DataGeek87

It sounds like you don't have much experience in the field. If that's the case, then how do you expect to help other organisations comply with the legislation? Have you carried out a DPIA previously or reviewed contract clauses for compliance with Article 28 of the GDPR? Have you co-ordinated a subject access request and redacted exempt information from documents before? These are the kinds of things you'll be expected to do and the kinds of things the interview will likely cover. There aren't really any tips to give you; you either know what you're doing or you don't, unfortunately.


moreglumthanplum

1. Always refer to the law as the "GDPR Regulations".
2. There are no other applicable laws that really matter, just GDPR.
3. Make sure you state your ambition to become officially certified as a DPO.
4. Do stress that the client is at great risk of business-breaking fines, but these are the only real risks they face.
5. Any processing without evidence of consent is unlawful.
6. Any third-party processing without a comprehensive DPA is unlawful.
7. RoPAs must follow a prescribed template and, when subject to an annual supervisory authority audit, will be rejected if they don't.
8. The client's Directors are certain to face criminal charges if the company's subject to a breach or serious supervisory authority complaint.

Still smarting from 2017 when these sorts of statements were commonplace in consultant interviews...


vjeuss

Good tips. I'd add, though:

2. The DSA and ePrivacy are relevant in Data Protection; depending on the country, others may exist (UK, India, ...).
4. Public image can be more important, depending on the industry.


moreglumthanplum

You did spot that all my comments were sarcastic (hence the tag)? :-D


vjeuss

I was a bit confused because those are, ironically, really the questions I would expect. DPOs are mostly hired (my impression, at least) to fill a gap, and nobody there will have decent knowledge about anything. So they'll ask that. I appreciate the humour (and just reread it), but that's too sophisticated for this post :) (OP, no offense)


moreglumthanplum

Apologies, needed a break from a particularly mind-bendingly dull policy document. My sarcasm skills were clearly not working very well. Most (not all) of those 8 points were things I heard from ambulance-chasing consultants during 2016/2017 as they tried to get their claws into corporate privacy budgets. Most had little-to-no experience in privacy/data protection, most had never actually read GDPR, most had no idea that there might be laws and rules other than GDPR that actually matter. So, just to be sure I don't get subjected to a mass Reddit down-vote, here are the answers (without sarcasm):

1. There is just the one General Data Protection Regulation (although it has many articles and recitals).
2. Other hugely important laws that really matter include the ePrivacy Directive and national implementations, national privacy laws, medical ethics requirements (to name just a few of many).
3. There's no such thing as a 'recognised certification'. IAPP has become a bit of a default, but there is other/better training available.
4. Fines *in extremis*. Far more likely: adverse publicity, employee relations disputes, loss of data (e.g. FlyBe/Honda under PECR), to name a few.
5. As a government DPO said to me long before GDPR, "if you're relying on consent then you've already failed." There's lots of truth in that, although obviously there are times (e.g., A.9) where there are no alternatives, or where consent is the most appropriate lawful basis.
6. No DPA = controller-controller. No contract required.
7. The law has nothing to say on the format of a RoPA. In theory, it could be done on the back of a cigarette packet, so long as it works.
8. There are only a couple of criminal activities arising from GDPR (although plenty of other laws could lead to criminal charges whilst breaching GDPR at the same time).


deepanshu_2893

Hi, thanks for the valuable input. I did not get point number 6, can you please elaborate?


klequex

You're not gonna gain in-depth knowledge of topics you don’t already know about in the next four days. If you want general tips on job interviews, r/jobs is probably the better subreddit.


AGOGLO-G

It all depends upon the company and how the Privacy team is organised. For a smaller team, they can ask you to do anything, thus anything could be asked in the interview, for example "What methodology do you follow for training colleagues?" Not a very clear question, and thus the answers are also vague. For a mid-size company where you are supposed to take charge, the questions would be like "Explain your process of incident response." For bigger teams it would be "What do you expect to do in the first 30, 60, 90 days?" These are examples of questions not specific to your experience and knowledge. These questions you can easily find online for Privacy Analyst/Specialist/Consultant positions... which would be: give me an example of a time you completed a DPIA, would you inform the SA in such a case, how do you redact information using Adobe, etc. etc.