I still don’t think the GDPR envisioned the DPO as a ‘gatekeeper’, so much as advisor. I mean, look at Article 39:
The data protection officer shall have at least the following tasks:
to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation …;
to monitor compliance with this Regulation, … including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
That isn’t a position that blocks decisions, which is what a gatekeeper is. A gatekeeper blocks bad decisions from happening. Sometimes, a GC has that authority, but more commonly, it’s people in the C-Suite who have the veto button. A DPO gives guidance and advice, but we have absolutely no control beyond persuasion (same as any engineer or low-level product counsel).
Right. I read “ensure compliance”, not “replace CEO’s decision making”. But that’s why I’d think that, as drafted, it seemed that policymakers envisioned this a the position that “makes sure the GDPR is implemented”. But of course it ended up being a position that, as it can only advise, ends up getting ignored and later told “make this complaint ”...
I still don’t think the GDPR envisioned the DPO as a ‘gatekeeper’, so much as advisor. I mean, look at Article 39:
The data protection officer shall have at least the following tasks:
to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation …;
to monitor compliance with this Regulation, … including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
That isn’t a position that blocks decisions, which is what a gatekeeper is. A gatekeeper blocks bad decisions from happening. Sometimes, a GC has that authority, but more commonly, it’s people in the C-Suite who have the veto button. A DPO gives guidance and advice, but we have absolutely no control beyond persuasion (same as any engineer or low-level product counsel).
Right. I read “ensure compliance”, not “replace CEO’s decision making”. But that’s why I’d think that, as drafted, it seemed that policymakers envisioned this a the position that “makes sure the GDPR is implemented”. But of course it ended up being a position that, as it can only advise, ends up getting ignored and later told “make this complaint ”...