
  7. Ability to enforce methodologies and tools which are effective but at the same time usable and easily adaptable for employees. It is not ideal to make employees’ daily tasks difficult. Merging ease with security is the best approach to follow in this case.
  8. Ability to avoid impact chain reaction. Each cyber-attack or data breach has certain implications. The ability to detach implications and minimize impact is an art and the professionals who possess this are highly paid, but if you want maximum results in protecting worldwide profits of the company it is wise to look for and request this characteristic.
  9. Ability to respond to incidents quickly and effectively. All solid professionals know that they cannot stop all cyber-attacks or data breach incidents. That is why they work on point 8- the impact chain reaction avoidance and at the same time they prepare to respond to incidents with speed and effectiveness. Doing it right will affect your protection levels and the GDPR fines. Additionally, you have to report everything in a timely manner to the GDPR authorities. Your DPOs ability to report them based on the specified requirements will affect your fines.
  10. Ability to operate effectively under stressful conditions. The weight of a cyber-attack or a data breach might not be easy on everyone. Obviously, the right preparation will play an important role but when a cyber-attack or a data breach takes place the focus will be on the DPO. That is the most important time for a DPO’s performance and you do not want someone who freezes when something goes wrong! You need that person to be on top of their game as their performance is correlated with both your business survival and the GDPR fees you have to pay.
  11. Ability to communicate effectively and report to the company management as an advisor and solutions maker. If management is not informed appropriately on what the problem is and given available options on how to solve it, its impossible to get effective compliance. That is why communication and reporting is a key characteristic of a GDPR DPO.
  12. Ability to communicate effectively with the company’s employees. In order to understand the current processing of data, the technical protective aspects, current policies and procedures, among others, and to implement new ones the GDPR DPO needs to be able to interact impeccably with all employees of the company.
  13. Ability to present the right arguments to the court in order to defend the company in case of a data breach or cyber-attack that results in the company being sued. Any proof of at least sufficient controls and measures will be very positive to the outcome of the case against your business.
  14. Ability to minimize the possibilities of a cyber-attack or a data breach in combination with maximizing the effectiveness of the compliance by extending its benefits to other areas like financial, marketing etc. In other words, make it mandatory as an opportunity for the company’s further growth.
  15. An authority for data protection or a well-recognized professional will play a positive role when fines come to apply as a result of a data breach. For example, a professional who is recognized by the government authorities, European Union and any related professional bodies is definitely a plus.
  16. Last, but not least is public recognition as no fine can be compared to the reputation damage/cost of a data breach or a cyber-attack. Court cases related to GDPR and data protection will gain great publicity.

Selecting a candidate with a public profile who is already an acceptable figure for the public will be of benefit for you and you will not need to work on building the credibility and acceptance of that person to the public. People are the central focus for data protection and the final judge.

Apply what you learn immediately. Download “GDPR Basics” free quick start guide.

cyber-security approach, philosophy, business, protection

I would suggest you keep these 16 points for GDPR DPO selection nearby when you select the right person for the position.

So I am now turning it over to you. If you found this article useful please show it with a “like” and share it with others. I would also like to hear your thoughts:

What other characteristics are you looking for when selecting a DPO for your business?

I cannot wait to hear your comments so leave them below.


GDPR Interview – Part 7 Your ability to control your protection

GDPR Interview – Part 7 Your ability to control your protection

GDPR Interview - Part 7 Your ability to control your protection Click below if you prefer to listen. Free Quick start guide: GDPR basics GDPR basics Want a little help? Download “GDPR Basics” free quick start guide. Clarity is power! So, I am now turning it over to...


and get the latest updates