According to the new EU general data protection regulation, a DPO must have ‘expert knowledge’ regarding the processing of personal data and related practice. The level of expertise necessary must be determined considering the types of processing in question and the level of data protection that is required of the data controller and data processor. Only a very small part of the Danish population possesses this kind of expert knowledge so initially the selection of DPOs will be very limited.
However, this is not necessarily a problem. Primarily for two reasons:
- The newest edition of the regulation has considerably reduced the number of instances requiring companies to appoint a DPO. Now only public authorities and companies that have extensive processing of personal data in quantity and quality as their core activity are required to appoint a DPO. Currently, only a few Danish companies have a core activity of such a nature.
- The regulation explicitly provides the opportunity for several companies and public authorities to appoint the same DPO. It is not hard to imagine that a small number of DPOs will handle the main part of the DPO supervision in Denmark.
Therefore, a need for a large number of DPOs in Denmark could rightfully be questioned. Nonetheless, an increasingly number of DPO training programmes is offered in order to train future DPOs or to prepare the companies as good as possible to handle the new function in practice.
In a long-term perspective, it may be convenient to have a staff of trained DPOs, especially because IT start-ups are depending heavily on data, but currently the need is relatively limited.
The training programmes may be a welcome opportunity to train new or upgrade existing data controllers or processors who will obtain new tools for handling the other requirements of the new regulation.