What does it mean for the DPO to perform tasks with due regard to the risk?
The provision on the tasks of the DPO (Article 39(2) of the GDPR) clearly indicates the need to adapt the mode and methods of work to the specifics of data processing and the risks involved. The DPO is to perform his or her tasks with due regard to the risks associated with the processing operations, taking into account the nature, scope, context and purposes of processing. This is a general, common-sense principle that the DPO can apply to many aspects of his or her daily work. Performing tasks "with due regard to the risk" requires the DPO to prioritize his or her work and focus on aspects that entail greater risk.
According to the Article 29 Working Party, this approach should make it easier for the DPO to advise the controller on, among other things:
- which areas should be internally or externally audited,
- what training should be provided to employees or managers responsible for data processing,
- which processing operations should be allocated more time and resources.
The DPO, when performing his or her tasks (Article 39(2) of the GDPR), should therefore apply solutions tailored to the needs of the organisation where he or she performs the function, as well as to the characteristics of the specific data processing and the risks involved. Performing tasks in this manner is consequently expected to lead to more effective personal data protection.