The European Data Protection Board (EDPB) recently published a report on the designation and position of Data Protection Officers (DPOs). This report highlights the issues identified following a year of investigations commenced by 25 supervisory authorities (SAs).

The report is part of the Coordinated Enforcement Framework (CEF). The CEF was set up by the EDPB to streamline enforcement and cooperation amongst SAs when dealing with certain data protection issues.

The report demonstrates increased regulatory scrutiny on how DPOs operate within companies and enforcement activity in this area.

The report and the shortcomings identified should be considered carefully by companies that need to appoint a DPO.

Summary of issues and recommendations

Six key themes are identified in the report. We summarise the issues and recommendations identified.

1. Absence of a DPO even in circumstances where mandatory.

Recommendations: More initiatives are likely to be rolled out by SAs increasing awareness on:

• Organisations’ obligations to appoint a DPO.
• How to determine whether a DPO is actually required.
• The applicable requirements for DPO designation.
• Promoting existing guidance on this topic (through education / awareness campaigns).

2. Insufficient resources allocated to DPOs.

• Most SAs reported a lack of sufficient resources for DPOs.
  
• Another concern was that external DPOs were acting for multiple organisations impacting their ability to discharge their duties.
• Similar concerns were raised about in-house DPOs, with many hiring DPOs part-time or dividing their time between different roles.

Recommendations: SAs could take action in order to encourage organisations to allocate appropriate resourcing to their DPO / DPO team.

• Controllers / processors are expected to analyse on a case-by-case basis what resources their DPO requires. In the report it is stated that “we recommend that controllers take this obligation very seriously and are ready to show their work”.
• Controllers / processors are required to verify that their DPO has sufficient resourcing in order to discharge their functions. In instances where a DPO is externally hired, this may involve verifying how many clients the external DPO has relative to its resources and capacity. Oher steps are required for the DPO to demonstrate it can discharge its GDPR obligations.

3. Insufficient expert knowledge and training of the DPO.

• Most reported 24 hours or less of training. This was deemed insufficient by the EDPB.
• Article 37(5) GDPR requires the DPO to have ‘expert knowledge’. Mere experience is not enough.
• DPOs must also receive “consistent and continuous education” reflecting the pace of change in the area.

Recommendations: Controllers and processors are expected to document their organisations’ knowledge and training needs and progress.

• Controllers / processors must also ensure their DPOs are given sufficient:
  • Opportunities,
  • Time, and
  • Resources to refresh their knowledge and keep abreast of developments / legislative updates.
• DPOs should increase their use of certification mechanisms and initiatives, where relevant.
• DPOs should also increase their cooperation with stakeholders from universities and market-led training courses.

4. DPOs not being fully trusted or explicitly trusted with the tasks as prescribed by the GDPR.

• Explicit reference was made to the drafting of data protection impact assessments (DPIAs). Whilst DPOs can be significantly involved in the drafting of a DPIA, they should have sufficient independence to evaluate the DPIA and its outcomes.
• DPOs cannot do their job unless they are consulted.
• In some instances, even where DPOs had been consulted, the consultation did not always “bear fruit”.

Recommendations: Recommended action includes the roll out of more initiatives from SAs to incentivise controllers / processors to appropriately separate their obligations from those that lie with DPOs, i.e. C/P duties / obligations v DPO duties / obligations.

• Controllers should promote the role of their DPO internally.
• Controllers should work with the DPO to build out the role of the DPO appropriately and in an independent manner.
• All stakeholders should promote the role of the DPO to ensure that the DPO is seen as necessary.
• Controllers and processors should give effective support to DPOs.
• SAs should adopt initiatives to protect and enhance DPOs independence regardless of the governing contract of the DPO. This should enable DPOs to feel safe to fulfil all aspects of their role.
• Controllers and processors should regularly review the EDPB’s guidelines on DPOs (the ‘EDPB’s Guidelines)[1], the annual reports of DPO activities from Supervisory Authorities (SAs), and general best practices. They should also enhance DPO involvement as needed based on these reviews.

5. Conflict of interest and lack of independence.

• Firstly, in-house DPOs sometimes held positions or were responsible for management level duties. This meant that many DPOs were acting as directors such as CFO or CEO, heads of department.
• Secondly, some DPOs were in charge of contradictory tasks requiring them to act simultaneously in two roles.
• Concerns were also raised that some DPOs were given instructions on how to carry out their tasks and duties.

Recommendations: The EDPB’s Guidelines require further development to address possible conflicts of interests, taking into account new roles now taken on by DPOs as a result of new legislation.

• SAs could take further action to verify that controllers and processors have appropriate safeguards in their procedures to ensure that the DPO is not carrying out conflicting tasks.
• Awareness raising activities and educational campaigns could be rolled out by either SAs or organisations themselves.
• Organisations and DPOs could formalise the DPO’s duties and conditions by issuing an ‘engagement letter’ to the DPO.
• DPOs should be able to gather evidence where their independence is being interfered with.

6. Lack of reporting by the DPO to organisations senior management.

• Article 38(3) GDPR requires DPOs report to the highest management level.
• There is inconsistency in how this was implemented in practice.
• The lack of access was seen as undermining the role of the DPO and ultimately effecting the organisation’s overall compliance (given management are not sufficiently informed about data protection issues).

Recommendations: SAs and/or the EDPB could implement the following:

• SAs could encourage the adoption of industry standards, internal data protection policies, and best practices to better inform how DPOs should directly report to senior management.
• SAs and the EDPB could adopt ‘best practice’ based recommendations and / or a template for DPO reporting, setting out the granular level of detail required to address the specificities of the organisations and their respective industries.
• SAs could also initiate more initiatives to address the DPO access to management issue.

Conclusion

In summary, the EDPB’s report highlights the various requirements that controllers and processors must comply with to discharge their obligations of having a DPO in place. These include the need to have clear policies and procedures in place, and ensuring the DPO is given the appropriate resourcing and independence to discharge their duties. The report is also a reminder that this is an area of increased regulatory scrutiny.

For more information and expert advice, contact a member of our Privacy & Data Security team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

People also ask

[1] Article 29 Data Protection Working Party, ‘Guidelines on Data Protection Officers (‘DPOs’), adopted on 13 December 2016, last revised and adopted on 5 April 2017, available here.