Written by Deirdre Miller
In 2023, the European Data Protection Board (EDPB) launched a coordinated enforcement action under the Coordinated Enforcement Framework (CEF), which focused on the designation and position of Data Protection Officers. Data Protection Authorities (DPAs) across the EEA took part in the action. In Ireland, the DPC participated by sending questionnaires to 100 organisations to aid a fact-finding exercise on the implementation of the role of the DPO in Ireland. ADPO contributed to guidance on completing the questionnaire for organisations and data protection officers. Some of our members will have participated in this action by completing a questionnaire.
The EDPB has published its report on the Designation and Position of Data Protection Officers. The report includes two appendices: i. the national reports for each participating DPA (the DPC’s report includes commentary on its findings); and ii. the statistics broken down by each participating DPA (for example, the response rate to the questionnaire in Ireland was 66%).
The EDPB’s report is based on data collected by 25 DPAs from more than 17,000 responses. The report looks at the challenges for DPOs when completing the tasks required by the GDPR and includes recommendations to address them. The challenges identified were:
- absence of designation of a DPO, even if mandatory;
- insufficient resources allocated to the DPO;
- insufficient expert knowledge and training of the DPO;
- DPOs not being fully or explicitly entrusted with the tasks required under the GDPR;
- conflicts of interests and lack of independence of the DPO;
- lack of reporting by the DPO to the organisations’ highest management level;
- and requirement for further guidance from supervisory authorities.
The recommendations include actions that DPAs may take to strengthen the role of the DPOs, such as awareness-raising activities, information, and enforcement actions. The report also provides an overview of the enforcement actions taken by DPAs for non-compliance with the legal requirements for DPOs. DPAs have completed investigations and adopted decisions on topics such as DPO independence, conflict of interests with the DPO’s assigned tasks, the level of support provided for the DPO, failure to report to the highest management level, failure to appoint a DPO, and lack of DPOs’ involvement. These topics form the basis of many of the challenges reported by DPOs and organisations in the questionnaire. Enforcement actions have been recommended by the EDPB in the report as a means of educating controllers and processors and addressing some of the identified challenges.
The report provides an opportunity for organisations to consider how they are resourcing their DPOs to carry out the tasks required by the GDPR, to identify particular challenges their DPOs face, and to adopt relevant recommendations. The EDPB indicated that there may be further developments during the course of 2024, with the endorsed WP29 ‘Guidelines for Data Protection Officers’ likely to be updated to assist organisations.
