The EDPB recently announced its second topic for coordinated enforcement. At a national level, data protection authorities in the EU will be looking into the position of the data protection officer. The results of these national actions are analyzed and bundled, generating deeper insights into a particular topic. Last year, the EDPB had selected the use of cloud-based services by the public sector for its first coordinated enforcement action. So, this second topic will be of more relevance to a wider set of organizations. Given that the report on the outcome of the 2022 coordinated action is expected to be adopted before the end of the year, companies can expect a report on the DPO position sometime in 2023.
Putting it into Practice. Companies subject to GDPR, whether US-based or operating in the EU, are reminded of the requirement to appoint a DPO where certain thresholds are met under Article 37. There are many factors to consider when selecting an individual for this position, including whether the individual may have a conflict of interest and the relevant expertise. The EDPB’s guidelines provide some insights on these points. The Berlin Commissioner recently issued at 525,000 euro fine to a company for violation of the DPO requirements, signaling that this topic may be of increasing interest to EU regulators.