The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks. The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed.
Where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. Relevant skills and expertise include:
• expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR
• understanding of the processing operations carried out
• understanding of information technologies and data security
• knowledge of the business sector and the organisation
• ability to promote a data protection culture within the organisation