What is the DPO's role in risk analysis? Please give concrete examples of their tasks in this process.
ANSWER
The DPO's role and activities in connection with conducting a risk analysis are determined by the scope of their tasks under Article 39(1) GDPR (in particular points (a) and (b) of that article):
"The data protection officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of personnel involved in processing operations, and the related audits (…)."
The DPO does not conduct the risk analysis themselves, but should be involved in assessing it for GDPR compliance. In practice, the following activities related to risk analysis should remain with the DPO:
- informing the controller (processor) of the obligation to conduct a risk analysis;
- verifying the risk analysis conducted for GDPR compliance;
- providing recommendations on possible changes or supplements;
- periodically auditing the risk analysis and providing recommendations for changes or supplements;
- training the controller's personnel in conducting risk analysis.