According to a blogpost by Pinsent Masons data protection experts Marc Dautlich and Paul Greaves, GDPR requires that DPOs operate independently and without instruction from their employer over the way they carry out their tasks.
Organisations are prohibited from dismissing or penalising DPOs for performing their tasks and they must ensure that DPOs report directly to "the highest management level" in the organisation.
They cite guidance issued by the EU Article 29 Working Party which states: "The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data".
The guidance added that this could preclude other senior executives as well as people performing "other roles lower down in the organisational structure" from taking on the DPO.
Dautlich and Greaves write: "How could a DPO provide independent advice on data protection and issues of compliance if they are simultaneously responsible for new products or services or are involved in selecting, implementing or championing the associated technology, systems or processes?"