Data Protection Courses/Career

I'm looking to re-train in this area. I've a long-held personal interest in the area and it seems like a great time to re-train. I've worked both in private and public sector for about 15 years previously. I'd like to be a DPO, but I'm open-minded on related roles.

The qualification I've seen most connected to this is CIPP/E.

Is it worth doing the course online with IAPP? Or is it reasonable to get the book, study on your own and go for the exams? 3rd party course providers that offer CIPP/E seem to be charging x2 x3 the price IAPP charge. I've no problems paying for a good course, just don't want to waste the money.

In terms of getting career-ready in this area, I looked at many job listings for DPOs and it seems fairly wide open: degree/career xp + 'relevant data protection qualification'. That plus prior work experience, that's good enough for an entry-level job in DPO, do you think?

Thanks.

It's hard to know what kind of advice is useful for you since you dont mention the area of your experience to date.

Qualification-wise you're definitely on the right track with IAPP and CIPP/E. But to say an 'entry level job in DPO' is odd?

Depending what role you're in at the moment you might have sufficient experience to be able to make a lateral move into DPO, or if you dont have sufficient experience for DPO you could take some slightly more junior privacy roles and progress to DPO. But theres no such thing as 'entry level DPO'. DPO is a role that requires qualification and experience, independence, and direct reporting to the highest level of management. It's not something you can grow or develop into, since you need to be advising the business and making independent calls from day 1.

Hi thanks for the info.

I've glanced occasionally at data privacy roles over the last few months while studying just to see what employers expect and how I can align.

I had seen a number of DPO roles at the time that were lighter on expectations. For example, I saw a DPO role today live on Glassdoor saying:

Data Protection Officer

...

"THE IDEAL CANDIDATE

Third level qualification

Ideally but not essentially a background in advising on data protection or privacy issues.

Strong project management skills

Excellent attention to detail"

That's hardly a senior role there. 40-60k. So I was a little confused when I read your reply had I mixed things up!

That said - many DPO roles I've had a look at specify a legal background, cybersecurity, both and sometimes more. I won't be going for those then.

As the role is so new I imagine a lot of organisations are trying to figure out their needs and the most suitable backgrounds.

My background is not in any of those areas so I would have to work my way up. I'm looking at data privacy analyst, data governance exec. and similar roles. There seems to be many roles with those titles where the description says it's to directly support a DPO. Are there any other roles/areas that might be good first-steps?

I'm also considering should I continue on to CIPP/M or perhaps add a project management qualification.

You would think with all the international companies here with EU-wide scope that more people would be investigating this track!

Edit: found an odd one, the regulator for aviation is hiring a DPO which they seem to have bolted onto HR functions under corporate services. How weird. They've watered DPO down to admin. functions for 30k!

https://www.aviationreg.ie/about-the-commission-for-aviation-regulation/current-vacancies.526.html

Forestsman

Forestsman wrote: »

That's hardly a senior role there. 40-60k. So I was a little confused when I read your reply had I mixed things up!

Depending on the size of the company, someone on 60k could be fairly senior.

Some DPOs certainly aren't as qualified as others. Part of this is the level of risk attached to data processing at a particular company:
- If the company isn't legally required to have a DPO, they'll be more comfortable hiring someone called DPO but who doesn't necessarily fit the description in the reg. Or they may play fast and loose with the title DPO without meaning it to fit the definition of DPO under GDPR.
- If the company does require a DPO, but only really processes a small amount of employee data and not much else, again, the company might be more accepting of someone who isn't 100% up to scratch from the get-go.
- In some cases, the company will just appoint an existing staff member as DPO, if they don't think the workload warrants a dedicated member of staff, and in some cases they can even outsource the role and have a DPO as a contractor.

Another factor is the capacity of the company. They might just not have the resources or know-how to hire the right person for the role, so they hire who they can afford.

Looking back at my previous post, I think I got hung-up on your terminology of 'entry level DPO'. it's clear now you just mean any kind of privacy role that doesn't require tonnes of experience.

I would say re: DPO though, the reg defines the DPO as reporting to the highest level of management. And that's reporting in an independent manner, where you can't let management tell you how to do your job, so a junior person who might be intimidated easily or not taken seriously by execs just wouldn't cut the mustard really. In a small org, or charity/public body, a DPO might get away with learning as they go, but by hiring someone without sufficient skill and experience, the company's leaving themselves open to significant risk while that DPO is finding their feet. If I was in your position, I'd much prefer a DPO Assistant role in a big company under an expert DPO, where I could learn the ropes and get a good reputation to take forward into a proper DPO role, rather than settling for a DPO role in a company that doesn't seem to take the role seriously, where you're leaving yourself and the company exposed to risk.

In large companies, DPOs are usually solicitors by trade but there are other avenues. Have you looked at the European Certified Data Protection Officer training, the ICS offer it https://www.ics.ie/training

Clareman

I'm a DPO IRL so feel free to PM me with any questions you may have. In my experience, the ICS is the way to go for any qualifications you might want to get (I have a few from them) and they are closely aligned to the Association of DPO in Ireland. The problem with qualifications is that there isn't any 1 size fits all or anything endorsed by the DPC so you are just making an educated guess as the best 1 to get, the ICS qualifications are good because of the ADPO but that's not to say it's perfect.

In regards to career, there aren't many full time DPOs around, a lot of companies will have them but they will normally have a lot of other tasks as well, historically the DPO was the accounts person but that has changed to be someone technical for a lot of companies, there won't be that many "entry level" roles as DPO as if a company is large enough to need a full time DPO then they won't want a junior person.

The job itself is often making judgment calls on stuff that's happening, that'll involve reading GDPR over and over again, not very exciting at all but you do have a LOT of responsibility, you report directly to the board with a lot of authority and your decisions can have a huge impact on a company's strategy, this means that the person in the role will need to have a lot of confidence as often you will be going toe to toe with board members/directors and often be giving advice that you know will impact the company.

You mention that you want to "retrain" and that you would be interested in a DPO role but you don't mention your previous training, I would say that if you were previously trained in a technical role that I'd say go down the information security route, if you were more in an admin function then DPO will be for you, it's all about paperwork/processes.