EDPB: Organisations must ensure that DPOs have sufficient resources

The European Data Protection Board (EDPB) has found that Data Protection Officers (DPOs) often have insufficient resources or training. The lack of resources was mostly evident in the public sector, where 61% of respondents reported problems as opposed to 33 % in the private sector.

While most respondents say they have ‘experience’ or ‘expert knowledge’, the DPAs stress that there is a need for continuous training as data protection is an evolving field. There are also the new EU laws to consider in the digital field (The Digital Services Act, The Digital Markets Act, the Data Act, the Digital Governance Act and the AI Act). The DPAs therefore conclude that national DPAs and the EDPB should provide more training and guidance to DPOs. Organisations should ensure that DPOs have enough time to refresh their knowledge, and document their training needs and progress.

The DPAs say that many organisations have failed to properly define the role and tasks of the DPO. Some controllers burden their DPOs with tasks that are outside of the GDPR, sometimes leading to a conflict of interests. Controllers should ensure that they are actively reviewing and promoting the DPOs’ involvement in their organisations.

Several DPAs raised concerns about external DPOs taking on too many clients and therefore not being able to dedicate enough time for each organisation.

The results are based on EU DPAs Coordinated Enforcement Action on Data Protection Officers, and were published on 16 January. The EDPB 2024 action will be on the implementation of the right of access by data controllers.

See: EDPB - Coordinated Enforcement Action, Designation and Position of Data Protection Officers

Our 37th International Conference, 1-3 July 2024 at St. John’s College, Cambridge has sessions on the role of Data Protection Officers, EU initiatives, UK legislation and many other subjects. The first sessions have been announced and registration is open.