The report of the Coordinated Enforcement Framework (CEF) on DPOs, sponsored by the EDPB and adopted on January 16, 2024, aggregates the findings of the participating supervisory authorities, with a focus on the challenges identified in this area, such as
- insufficient resources for DPOs,
- lack of adequate knowledge and training, and
- risks of conflicts of interest.
The report provides recommendations to address these challenges.
Summary
The following is a brief summary of the critical issues that emerged from the CEF.
Failure to designate a DPO, even where mandatory
Recommendations and points of attention: Increase awareness initiatives on appointment requirements, provide clear guidelines, take enforcement actions.
Insufficient resources
Recommendations and points of attention: Detailed prior assessment by controllers and processors to determine the resources needed for a DPO on a case-by-case basis. Ensuring that adequate resources are allocated. Verification of workload to ensure compliance with GDPR obligations. Guidelines and training materials from supervisory authorities to assist.
Insufficient specialized knowledge and expertise
Recommendations and points of attention: Data controllers and processors must ensure that DPOs have sufficient opportunities, time and resources to keep abreast of the latest developments, particularly with regard to new EU legislation related to digital and AI.
Inadequate specification of the tasks prescribed by the GDPR
Recommendations and points of attention: The supervisory authority could help by emphasizing the distinction between the obligations of data controllers/processors and those of DPOs. Embedding the DPO and its opinions in the authority’s contact processes with data controllers/processors.
Promotion of the DPO’s role within the controller’s organization. Increased effectiveness of the DPO’s annual report.
Conflicts of interest and lack of independence
Recommendations and points of attention: Conflict of interest practice is still lacking and is likely to worsen in view of the new roles potentially assigned to this figure under EU digital legislation.
Deficiencies in DPO reporting to senior management
Recommendations and points of attention: Incentive for the implementation of industry models and standards.