EDPB launches coordinated enforcement action on the role of DPOs

28/03/2023 - On the 15th of March 2023, the European Data Protection Board (EDPB) launched its second initiative under the ‘Coordinated Enforcement Framework’ (CEF). Whereas in 2022, the EDPB focused on the use of cloud services by the public sector, this year the EDPB will focus on Data Protection Officers (DPO).  

Background 

The GDPR emphasizes cooperation between national data protection authorities (DPAs) and introduces a one-stop-shop mechanism for case handling. As the EDPB plays a key role when it comes to coherence in this field, through consistency procedures, regular meetings and guidance, the CEF was introduced by the EDPB. The CEF aims to support and build on mechanisms for cooperation in the GDPR and is intended as proactive action, rather than reactive. Consult the visual below for an overview of the structure of the CEF: 

source: EDPB  

Focus on the designation and position of DPOs 

As part of the current CEF initiative, the EDPB will focus on the designation and position of DPOs. The aim is to verify whether DPOs have the position in their organization that is required by articles 37-39 GDPR and the resources to carry out their tasks.  

Practically, the coordinated action will be supported by 26 DPAs across the EU, who are expected to solicit organizations in the weeks and months ahead. DPAs will, for example, send questionnaires to organizations consulting about the DPO role. Where applicable, they may also conduct more formal investigations into the role.  

Impact 

In 2019, an IAPP report stated that 500,000 organizations had registered a DPO under the GDPR. In the 4 years since that report, it is expected even more organizations have since registered a DPO. The impact of the current CEF initiative may thus very well impact a large number of organizations. Many of which may currently still be struggling to adequately define and embed the DPO role and the allocation of sufficient resources for the role.  

Although the initiative has been welcomed by a number of DPOs, who see it as a way to clarify expectations and to promote privacy on the EU level, the initiative may also create risks for certain organizations who are in doubt about the correct implementation of the DPO role within their organization. 

How we can help 

Considerati offers two dedicated DPO services. Firstly, we offer DPO as a Service (DPOaaS). With DPOaaS, Considerati registers as your organization's DPO. In this process, Considerati takes on the entire DPO role in line with the GDPR requirements. We do so by providing you with a dedicated DPO, who is supported by the team of legal privacy consultants within Considerati. This provides your organization with a qualified DPO without large investments.   

We also offer DPO Support for organizations that already have a DPO but are looking for assistance. In this case, your existing DPO will be supported by the legal privacy team from Considerati on both operational and strategic topics. A practical solution for organizations and their existing DPOs. 

Get in touch with us should you wish to receive additional information about our DPO services.