The role of the Data Protection Officer

Companies in which at least twenty employees process personal data are generally required to appoint a Data Protection Officer. Regardless of the number of employees, this obligation to appoint also applies to companies that process special categories of personal data (e.g., health data) or if the core activity of the company involves the collection, processing, use, or transmission of personal data.

An employee can be appointed as an internal or in-house Data Protection Officer. The individual must meet various requirements such as expertise and personal suitability.

On the other hand, to be successful as an external Data Protection Officer, one must possess a much broader range of skills. Advising, training, and auditing companies from different industries with diverse data processing activities requires the ability to address numerous legal, technological, and organizational issues.

While a law degree is not explicitly required for the role of an external Data Protection Officer, it is generally considered necessary. This is because the assessments of data processing activities must comply with the entire legal framework, not just with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Telecommunications and Telemedia Data Protection Act (TTDSG). Relevant aspects include competition law and civil law questions. Data Protection Officers without sufficient legal qualifications may quickly reach their limits or make significant mistakes in these areas.

The formal university degree is of secondary importance. Theoretically, a Master’s degree in Law also qualifies for providing consultancy services in data protection law. However, full-fledged lawyers and authorized attorneys generally have better career prospects in law firms and in an international context. An LL.M. degree can also be highly beneficial.

The greater challenge lies in the fact that data protection law is not a separate subject area taught at law faculties. Over the past few decades, the experience has shown that few graduates already possess the necessary expertise in this field.

It is highly advantageous if law graduates have already engaged in theoretical studies of the GDPR, BDSG, TTDSG, the Telemedia Act (TMG), and the Act Against Unfair Competition (UWG) during their studies.

Moreover, individuals who have acquired additional qualifications or practical knowledge in data protection law through internships during their studies are well-prepared for a career as a data protection lawyer.

Data processing typically takes place in an IT-based environment. Therefore, at least basic IT knowledge and a certain level of technical affinity are a must for aspiring data protection experts. While very few law graduates can independently configure a Windows server, they should at least know the difference between a firewall and a fire extinguisher for the job of a data protection officer.

Given international markets and cross-border data processing, it is almost needless to say that excellent English language skills are essential. Additional foreign language skills and experience abroad can bring career advantages.

The role of a Data Protection Officer requires a lot of client interaction and communication. Especially as an external Data Protection Officer, lawyers establish long-term relationships of trust with their clients. Balancing the roles of assessing and advising can sometimes be a challenging task.

Those who prefer working alone at their desk, drafting complex legal documents with utmost precision, may consider pursuing a different legal field. However, individuals who enjoy direct communication with people and have the ability to explain legal matters in an understandable way already possess an important core competency for a job as a data protection consultant.

A strong problem-solving mindset is particularly valuable among the sought-after personal competencies. Even experienced data protection experts encounter new challenges on a regular basis. As the digital transformation of the economy progresses technologically and organizationally at a faster pace than legislation and case law, a diverse range of creative solutions is required for various data processing activities in value chains and business models.

Graduates of law studies, as well as experienced lawyers or legal practitioners aiming for a career in data protection law, should critically assess themselves in this regard. Those who see themselves more as “naysayers” are likely to be overwhelmed by the challenges of being a data protection consultant. However, lawyers who enjoy thinking outside the box and are willing and able to do so every day can expect an exciting job with the opportunity to quickly assume project responsibilities.

In addition to the mentioned profession-specific key competencies, there are, of course, soft skills that are important for working in a team. Each employer may prioritize different aspects. However, since data protection lawyers typically do not work in highly specialized large law firms, both teamwork and assertiveness are required. Independent work in potentially flat hierarchies or even self-organized teams is not necessarily common for lawyers but should be learned.

The professional life of an external Data Protection Officer is anything but boring. To excel in this role, one quickly assumes project responsibilities and acquires their own clients. The relationship between an external Data Protection Officer and their clients is often long-term and characterized by intense collaboration.

The tasks of an external Data Protection Officer include advising company management, providing training to employees, and conducting audits of data processing activities. Many of these activities can be carried out from their own office (e.g., regular status meetings with clients), but on-site inspections and training sessions are also part of the job.

Furthermore, the responsibilities of a Data Protection Officer encompass communication with supervisory authorities and direct interaction with individuals whose data is processed by the clients.

In recent times, the role of a Data Protection Officer has also involved judicial and extrajudicial representation, particularly for licensed attorneys. This primarily pertains to defending against cease-and-desist letters or claims for damages, and also includes defending against fines.