DPO Role Survey
The role and function of a data protection officer ("DPO") are evolving and will underpin data protection compliance under the proposed European General Data Protection Regulation.
Recognising that an effective DPO function with genuine oversight is a prerequisite for corporate accountability in data privacy, many organisations have invested strategically in developing a DPO function. Little is known, however, about how existing DPOs expect their current role to be affected by, and to change under, the Regulation.
As part of the Centre's project to explore the changing role of the DPO, we surveyed 43 practising DPOs from a range of industry sectors and a variety of geographical locations about their role and function. This paper summarises the insights we have drawn from the survey.
While two-thirds of survey respondents agreed that there is a disconnect between current organisational practices and the proposals set out in the Regulation, the survey revealed very little consensus on how to interpret the future role and function of the DPO, or on the likely impact of the Regulation and the changes required to implement it.
Several key themes emerged:
• Only a few countries currently mandate the appointment of a DPO, yet there has been marked growth in the number of DPOs appointed. The range of tasks that the DPO is expected to undertake has broadened, and the size and resources of the DPO team, and of other personnel tasked with data privacy compliance, are growing.
• The role of the DPO requires a certain degree of flexibility in order to accommodate the needs of different types of organisations, differing corporate cultures, and divergent cultural and legal traditions.
• Some respondents see no tension between this need for flexibility and the prescriptive role and function of the DPO set out in the Regulation. Some were already familiar with a number of these requirements. Others took the view that what the Regulation prescribes will in practice be reflected in a multitude of ways.
• Other respondents expressed unease at the rigidity of the DPO provisions in the Regulation. There is concern that some regulators may interpret these requirements literally, resulting in a prescriptive "one-size-fits-all" role for DPOs that will not be appropriate (or workable) for all organisations.
The survey results identify the need for consensus amongst all stakeholders - businesses, public authorities, regulators, and data subjects - to build a shared vision of the role and function of the DPO. If that is not possible, then it should be accepted that the role and function of the DPO can legitimately take many guises. Given the move towards a more harmonised approach to data privacy regulation and compliance across the EU, it is critical to ensure consistency in regulators' expectations and in the interpretation of the formal requirements of the DPO role.