The GDPR does not specify the credentials a DPO must have. However, the WP29 (Article 29 Working Party) published guidelines, which have been adopted by its successor, the EDPB, defining minimum requirements regarding the DPO’s expertise and skills:
- Level of expertise – an understanding of how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expert knowledge of data protection law and practices the DPO will need.
- Professional qualities – DPOs do not need to be qualified lawyers. Still, they must have expertise in national and European data protection law, including in-depth knowledge of the GDPR. DPOs must also have a reasonable understanding of what technical and organisational measures the organisation has in place and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules and procedures.