Proper resources and training to carry out data protection officer requirements under the EU General Data Protection Regulation may not meet the growing complexity of the job. The perceived gaps in aiding DPO efficacy were among the revelations outlined in a European Data Protection Board report adopted 17 Jan. on the results of the board's 2023 coordinated enforcement action regarding DPOs.
The board initiated the action among national data protection authorities in March 2023 with a goal "to gauge whether DPOs have the position in their organisations required by Art. 37-39 GDPR and the resources needed to carry out their tasks." The board's final report is based on 17,490 stakeholder responses — 15,108 from organizations and 2,382 from DPOs — to a broad questionnaire issued by participating supervisory authorities. The total responses fell well short of the number of solicitations as authorities contacted 61,962 stakeholders in all.
The report specifically called out red flags concerning "insufficient resources allocated to DPOs, insufficient expert knowledge of DPOs and risks of conflicts of interests." EDPB Chair Anu Talus said in a statement that enforcement action generally aimed to "achieve better efficiency and more consistency" to support the vital role a DPO plays in an organization's data protection practices.
"DPOs play an important part in contributing to compliance with data protection law and promoting effective protection of data subject rights," Talus said. "The report provides an analysis of the challenges faced by DPOs, along with points of attention and recommendations to address these challenges."
Stakeholder responses generated seven areas of issue the EDPB explicitly outlined at the outset of the report while providing recommendations to improve or remedy perceived gaps. The areas of issue include:
- Absence of designation of a DPO.
- Insufficient resources.
- Insufficient training and expert knowledge building.
- Lack of explicit trust with tasks required by the GDPR.
- Conflict of interests and lack of independence.
- Lack of DPO reporting to organization management.
- Additional data protection authority guidance.
The report also outlined relevant enforcement work carried out by supervisory authorities to address noncompliance, including reprimands and fines, guidance and more.
Key takeaways
While the report itself fleshes out positives and negatives relating to the DPO field, the findings may come off as somewhat skewed based on participation.
Digiphile Managing Director Phil Lee, CIPP/E, CIPM, FIP, said the ratio of solicitations to responses could present "risk of response bias" as major players and whole industries may not be included. He added, "Those organisations have an obvious incentive to present their compliance in the best possible light — given the potential for DPAs to launch formal investigations off the back of their responses."
Among the EDPB's findings, IKEA Data Protection Officer Natalija Bitiukova, CIPP/E, CIPM, FIP, was alarmed by the fact DPOs are not being entrusted with fulfilment of their tasks. The report indicated respondents to the questionnaire revealed DPO tasks "may not always be properly assigned" and that there is a "lack of systematic involvement of the DPO within organisations."
"It fundamentally undermines the nature of the role," Bitiukova said. "It is concerning to see DPOs still not having access to the highest management in the organization. Without such access it is difficult to see how DPOs are able to effectively exercise their statutory responsibilities and bring the value this role is meant to bring to the organizations."
The report also struck on the growing responsibilities falling on DPOs as the EU grows its digital rulebook, with the EDPB noting the DPO role "seems to be changing." The board said the swath of regulations, including the Digital Services Act, Digital Markets Act and the proposed Artificial Intelligence Act, must be top of mind when considering "how DPOs are being tasked, utilised and supported, to ensure that they can provide the best added value for everybody involved."
Lee called attention to the report referring to "burn out" in regards to additional regulatory burden, which he added is "a conversation that I have on a daily basis with clients."
Bitiukova was "positively surprised" to see the EDPB acknowledge how DPO duties are going beyond GDPR compliance. She highlighted the report's callout on how a DPO juggling multiple compliance efforts could generate conflicts of interest.
"Given the similarities between compliance roles under DSA and DMA, as well as a strong focus on fundamental rights under the AI Act, it is natural to see a DPO as a good candidate to assume such responsibilities," Bitiukova said. "In some cases, I could see strong synergies while in others there could be concerns regarding the conflict of interests. It is however important that any new duties are clearly outlined and accompanied with appropriate training and resources."
Improvements required
With regard to the allocation of resources and training, the EDPB indicated the crux of the issue boils down to finances and time. A glaring reflection of those challenges is the perceived lack of attention paid to hiring a DPO and support staff.
"The report seems to suggest that the absence of a deputy DPO — in addition to a DPO in some cases — could be evidence of insufficient resourcing," Lee said. "It suggests that where there is a single DPO this might indicate the DPO is spread too thinly and that it could present ongoing compliance issues when the DPO is on leave or if they resign."
Also within the lack of personnel resources, the EDPB pointed out potential overextension of external DPOs and undervaluing in-house DPOs. The EDPB said, external DPOs "may end up spreading themselves too thinly" across clients while some companies are only using in-house officers on "a part time basis" or "diverting at least some of their DPO’s time to other tasks."
The EDPB indicated an uptick in national enforcement actions could incentivize companies to explore allocating adequate resources. The report also pointed to companies holding themselves accountable on verifying proper resourcing.
Bitiukova said she sees a relative "trend toward maturity" in how companies recognize and prioritize their DPO. It depends on the company, she said, but knowledge of the role, its value and what the officer is not responsible for.
If additional resources are out of the question, improved guidance and training may help DPOs "navigate complex issues and save time," according to the report. The EDPB proposed updating its own DPO guidelines while also pitching increased "use of certification mechanisms and initiatives" as well as "cooperation from stakeholders with universities and market-led training courses."
Additional and timely guidelines are always helpful, Bitiukova said, but they should be informed more by the DPOs and those working in the trenches every day to ensure "tangible" guidance.
"It is important to involve DPOs representing different industries, organizations of different sizes and different governance structures, in the development of such guidelines from the outset," Bitiukova added. "Given some of the systematic issues identified in the EDPB report, for instance, a lack of DPO role description or DPO annual reports, it would be particularly valuable to supplement the guidelines with a library of model templates which the companies could customize accordingly."