EU Thon Hotel, Brussels 14.10.2024
The CEDPO DPO Conference – The DPO in the Digital Age
Since being recognised as a legal person (AISBL) in January 2024 in accordance with Belgian law, CEDPO held its first-ever conference in Brussels on October 14, 2024. One of CEDPO’s core values since its inception in 2011 has been to strive to be a deliberative body not only in privacy and data protection matters, but importantly, in supporting the Data Protection Officers (DPOs) in their undertakings to ensure organisational compliance with the GDPR and related privacy and data security regulations across the EU.
In this dynamic digital environment, the DPO stands as a pivotal figure, ensuring the ethical handling of personal data in the face of rapid technological advancements. With the onward march of new technologies, such as artificial intelligence, it has become an operational reality, and necessity, for DPOs and data protection professionals to deal with the reality of novel, transformative high-risk technologies being rapidly utilised within organisations.
One cannot overemphasise the importance of the AI Act and other areas of EU legislation that come into play, such as the impact of the Data Act or the advent of NIS2. It is, therefore, imperative to identify and acknowledge the role of DPOs in overseeing the protection of personal data as part of the broader AI and cybersecurity strategy.
The Conference
In addition to the lineup of renowned and experienced industry speakers, the conference featured a number of distinguished speakers from the regulatory and legislative sectors, including Mr Wojciech Wiewiórowski, the European Data Protection Supervisor, Mr Cian O’Brien, Deputy Commissioner of the Irish Data Protection Commission, Ms Karolina Mojzesowicz, Deputy Head of Data Protection Unit at the European Commission (DG Justice and Consumers), Ms Sixtine Crouzet of the European Data Protection Board, Ms Isabelle Vereecken, Head of Secretariat at the EDPB, and Ms Alice Darmon, Legal Counsel at CNIL. The expertise and insights that they shared were invaluable to the conference.
The conference consisted of five sessions which included four panels and a concluding fireside interview.
Some of the key takeaways from the conference as expressed by both speakers and delegates were as follows:
- GDPR as a Cultural Shift: The GDPR continues to represent a fundamental change in corporate and organisational culture. Comparing the landscape before the GDPR to today, highlights a significant evolution; we anticipate additional shifts with the AI Act that the DPO must be able to address.
- DPOs are at a crossroads: Recent surveys (CNIL/EDPB/CEDPO) show that significant progress has been made with regard to the role and status of DPOs. However, there is still some way to go to ensure that all the DPO-specific requirements of the GDPR are met, in particular, those that shape their role and status, specifically the resources made available to them, and the independence that they must be afforded. CEDPO’s 2024 survey also shows that increased vigilance is needed to protect DPOs’ mental health and to guard against the threat of burnout.
- The Era of New Digital Regulations: The EU digital and regulatory landscape is currently in transformation with a wave of new regulations, including the Digital Services Act (DSA), Digital Markets Act (DMA), Data Governance Act (DGA), Data Act, NIS2, and the AI Act. DPOs need to continuously update their knowledge to best perform their duties as they relate to broader corporate governance functions and priorities.
- The Evolution of the DPO Role: An essential question arose: what is the future role of the DPO? There is growing consensus that DPOs will serve a pivotal coordination role within evolving data governance teams. It was made clear at the conference that organisational teams, including the DPO, should work in cooperation to achieve compliance with the AI Act and other regulatory requirements as needed. The DPOs alone, are unable to incorporate all these disparate, complex skills, but they are optimally placed to lead a team made up of these various skill sets.
- Education and Leadership: DPOs must take the lead in educating employees and management of AI implications with respect to the processing of personal data.
- Continuous Development and Capacity: Ongoing training is crucial for DPOs to stay updated on emerging regulations. Also, depending on the size and activities of the company, sufficient resources should be available. Therefore, the DPO requires a dedicated budget. Several studies, including the recent CEDPO survey, highlighted the lack of financial and human resources of the DPOs. CEDPO is exploring ways to determine/standardise appropriate budget levels based on sector-specific criteria.
- Building Leadership Skills: It’s not just about compliance. DPOs need to be equipped with robust project management and leadership skills. This is critical to avoid being perceived solely as an “audit” function and to keep up with dynamic business requirements. The DPO role extends beyond compliance. It also concerns safeguarding human dignity in the digital era, and balancing data subject rights with organisational strategy and commercial objectives.
- Embracing Evolution: Recent surveys reveal a positive trend – DPOs are not just adapting, they are optimistic about their evolving roles. They are ready to embrace AI innovations and new regulations, stepping forward as genuine leaders in the data space.
- Regulatory Context: From the supervisory angle, the Belgian Data Protection Authority emphasized AI’s pervasiveness in everyday operations. They are already addressing AI-related inquiries, such as banks leveraging legitimate interests for AI models. The Irish DPC also stated that it was preparing for addressing AI issues with a view to long term involvement in AI regulation enforcement where data protection issues are concerned. Just as the DPO’s role needs to evolve to meet the widening digital policy and legislative landscape, data protection authorities similarly see the need to expand their expertise to address these new areas.
Paul Jordan, Senior Policy Advisor of CEDPO had this to say: “Based on the quality of exchange between delegates and speakers, the DPO Conference highlighted the need for an annual event of this nature. An event where DPOs and data governance professionals from across the EU/EAA can come together to network and discuss the evolution of the EU digital framework, the data economy and the data protection challenges of the day. The opportunity to interact with the European Institutions and national supervisory authorities present was also welcomed by all involved.”
A huge thank you goes to all our speakers, sponsors, and delegates for making the event a reality and a resounding success! We look forward to planning for next year’s edition and hope to see you all again soon!