Learning to walk a tightrope: Challenges DPOs face in the day-to-day exercise of their responsibilities
Abstract
The present paper takes the provisions of the General Data Protection Regulation (GDPR) on the data protection officer (DPO) as a starting point to assess how the role is developing in practice, and discusses the challenges DPOs may face in the day-to-day exercise of their responsibilities. In particular, the paper focuses on how the stipulations covering the function can be implemented in practice, taking into account that a balancing act may often be required when designing it, and when choosing the best person for the role. The paper explores how the functional independence of the DPO can be ensured, discussing the tension between the DPO's role as independent advisor of the organisation and the DPO's status as either an employee or a contractor of that organisation. Attention is paid to the design of the position, that is, the positioning of the DPO (internal versus external DPO, part-time or full-time DPO), the hierarchical position in the organisation and the resourcing of the DPO, as well as the required knowledge (data protection expertise, legal background, IT background, risk management and audit experience, but also in-depth understanding of the controllers’ processing operations). The paper concludes that all elements set down in the GDPR must be duly combined and weighed in order to ensure that the DPO can fulfil their role in a manner that complies not only with the letter, but also with the intention of the law. As time progresses, it will not become easier for DPOs to fulfil their tasks, but rather more demanding. On the one hand, this is due to the increasing complexity of processing operations (including the fact that processing for various reasons is taking place in the cloud), which requires DPOs to understand both the business needs and the technical intricacies in more detail. On the other hand, organisations are fascinated by and want to make use of new technologies, which may often be challenging from a data protection point of view.
The paper concludes that, like the tightrope walker, the DPO is constantly balancing — when the balance is right, both the organisation and the DPO benefit.
The full article is available to subscribers to the journal.
Author's Biography
Barbara Eggl was nominated as data protection officer (DPO) of the European Central Bank (ECB) in June 2015 and served in this function until 1 August 2019. She worked in central banking since 1982, first at the Austrian central bank and since 2002 at the ECB, where she first concentrated on institutional issues in the ECB’s Secretariat to the decision-making bodies. In her role as DPO, she advised ECB business areas, including the Single Supervisory Mechanism, on data protection issues and monitored compliance with EU data protection legislation. Barbara was instrumental in raising awareness on privacy and data protection in the ECB, and strived to ensure continued high standards of data protection compliance within the institution. She holds a doctorate in law from the University of Vienna and master’s degrees in economics from the University of Vienna and the London School of Economics. She also received data protection certification from the European Institute of Public Administration.