Pursuant to article 35 c. 5 of the General Data Protection Regulation (Regulation COM(2012)11), the Data Protection Officer (DPO) must have professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in the following article 37.
This would mean that the level of expert knowledge required of the DPO candidate should be determined by the employer, who must take into account the required professional skills, the level of expert knowledge and the candidate’s ability to fulfill the tasks allocated by the Regulation.
First of all, the employer (the controller) should consider:
1) The nature of the processing carried out and the required level of data protection;
2) The extent of its organization across the EU territory. Where an organization operates in multiple EU Member States, the DPO would need to demonstrate relevant expert knowledge of each Member State’s data protection law;
3) The DPO’s relevant experience of how the laws operate in practice (e.g., the inevitable local differences in approach between data protection authorities, and the cultural expectations of local data subjects).
As prescribed by article 36 c. 2, the employer shall ensure that the DPO performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. Moreover, the DPO shall report directly to the management of the organization.
However, the requirement for independence may create conflicts of interest between the DPO and management. There is a concrete risk that the DPO will not be fully integrated into and involved in the organization. The DPO’s activities could be viewed internally with suspicion. This would prevent the DPO from being involved in new projects for products and services, leading to a failure to comply with the new obligations of privacy by design and privacy by default, as prescribed by the Regulation.