
> It's just a role, take your CEO, and now he's your "Data Protection Officer"

Congratulations, you're uncompliant. Thanks for playing "GDPR is easy".

> (5) The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.




I don't see how this is "not compliant".

Expert knowledge just means that he/she read the entire directive. The same way that most employers in Europe have read their country's labor law.

The reason why they say that is because the "Data Protection Officer" is the person liable for GDPR violations. The same way the CEO is liable for many wrongdoings a company could do. They require no certification, no degree for a person to be a "Data Protection Officer."


The "GDPR is easy" brigade is very keen on telling people that it's easy to just read the actual text, so let's try that.

Just having read the GDPR doesn't count for "expert knowledge", it's just knowledge. "Expert" is something more. How much more? Funny you should ask, welcome to GDPR limbo.

Also, it doesn't say expert knowledge merely of GDPR, it says expert knowledge of "data protection law", vague and unbounded, certainly not limited to the GDPR. GDPR is probably the most restrictive you have to comply with, but the text literally requires you to have expert knowledge of the others, too. Finally, there's the little "and practices". It's not enough to read it, you have to be an expert in how data protection law is used in practice.

Before you have processed even a single byte of data, you're literally uncompliant simply by being blasé about how you name your DPO. It seems unlikely that anyone will get busted simply for this, but low likelihood of enforcement is not the same as compliance, and why would they include this paragraph if they didn't feel it was important? People who actually care about being compliant need to think about this.


It doesn't mandate any particular level of expertise. If the CEO is the most qualified person in the company, you did it.



