How do we ensure the independence of the Data Protection Officer?
May 25th has come and gone, and with it the deadline for GDPR and for the employment of a Data Protection Officer (DPO) at the companies that are obliged to have one.
The GDPR requires that the DPO is independent and does not perform other duties that could lead to a conflict of interest. This can be ensured by the DPO reporting directly to the top management level and by not receiving instructions on how he or she should perform tasks or how he or she should feel about a particular task.
But how should we relate to the situation in which the DPO has performed part of the implementation of GDPR and subsequently, in his or her role as DPO, monitors and controls this work? Does this situation meet the requirement of the DPO’s independence? And if not, how do we ensure the DPO’s independence now and going forward?
These are important questions that top management should consider in order to ensure compliance with GDPR.