
European Data Protection Board adopts report on Data Protection Officers

The European Data Protection Board (EDPB) adopted a report on the challenges faced by Data Protection Officers (DPOs) (the Report) on 16 January 2024. This Report follows a coordinated investigation involving 25 EEA supervisory authorities under the EDPB’s Coordinated Enforcement Framework.

The EDPB considers the results encouraging: the majority of the DPOs interviewed stated that they have the necessary skills and knowledge, receive training, have clear tasks and can act independently. However, the Report identifies areas for improvement and makes recommendations for organisations, data protection authorities and DPOs. For example:

  • Requirement to designate a DPO. The investigation found that some organisations were unaware of when a DPO needs to be appointed. The Report recommends that supervisory authorities implement initiatives and publish guidance to increase awareness. Enforcement action is also flagged as a possible solution to educate controllers and processors.
  • Insufficient resources. DPOs may act for multiple controllers, processors and clients at any one time and so may not be able to spend sufficient time on each. With respect to controllers, the Report recommends that they carefully verify the resources available to their DPO, including time and capacity. Controllers should also take the resourcing of their DPO seriously and be ready to show their analysis of those resourcing needs. The Report recommends that supervisory authorities provide additional guidance and training materials, and encourages them to take action to incentivise organisations to dedicate sufficient resources to their DPOs.
  • Knowledge and training. The GDPR acknowledges that the level of expert knowledge required by a DPO can vary. However, the Report notes that the majority of DPOs receive 24 hours or less training each year, with four per cent receiving no training at all. It suggests that DPOs should receive further training sessions and guidance from the relevant supervisory authority or the EDPB, for example free online courses (such as those in Poland) and certification mechanisms (such as those in France). The Report notes that controllers and processors should ensure they are documenting the knowledge and training needs and progress to support compliance with Article 24 (technical and organisational measures) and 5(2) (accountability) of the GDPR. They should also ensure that DPOs are given sufficient opportunities, time and resources to refresh their knowledge and learn about the latest developments, including, where relevant to their activities or purposes, on new EU digital- and AI-related legislation.
  • Conflict of interest and lack of independence. DPOs may carry out other tasks or hold positions (eg in management) which could conflict with their duties as DPO, including where the DPO is externally appointed. The Report recommends that the EDPB's Guidelines on DPOs are developed further, particularly to take account of the new roles that many DPOs may take on under new EU digital legislation. The Report also suggests that supervisory authorities could verify that controllers and processors have safeguards in place to avoid DPO conflicts of interest. Further recommendations point to the need for awareness-raising activities, information provision and enforcement action (by supervisory authorities or within organisations themselves). From the DPO's perspective, duties could be formalised in an engagement letter, and DPOs should be free to collect evidence of interference with their independence.
  • Lack of trust in the DPO to carry out tasks. The investigation revealed that not all of the tasks a DPO would be expected to perform were being carried out by the DPOs surveyed. In other cases, DPOs were not being appropriately involved in relevant decision-making. The Report's recommendations focus on promoting the role of the DPO within organisations.
  • Lack of DPO reporting lines to highest management. The GDPR requires that DPOs report to the highest management level, but the investigation found that such reporting did not always occur or was infrequent. The Report suggests that further guidance on expectations in this area would be helpful, for example through supervisory authority or EDPB best-practice recommendations or template reports. Supervisory authorities could also encourage industry standards, or pursue actions and initiatives that encourage DPO engagement with top management.

The Report also summarises enforcement action taken, and guidance issued, by supervisory authorities on this topic.

The Report is available here and the press release here.