EDPB Report on Areas of Improvement for the Position of DPOs in EU
A coordinated investigation by EU supervisory authorities into the role of DPOs
February 05, 2024
United Kingdom
Why should I read this?
By way of background, this report is the result of a year-long initiative by various supervisory authorities (“SAs”). SAs have been collecting information on the position of data protection officers (“DPOs”) across their jurisdictions through questionnaires, followed by an analysis of all the gathered findings by the European Data Protection Board (EDPB). This EDPB report combines these coordinated actions across 25 jurisdictions and will affect companies that are required to appoint a DPO.
Above all, the report provides a list of 7 recommendations that companies and their DPOs can take into account to address the issues identified during the coordinated investigation phase. These findings from national supervisory authorities again emphasise the need to further strengthen and promote the role and importance of DPOs.
What does the report recommend?
The executive summary of the report identifies 7 areas of concern, with examples of recommendations for each problem area, as set out below. Companies, DPOs and SAs should use these recommendations to address the challenges going forward, as they are now considered “best practice”.
Area of concern: Absence of DPOs regardless of mandatory requirement
Recommendation: Even where a DPO is mandatory, not every company has one. Companies argue that when DPOs left, there was no one to fill the gap. Appointing a deputy DPO is strongly recommended as a solution.

Area of concern: Insufficient resources allocated to DPOs
Recommendation: One of the main findings on insufficient resources is a lack of human resources, which is problematic for active and long-term compliance. Companies need to carefully assess what resources their DPO needs to properly exercise their functions. Ensuring compliance under the GDPR will be significantly easier with a dedicated, full-time DPO, supported by a team and a deputy DPO where appropriate.

Area of concern: Insufficient expert knowledge and training of DPOs
Recommendation: The GDPR requires an expert level of knowledge, and DPOs who fall short of that level do not necessarily satisfy this GDPR requirement. Make sure to have a team of DPOs and more capacity to develop expert knowledge.

Area of concern: DPOs not being fully or explicitly entrusted with the tasks required under the GDPR
Recommendation: DPOs are not always given the key role or tasks that are required under the GDPR. It is recommended to have a clearly defined list of tasks for DPOs so that the role of the DPO within the organisation is easy to determine.

Area of concern: Conflict of interests and lack of independent role of DPOs
Recommendation: Although the Guidelines on DPOs and the X-Fab Dresden case state that a conflict of interests occurs when DPOs also determine the means and purposes of processing, the results still show risks of possible conflicts of interest and a lack of independence. Amongst others, a recommendation is to further develop the Guidelines on DPOs and to formalise the duties and conditions of the DPO role in an ‘engagement letter’.

Area of concern: Lack of reporting by DPOs to the highest management level of the organisation
Recommendation: SAs should provide further guidance on the legal obligation to have the DPO report to the organisation’s highest management level, by adopting ‘best practice’ based recommendations or a template for DPO reporting to management.

Area of concern: Further guidance from SAs
Recommendation: Based on the survey results, further guidance from the SAs could help address the areas of concern identified above, in particular by amending the Guidelines on DPOs.
What else do I need to know about the role of DPOs?
Due to new EU legislation in the digital field, such as the AI Act and the Digital Services Act, DPOs are being tasked with new roles related to, for example, AI, ethics and data governance. These new roles may lead to challenges such as conflicts of interest, insufficient available resources and inadequate expert knowledge and training of DPOs. It is vital for companies to consider the tasks and support of the DPO to ensure they can continue to provide the best added value. An alternative could be to (partially) outsource your DPO needs. Eversheds has had a DPO as a Service offer in place for almost 4 years. Such a model is able to provide your company with the expert level necessary to navigate this ever more complicated landscape of (personal) data governance.
On this report, it is also worth mentioning that there is no particular ranking of the focus areas, and the report lacks a comprehensive answer on how companies can measure or benchmark the role or position of the DPO within their organisation. It will be interesting to see whether such aspects will be addressed in the further development of the WP29 Guidelines on DPOs.