Written by Tom Gilligan
In January 2024, the European Data Protection Board (EDPB) released its report on the 2023 Coordinated Enforcement Action (CEF) regarding the role and designation of Data Protection Officers (DPOs). The report was based on feedback from 25 participating regulators, though various countries focused their inquiries differently, making direct comparisons challenging.
The EDPB made a number of recommendations about:
- Lack of awareness of the need to appoint a DPO
- Insufficient resources allocated to the DPO
- Insufficient expert knowledge and training of the DPO
- DPOs not being fully entrusted with the tasks required by GDPR
- Conflicts of interest and lack of independence of the DPO
- Lack of reporting by the DPO to the organisation’s highest management level
- The need for further guidance from supervisory authorities (SAs)
The Data Protection Commission (DPC) sent the questionnaire to 100 organisations and asked for completion on a voluntary basis. In total, 66 organisations responded: 35 public bodies, 8 not-for-profits and 23 private organisations.
The DPC’s findings are set out on pages 65 to 69 of Appendix 1.2 National Reports on the CEF DPO.
The DPC noted positives, including that DPOs are consulted on data protection issues and are involved in problem-solving. It also noted 3 substantive issues of concern:
- Resources – many respondents did not have sufficient resources and the role was part-time. The DPC recommended that data controllers document how they determined the level of resources and whether it is adequate.
- Conflicts of interest – many DPOs had a conflicting role, and the report gives several examples. The DPC recommends that data controllers document how they deal with conflicts for the DPO role.
- Tasks assigned to the DPO – many DPOs were involved in decision-making and in carrying out other tasks that the data controller is responsible for, e.g. completing records of processing activities, data protection impact assessments (DPIAs) and subject access requests. The DPC says these tasks are for the organisation. It noted that DPIAs should be completed by the business unit, as it has the best expertise to complete the DPIA.
ADPO recommends the following actions for all DPOs:
- Always respond to a DPC questionnaire.
- Document your data protection experience and organisational knowledge, and identify training gaps – all based on the complexity and scale of data processing at your organisation.
- Re-evaluate if you are performing tasks that the DPC believes should not be carried out by the DPO.
- Assess and document if you have sufficient resources.
- Document an assessment of potential conflicts of interest and the safeguards that exist to mitigate potential conflicts.
ADPO, as part of CEDPO, will be launching its own anonymous DPO questionnaire shortly. We intend to discuss the aggregate results with the EDPB and the DPC. Please help us by completing the questionnaire.
