Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.
The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.
DPOs’ Role and Standards
The EDPB considers that DPOs are intermediaries between DPAs, individuals, and an organisation’s business units, and therefore play an essential role in contributing to data privacy compliance and protecting data subject rights. The GDPR provides for the mandatory designation of a DPO in certain circumstances, including if the core activities of an organisation consist of either the regular and systematic monitoring of EU residents on a large scale, or the large-scale processing of special category personal data, or personal data relating to criminal offences, of EU residents. The GDPR also prescribes various requirements and standards for DPOs, such as:
- The DPO must be professionally qualified and have expert knowledge of data protection law and practices.
- The DPO must not perform any other role or function which would create a conflict of interest with their role as DPO. European-level guidance, member state national courts and the Court of Justice of the European Union (CJEU) indicate that a conflict of interest may arise if a DPO performs an operational role in which the DPO determines the purposes and means of personal data processing. The CJEU has also confirmed that DPO conflicts of interest should be determined on a case-by-case basis.
- The DPO must engage in a timely manner with all matters relating to data protection and must report to the highest management level.
- The DPO should be available to all relevant data subjects and supervisory authorities.
- The DPO must carry out at least the specific tasks stipulated in the GDPR, for example, monitoring compliance with applicable data protection laws and internal policies, and cooperating with DPAs.
- Organisations must support the DPO in performing their function by providing adequate resources and sufficient access to personal data and processing operations.
The New CEF’s Purpose
The current CEF aims to assess compliance with these standards and requirements around the designation and position of DPOs. The EDPB states that participating DPAs will implement the CEF at a national level in several ways, including by sending questionnaires to DPOs to support fact-finding exercises and formal investigations.
The EDPB will analyse the CEF joint initiative’s results in a coordinated manner; DPAs will decide on possible further national supervision and enforcement actions. In addition, the aggregated results will generate a deeper insight into DPO compliance. The EDPB also considers that a targeted follow-up at the EU level could be necessary.
The 2022 Coordinated Enforcement Framework
The first CEF in 2022 concerned how the public sector uses cloud-based services. It commenced on 15 February 2022 and the EDPB adopted a final report on 17 January 2023. The final report provides a list of key points that stakeholders should consider when engaging cloud services, such as carrying out a Data Protection Impact Assessment (DPIA) to unequivocally determine the involved parties’ roles, and examining and renegotiating the contract with the cloud service provider to establish a meaningful way to object to new sub-processors. Given this precedent, the 2023 DPO CEF might also result in harmonised guidance for organisations regarding their DPO governance activities, and practical steps DPOs should take.
Organisations should expect increased scrutiny, investigation, and enforcement activity around DPOs during the next year and should:
- ensure their DPOs are appropriately positioned within the company, with clear reporting lines to senior management levels and sufficient access to data and processing operations;
- ensure their DPOs are sufficiently resourced to carry out their tasks under the GDPR;
- document their DPO and broader data protection governance structures and roles. For DPOs with combined roles, this documentation should set out why the DPO’s roles do not give rise to any conflict of interest; and
- keep such evidence readily accessible, in the event of questionnaires and other requests for information from DPAs.