The European Data Protection Board (EDPB) has published a report of its investigation into Data Protection Officers (DPOs). The research reveals that DPOs in many organisations lack sufficient resources to fulfil their tasks, and sometimes hold senior positions that could present a conflict of interest.
DPO requirements under the GDPR
The GDPR requires an organisation to appoint a DPO if the organisation:
- Is a public authority or body, or
- Engages in regular, systematic monitoring of people in the EU as part of its core activities, or
- Processes “special category data” or data about criminal convictions on a large scale.
A DPO’s tasks include informing and advising the organisation on data protection, monitoring GDPR compliance, and cooperating with individuals and the regulator.The GDPR requires that a DPO has sufficient resources to carry out their tasks, reports to the highest level of management, and is not disciplined merely for doing their job.
Key DPO challenges
After distributing a survey agreed by the EDPB, Data Protection Authorities (DPAs) across 25 EU member states received over 17,000 responses—around 15,000 from organisations and the remainder from DPOs themselves.
The EDPB’s report suggests that many DPOs are struggling to secure the time and resources mandated under the GDPR. Here are some highlights from the report:
- Twelve organisations had not appointed a DPO despite being required to do so.
- Just 69% of DPOs have sufficient resources to fulfil their tasks.
- Only 39% of DPOs have been allocated a budget by their organisation.
- 49% DPOs “always” have sufficient information about their organisation to fulfil their tasks.
- 70% of DPOs dedicate less than 91% of their working hours to their DPO duties.
- 30% of DPOs receive less than 32 hours of training per year, with 4.5% receiving none at all.
- While 73% of DPOs have “expert knowledge of data protection”, 10% of DPOs have “no particular expertise on data protection”.
- Only 38% of organisations have a Deputy DPO.
On the bright side…
Despite the challenges faced by DPOs, the EDPB identified some positive trends:
- DPOs generally have a good level of expertise and experience in data protection.
- Most organisations consult their DPO when appropriate, and DPOs generally offer effective and expert guidance when consulted.
- Individuals usually have the opportunity to consult with the DPO about their organisation’s data processing activities.
The EDPB also noted that the DPO role is becoming increasingly respected and professionalised.
Having concluded this stage of its research, the EDPB plans to take the following measures:
- Awareness: National DPAs will conduct campaigns to raise awareness of DPO requirements.
- Guidance: The EDPB intends to publish guidelines of recommendations regarding DPO obligations under the GDPR.
- Enforcement: Where an organisation has neglected to appoint a DPO (if required to do so), appointed an inappropriate member of staff as the DPO, or failed to provide their DPO with sufficient resources, it might face enforcement action from its local DPA .
With this aspect of the GDPR in the spotlight, it’s a good time to ensure your DPO is sufficiently qualified and has the independence, time, and resources they need to carry out their tasks.
As a global B Corp organisation, HewardMills is ready to partner and support your organisation’s needs to safeguard personal data and tackle challenging ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates discussed.