GDPR requires DPOs: EU institutions leading by example

Wojciech Wiewiórowski

As you know, the General Data Protection Regulation was finally adopted two weeks ago after lengthy negotiations - a victory for the protection of fundamental rights in Europe. The Regulation requires public authorities - and, in some cases, private companies - to appoint a data protection officer, DPO. The DPO's job will be to watch over in an independent manner how data is stored, used and shared and to advise their organisation on data protection issues. According to an estimate by the International Association of Privacy Professionals, the GDPR will result in European governments and businesses requiring about 28 000 data protection officer posts. One can therefore reasonably expect that data protection professionals will be in high demand in the coming months as European authorities and companies respond to the requirements of the Regulation.

This is an area where the EU institutions are well advanced and can provide genuine expertise, since we have been under the obligation to designate a DPO since 2002. The EU DPOs, around 60 in total, organise themselves in a network, which the EDPS actively supports. The main feature of this network is the DPO meetings which take place twice a year and which have been a regular fixture in the EDPS calendar since 2004. At these meetings, DPOs share experiences from their respective institutions with one other and with their supervisory authority - us. They are also an opportunity for the EDPS to present our policies and activities to DPOs. The DPOs are our close partners and main contact points within the EU institutions and bodies and these meetings are therefore of utmost importance to both DPOs and the EPDS.

On 28 April the EDPS will have the pleasure of meeting the EU DPOs at Eurofound in Dublin. Topics of discussion in Ireland will include the EDPS' e-communications guidelines, staff appraisal, whistleblowing and cloud computing. We are confident that the event will be a success and look forward to this opportunity to interact with our data protection partners and reinforce our much-valued collaboration.

The implementation of the GDPR will certainly represent new challenges for public authorities and companies in the EU when it comes to responding to the DPO requirement. Since the EDPS is 'co-rapporteur' in the subgroup of the WP29, responsible for preparing "DPO Guidelines" that help organisations in the public and private sector to prepare for the entry into force of the Regulation, we also have a unique opportunity to share our expertise and best practice in the field, beyond the EU bubble.