Going back to basics for the EDPB’s year of the DPO

Published: March 2023

Navigate by Topic

The European Data Protection Board officially kicked off its second annual coordinated action earlier this month, setting its focus on the “designation and position of data protection officers.” The EDPB’s current prioritization of the DPO reflects a few important points. The first is the unique, essential and increasingly important role DPOs are envisaged to play when it comes to contributing to and promoting data protection compliance. The second is, even after nearly five years of the EU General Data Protection Regulation, compliant and effective implementation of requirements related to the designation, structure and tasks of the DPO can be a challenging exercise for organizations and DPOs alike. The third — which remains to be seen via the EDPB’s coordinated enforcement — is the likely lack of an archetypal DPO given the diversity of sectors, organization sizes and domestic contexts across the EU.

As reported by IAPP Staff Writer Jennifer Bryant, 26 data protection authorities from various EU member states, including the Office of the European Data Protection Supervisor with oversight of the EU institutions and bodies, will work with DPOs to investigate and potentially issue enforcement orders related to the DPO role. This fact-finding exercise will identify not only challenges and potential violations, but also best practices and opportunities for collaboration. Through the coordinated enforcement action, the EDPB will produce a consolidated report with recommendations from DPAs and points of attention. But, as IAPP Managing Director, Europe, Isabelle Roccia, points out “The final report on the ACA does not necessarily mark the end of DPAs’ activities on the topic.”

For privacy professionals: The DPO Toolkit offers a variety of resources created by IAPP staff and members of the privacy community. Some resources you might find helpful include:

The DPO acts as the go-between for organizations, regulatory authorities and individual data subjects. They must balance both outward- and inward-facing interests as they navigate their organization’s internal goals, data subject requests and regulator inquiries. That can be a tough balance to strike. However, DPOs are uniquely positioned to use their investigative, corrective, authorization and advisory powers within an organization to ensure data practices remain compliant with the GDPR. In recognition of the importance of such a role, GDPR Articles 37-39 outline the DPO’s designation, position and tasks, as explained below.

Designating a DPO

Who needs a DPO?

Under Article 37, DPOs must be appointed for public authorities and bodies, as well as organizations whose core activities consist of any of the following:

  • Regularly and systemically monitoring data subjects on a large scale.
  • Processing Article 9 special categories of data (e.g. personal data relating to health, biometric identification, race, ethnicity, etc.) or Article 10 criminal data on a large scale.

The U.K. Information Commissioner’s Office — now no longer a member of the EDPB — explains “core activities are the primary business activities” of an organization (i.e. processing of data required for key objectives), and are as differentiated from secondary processing activities like human resources or payroll. The Article 29 Working Party, the predecessor to the EDPB, issued guidance in 2017 outlining the following factors to be considered when determining “large scale”:

  • The number of data subjects concerned, considered as an absolute number or as a proportion of the relevant population.
  • The volume of data and/or the range of different data items being processed.
  • The duration, or permanence, of the data processing activity.
  • The geographical extent of the processing activity.

WP29 points to Recital 24 of the GDPR, which to clarifies “regular and systemic monitoring” entails profiling a natural person in order to analyze or predict their personal preferences, behaviors and attitudes.

Importantly, the above requirements to appoint a DPO extend to organizations based outside of the EU, where organizations are covered by the EU’s extraterritorial scope.

What are the qualifications for a DPO?

A DPO must be designated on the basis of “professional qualities and, in particular, expert knowledge of data protection law and practices.” Regulators such as France’s DPA, the Commission nationale de l'informatique et des libertés, have published the specific skills and competency areas they believe are encompassed within the GDPR’s short provision on expert knowledge. These areas include:

  • Understanding and applying laws relating to core data privacy principles such as purpose limitation, data minimization, storage limitation, data integrity and confidentiality.
  • Developing and implementing data protection programs and policies.
  • Organizing and participating in data protection audits.
  • Identifying and assessing privacy by design within an organization’s processing operations.
  • Conducting data protection risk assessments and impact assessments.
  • Understanding how to respond to data breach incidents.

They also noted the value of certifying expertise both as a way for DPOs to “prove that they have the skills and knowledge required of a DPO” and as “a vector of trust” for organizations designating DPOs as well as for data subjects, supplier, and employees. Writing years before the GDPR, the EDPS remarked how certification “should be considered as an asset” when designating a DPO.

There are soft qualities to look out for as well. Ireland’s Office of the Data Protection Commission Assistant Commissioner Cathal Ryan noted that ideally, a DPO is “a strong, influential individual that sticks to their guns regardless of how the organization reacts to the issues raised by the DPO.”

Where is a DPO situated in the organizational structure?

According to Article 37(6), a DPO can be an employee of the controller, the processor, or an external contractor. There is healthy debate about whether it’s more beneficial for an organization to appoint an internal or external DPO, and which model better facilitates the effective functioning of the DPO’s tasks and addresses a company’s risk tolerance. To date, EU regulators have not endorsed one approach over another. The decision to outsource or stay in-house depends on a multitude of factors, including the size and complexity of the organization, the budget, the organizational culture and leadership’s risk tolerance for liability. Perhaps in recognition of the limited and often expensive pool of qualified DPOs, Article 37(2) allows for a single DPO to be appointed by a parent company and its subsidiaries provided the DPO remains “easily accessible” to each undertaking. The same is true for public entities in that it is also possible for an outsourced DPO to provide services to multiple unrelated entities.

Regardless of whether the DPO is an internal hire or external contractor, Article 38(2) stipulates organizations must provide their DPOs with appropriate resources to carry out their tasks and maintain their expertise.

What are the reporting obligations once a DPO is designated?

Article 37(7) mandates organizations are required to publish the contact details of their DPOs and notify the local DPA. In 2019, just one year after the application of the GDPR, an IAPP study estimated 500,000 organizations had registered DPOs across Europe. If organizations don’t register their DPOs, they are liable to be fined, as evidenced by a December 2019 enforcement action by the Hamburg Commissioner for Data Protection and Freedom of Information against Facebook’s German subsidiary. The HmbBfDI fined the subsidiary 51,000 euros for failing to notify the regulatory authority that Facebook had assigned their data protection team in Ireland as the DPO across all European subsidiaries.

Positioning the DPO

Are there any independence requirements?

Article 38 envisions the DPO operating independently of the controller or processor. BP Privacy Advisor Helga Turku, CIPP/E, provides a helpful analogy that equates the DPO to the referee in a sports game: “A referee (or DPO) must be in a position to freely advise on the rules of the game, monitor compliance and, ultimately, give a red card without fear of reprisals from owners, shareholders, managers or the players themselves.” That is, a controller cannot instruct a DPO on how to perform their tasks, including the fact-finding and analysis of complaint investigations. Article 38(3) prevents the possibility of retribution by asserting organizations cannot dismiss or penalize a DPO for performing their tasks.

How are conflicts of interest addressed for DPOs?

Conflicts of interest are more likely to arise when a DPO is an internal position rather than an external contractor. A recent ruling by the Court of Justice of the European Union affirmed an employee who is an appointed DPO for an organization can maintain some other responsibilities as an employee of the organization outside of the DPO role, so long as the roles comply with the GDPR principles. Importantly, Article 38(6) stipulates the DPO should not be involved in any duties resulting in a conflict of interest, such as determining the purpose and means of the data processing conducted by their organization. For example, a 2020 enforcement action by Belgium’s DPA found a company that appointed the head of their compliance, risk management and audit department as the DPO to be in violation of Article 38(6).

What is the reporting structure for a DPO? Any other obligations?

Article 38(3) mandates an organization’s DPO shall report directly to the “highest level of management,” such as the board of directors or a role with similar governance and decision-making authority. According to Founder and CEO of HewardMills, Dyann Heward-Mills, “This is intended to ensure compliance with the regulations in the sense that management receives timely advice on matters of data protection.”

DPOs are uniquely situated, in that they must answer to both senior leadership and individual data subjects. To ensure DPOs can effectively engage with both types of stakeholders, Article 38(5) imposes a duty of confidentiality and secrecy on them when performing tasks. In the course of fulfilling their duties of training on GDPR compliance, investigating practices and responding to external inquiries, DPOs may encounter individuals’ personal information and sensitive data, such as health or financial information. This provision protects data subjects and recognizes any additional protections afforded by individual member countries.

Tasking a DPO

What are the internal tasks for DPOs?

Article 39 establishes a floor for the minimum number of tasks a DPO is responsible for within an organization. As an internal advisor, the DPO must:

  • Advise the organization and employees of data protection obligations.
  • Monitor the compliance and training of relevant staff.
  • Advise on data protection impact assessments and monitor performance against the assessments.

These DPO tasks are critical to ensuring the organization respects the rights and freedoms of data subjects and complies with GDPR requirements. This can prevent data breaches, fines, reputational damage and legal liabilities for the organization. In the course of conducting these tasks, DPOs can also help foster a culture of data protection and trust among customers, business partners and stakeholders.

What are the external tasks for DPOs?

DPOs also serve as externally facing representatives and contact points for different stakeholders. During a DPA’s site inspection or audit, the DPO is primarily responsible for coordinating with the regulators. That is, they are responsible for providing information about the processing of personal data and answering questions about the organization’s data protection practices. DPOs also may also consult with DPAs if questions or concerns arise outside of formal inspections and audits.

Finally, Article 39(2) warns that DPOs must give due regard to data processing risks as they carry out these internal and external tasks.

Looking Ahead

With continued waves of emerging technologies, new data processing techniques and increasingly complex legal obligations, the data privacy ecosystem is growing ever more complicated for businesses and regulators alike. Businesses are quick to innovate and focus on data utilization as an economical approach to meeting their goals. And they are not the only ones trying keep up with technology innovations. The rate of new EU regulations and new data initiatives also appears to have only accelerated since the enactment of the GDPR five years ago.

Amid this busy ecosystem, the DPO requirements articulated in the GDPR and across other guidance documents may appear straightforward. But appearances can be deceiving. The role of the DPO can take many forms depending on a multitude of factors such as the size of the organization, the resources and funding available, the complexity of the entity’s data processing, and the maturity of the organization’s privacy program. In selecting the role of the DPO as this year’s coordinated enforcement action, the EDPB recognizes the need to understand how the role has responded to these factors and evolved.

Additional Resources

Credits: 3

Submit for CPEs