EU Data Privacy Regulator’s Renewed Interest in Data Protection Officer Role

Under the EU’s General Data Protection Regulation (GDPR), Data Protection Officers (DPOs) protect the rights of data subjects and act as a liaison between jurisdictional Data Protection Authorities (DPAs), data subjects and their organization. As required by Article 39 of the GDPR, the specific tasks of the DPO include advising the organization of its obligations under the GDPR, monitoring compliance, raising awareness and training, conducting Data Protection Impact Assessments pursuant to Article 35, and cooperating with supervisory authorities.

Ideally, the DPO reports directly to the most senior person in their organization, has adequate resources to carry out their duties and is free from any conflicts of interest. To ensure that this is occurring for registered DPOs, the European Data Protection Board (EDPB) wanted to better understand what resources a DPO needs and what conflicts of interest might arise from the role.

This subsequently prompted the EDPB to create the Coordinated Enforcement Framework (CEF) to launch an assessment initiative focusing on the role of the DPO within an organization. The initiative began in mid-March 2023 and is expected to continue for a year.[1]

Following the assessment process by the CEF, Data Protection Authorities (DPAs) would take the results and carry out coordinated enforcement efforts over specific areas of concern. Twenty-six (26) DPAs are expected to participate in the CEF’s DPO assessment initiative. They can solicit information from DPOs by sending them questionnaires in “fact-finding exercises” or by launching full investigations.[2]

The EDPB is concerned that DPOs might have conflicting interests and not have the bandwidth to perform the responsibilities required of them as outlined in the GDPR and related guidance. In order to comply with regulations, organizations should reassess who they are appointing as DPO and whether they are providing them with adequate resources.

Understandably, many companies lack the appropriate resources to appoint someone within their organization to be a DPO with adequate independence and knowledge of the privacy landscape.

To solve this dilemma, some companies have looked to appoint third-party DPOs. They have turned to consulting or legal firms to assume the role. This provides the organization with a dedicated DPO resource with adequate privacy knowledge, an individual free from any conflicts of interest as they do not assume an internal position or other responsibilities, and also allows the organization to save on valuable resources by not having to hire a separate employee to fulfill the DPO position.

At the conclusion of the initiative, the CEF will publish their findings in a report that will be released to the public. The EDPB plans to use the report to determine what additional regulations may need to be created to ensure that DPOs have adequate resources and are free from conflicts of interest.[3]

As the CEF conducts their investigations and looks to potentially create additional regulations around the DPO position, organizations should use the next year to re-evaluate how their own DPO roles are structured to ensure they are aligned with current GDPR regulations. This might mean reassigning the DPO position where conflicts of interest are present or using a third-party DPO to fulfill the role.

[1] ‘Launch of coordinated enforcement on role of data protection officers’, edpb.europa.eu, EDPB, 2023, https://edpb.europa.eu/news/news/2023/launch-coordinated-enforcement-role-data-protection-officers_en, 4/7/23.

[2] Ibid.

[3] Ibid.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
