DPO what to expect

Track: GDPR
When: Wed DS-3
Participants Vijay Nair Vijay Nair

A Data Protection Officer is acting in an independent manner.


Article 38(3) establishes some basic protections to help ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within their organisation. Controllers/processors are required to ensure that the DPO “does not receive any instructions regarding the exercise of [his or her] tasks.”


The DPO informs and advise the controller or the processor and the employees who carry out processing of their obligations under the GDPR. The DPO has to provide staff training who deal with the data processing. He/She designs guidance documents such as Policies and keep them up-to-date. Audits and risk assessments must be carried out. Process requests and complaints and inform people of their data protection rights.

The DPO has to provide advice in respect of data protection impact assessments and monitor the compliance of the controller and processors’ performance. The DPO is also the link between a company and GDPR authorities to cooperate with the supervisory authority and to act as the point of contact for the supervisory authority.


Support must be provided: Article 38(2) of the GDPR requires the organisation to support its DPO by “providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge”.

Some DPO will also have other responsibilities within the company. It is allowed under the GDPR. However any conflict of interest has to be taken very seriously.



Register as participant

To register as participant add DPO what to expect to either:

  1. the sessions metadata field from your participant's page (find your participant page and look for the edit link).
  2. or the participants metadata field from this git session page

Back to list of all Working Sessions