The role attributed to the data protection officer is one manifestation of the accountability principle of the EU General Data Protection Regulation. As such, the GDPR requires that the DPO exercise their functions independently and that the DPO "shall directly report to the highest management level," according to Article 38. However, the regulation does not provide any guidance on the type of reporting line that needs to be established in order to satisfy this requirement. Nor have the Article 29 Working Party or the data protection authorities been forthcoming. Sarah Taïeb, the global DPO of Ipsen, a pharmaceutical group, wished to fully advise her management on the best reporting line for her from the moment she would be officially appointed in May 2018. She therefore decided to look into what was said by authorities and the "professional doctrine." In this article for The Privacy Advisor, she and Carolin Stenz discuss their findings, along with the analysis Taïeb made for her own organization.