The GDPR requires that the DPO operate independently and without instruction from their employer over how they carry out their DPO tasks. This includes instructions on what result should be achieved, how to investigate a complaint or whether to consult the ICO. Organisations also cannot tell their DPO how to interpret data protection law.
No conflicts of interest
Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations are obliged to ensure that these do not result in a “conflict of interests” with the DPO duties. Most senior positions within an organisation are likely to cause a conflict (e.g., CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR and head of IT).