The position of the data protection officer (FG) - the internal privacy supervisor - within organizations is far from always in order. This is shown by research by the European Data Protection Board (EDPB) ahead of Privacy Day on Jan. 28, 2024. The results of the study confirm the picture that the Autoriteit Persoonsgegevens (AP) sees in daily practice.

A large proportion of FGs cannot act independently and lack the ability to communicate signals of potential privacy violations directly to senior management.
While these outcomes are worrisome, the majority of FGs indicate that they are nevertheless able to do their jobs well, for example because they have sufficient knowledge, skills and resources and can perform their duties properly without interference from higher-ups.
An FG oversees the application of and compliance with privacy laws within an organization. FGs have an independent function. It is mandatory for some organizations to appoint an FG. In the Netherlands, there are now about 12,000 organizations with an FG.
The EDPB, with the help of 25 European privacy regulators, conducted a 2023 survey on the functioning of FGs in both government organizations and companies. Some 17,000 respondents participated in this "Designation and Position of Data Protection Officers" survey. This provided valuable insights into the work and position of FGs.
The majority of those surveyed say they have the necessary skills and knowledge and receive regular training. They have clearly defined tasks, which are in line with the GDPR (AVG).
In addition, they indicate that in most cases they receive sufficient information to perform their duties and that their advice is followed reasonably well. Moreover, most believe they have the resources to do their jobs.
However, there are still too many FGs who are not in such a position, for example because they cannot perform their work independently.
The research report provides recommendations to strengthen the independence of FGs and ensure they have the necessary resources to perform their duties.
Organizations would do well to ensure that FGs have adequate opportunities, time and resources to refresh their knowledge and keep abreast of the latest developments.
Privacy regulators can do more to raise awareness within organizations. But enforcement when violations occur remains important as well.
