On 17 January 2024, the European Data Protection Board (EDPB) published a report on a co-ordinated investigation into the role of Data Protection Officers (DPOs).
25 supervisory authorities (SAs) across the European Economic Area (EEA) took part in the investigations, using a mixture of questionnaires and fact-finding exercises.
The EDPB’s report emphasises the importance of DPOs in the practical application of the General Data Protection Regulation (GDPR) and safeguarding data subject rights. However, the findings also detail certain challenging areas that DPOs face.
In this blog, we explore a few of these key challenges, based on the findings in the report:
We also offer a useful comparison between in-house and outsourced DPOs, providing practical information for organisations that are deciding on the most suitable approach for their data protection needs.
The EDPB report identifies a lack of resources as a major challenge for many DPOs.
The report underscores how a DPO team is often necessary because of workload levels, which can exceed a single person’s capacity. Other problems with workflow can also arise when a DPO is on leave, becomes sick, or resigns.
Although the GDPR does not strictly require organisations to appoint a deputy DPO, compliance is easier to achieve with a DPO supported by a deputy, where appropriate.
The EDPB’s report also highlights concerns about the levels of DPO expert knowledge and training.
The report confirms that the level of expert knowledge required varies, depending on the nature of the data processing. However, as data protection and privacy are rapidly evolving fields, it is important for DPOs to maintain consistent and relevant learning to fulfil their role.
The Court of Justice of the European Union (CJEU) states that a conflict of interest can happen when a DPO also holds a role within an organisation that involves decision-making about the handling of personal data.
A DPO needs to act independently and impartially, sometimes criticising current mechanisms to ensure personal data is being handled properly and legally.
This means that if a DPO also holds a senior management position, they might find themselves torn between their responsibilities as a DPO and their role as a senior decision-maker.
The GDPR emphasises the DPO’s role as an independent advisor. However, the EDPB’s report highlights how contractual and budgetary setups can sometimes interfere with a DPO’s independence. One supervisory authority suggested that if an organisation manages a DPO’s budget, it could restrict the DPO’s decision-making because of budget cut fears.
The report advises organisations using an external DPO to be mindful of the contractual relationship to ensure it does not include, either directly or indirectly, instructions on how to carry out the DPO’s tasks.
You can read the EDPB’s full report, covering all identified DPO challenges here: Designation and Position of Data Protection Officers
Outsourcing offers a strategic solution to the challenges detailed in the EDPB’s report. A quality outsourced DPO service resolves the problem of expertise and ongoing training. With a team to support the DPO, a pool of expert knowledge and resources is always readily available. Outsourced DPOs also operate independently, eliminating the risk of any conflicts of interest.
The DPO Centre provides a wide range of outsourced data protection services, including Data Protection Officers (DPOs), EU and UK GDPR Representatives.
Contact us today to discuss how we can help.