Abstract
The present paper takes the provisions of the General Data Protection Regulation (GDPR) on the data protection officer (DPO) as a starting point to assess how the role is developing in practice, and discusses the challenges DPOs may face in the day-to-day exercise of their responsibilities. In particular, the paper focuses on how the stipulations covering the function can be implemented in practice, taking into account that a balancing act may often be required when designing it, and when choosing the best person for the role. The paper explores how the functional independence of the DPO can be ensured, discussing the tension between the role of the DPO as independent advisor of the organisation and the DPO's status as either an employee or a contractor of that organisation. Attention is paid to the design of the position, that is, the positioning of the DPO (internal versus external DPO, part-time or full-time DPO), the hierarchical position in the organisation and the resourcing of the DPO, as well as the required knowledge (data protection expertise, legal background, IT background, risk management and audit experience, but also in-depth understanding of the controllers’ processing operations). The paper concludes that all elements set down in the GDPR must be duly combined and weighed in order to ensure that the DPO can fulfil their role in a manner that complies not only with the letter, but also with the intention of the law. As time progresses, it will not become easier for DPOs to fulfil their tasks, but rather more demanding. On the one hand, this is due to the increasing complexity of processing operations (including the fact that, for various reasons, processing is taking place in the cloud), which requires DPOs to understand both the business needs and the technical intricacies in more detail. On the other hand, organisations are fascinated by and want to make use of new technologies, which may often be challenging from a data protection point of view.
The paper concludes that, like the tightrope walker, the DPO is constantly balancing — when the balance is right, both the organisation and the DPO benefit.