Fresh warning to firms about hiring juniors for DPO roles
Companies have been warned not to make appointing a data protection officer a "tick-box" exercise following concerns that some companies are handing the role - a legal requirement for many businesses under GDPR - to junior or inexperienced staff.
According to Robert Wassall, data protection lawyer and head of legal services at data compliance specialist ThinkMarble, this widespread practice is resulting in DPOs who have “non-existent expertise” in data protection, appointed just so companies can meet the regulation's obligations.
Speaking to Verdict Encrypt, he said: “I’m almost tempted to say: what are they doing? Are they saying we’ve got a DPO because they want to be able to say ‘we’ve got a DPO’? But if they can’t fulfill that role, I think that they’re misleading themselves and they’re misleading anyone else who is relying on the fact that they have a DPO.”
For companies that make such appointments, Wassall argued, the potential threat is severe: “The most extreme obvious example is that they’re going to do something which could lead them sooner rather than later towards one of these fines that we hear so much about that the GDPR permits.”
Wassall claims that many companies have simply promoted an existing employee to the position, and that their choice is typically limited to junior employees because the position needs to be independent.
However, once in place, a DPO could be hard to dismiss. According to guidance issued by the EU Article 29 Working Party, organisations are prohibited from dismissing or penalising DPOs for performing their tasks and they must ensure that DPOs report directly to "the highest management level" in the organisation.