The present paper takes the provisions of the General Data Protection Regulation (GDPR) on the data protection officer (DPO) as a starting point to assess how the role is developing in practice, and discusses the challenges DPOs may face in the day-to-day exercise of their responsibilities.In particular, the paper focuses on how the stipulations covering the function can be implemented in practice, taking into account that a balancing act may often be required when designing it, and when choosing the best person for the role. The paper explores how the functional independenceof the DPO can be ensured, discussing the tension between the role of DPO as independent advisor of the organisation, while still either being an employee or a contractor of the organisation. Attention is being paid to design of the position, that is, the positioning of the DPO (internal versusexternal DPO, part-time or full-time DPO), the hierarchical position in the organisation and the resourcing of the DPO, as well as the required knowledge (data protection expertise, legal background, IT background, risk management and audit experience, but also in-depth understanding of thecontrollers’ processing operations). The paper concludes that all elements set down in the GDPR must be duly combined and weighed in order to ensure that the DPO can fulfil their role in a manner that not only complies with the letter, but also with the intention of the law. As timeprogresses, it will not become easier for DPOs to fulfil their tasks, but rather more demanding. On the one hand, this is due to the increasing complexity of processing operations (including the fact that processing for various reasons is taking place in the cloud), which requires DPOs tounderstand both the business needs, but also technical intricacies in more detail. On the other hand, organisations are fascinated by and want to make use of new technologies, which may often be challenging from a data protection point of view. The paper concludes that, like the tightropewalker, the DPO is constantly balancing — when the balance is right, both the organisation and the DPO benefit.
展开▼
