Data protection officers of a company must have the required expertise and, especially, be qualified to fulfil the obligations defined in Art. 39 GDPR. The requirements for an internal data protection officer may vary depending on the industry and scope of data processing. Particularly in the areas of health, care or personnel, extended knowledge is required, as data processing is associated with a particular risk for data subjects. The requirements related to an IT security officer are diverse and complex and are characterised by the interaction of different components.

There is no mandatory training for a data protection officer or IT security officer. However, attending a course lasting several days and taking a final examination can serve to acquire the necessary expertise. A certificate is regarded as a sufficient proof by most supervisory authorities and auditors.

Knowledge is required in privacy law and IT security in order to perform the activities. The connection between the two areas makes the work of the data protection and IT security officer demanding and means that a consultant from one area or another has to be called in regularly. The consultants of MORGENSTERN train the participants in a five-day course to become a data protection officer or IT security officer and impart the required expert knowledge within this framework. The course can optionally be completed with an examination and a certificate.