Top 10 Challenges For DPOs

Hosted by Zara Turner, Oliver Rear and David Holmes.

purple data protection podcast icon

What Are The Top 10 Challenges For DPOs?

During this week’s episode of the Data Protection Made Easy Podcast our hosts share insights from our GDPR Support desk, sharing details on the top 10 requests received. We joined our community of Data Protection Practitioners to share ideas on how to avoid some of these challenges and what to do when one arises.

Our hosts came prepared with plenty of useful resources including a list of the top 10 challenges they recieve on the support desk, we wanted to host this session as we thought DPOs would find it a point of comfort, every DPO we work with faces similar challenges and there are some areas of Data Protection which are universally hated and certain processes that people would rather pass on to someone else, the chart below provides a perfect insight into what other DPOs are going through and where they are utilising our team here at Data Protection People.

Inbound Support Desk Requests

Inbound Support Desk Requests

What do we cover:


    • Applying for exemptions;
    • What falls under the scope of a SAR e.g. work phones, Teams messages – our advice on what you should focus on.

Data Processors/DPA

    • DPA reviews – key areas that struggle within contract reviews: written instructions, controller’s obligations and rights, security of processing (assisting the controller with communication of data breach to data subjects etc.).
    • What does it mean if the DPA doesn’t meet all of the requirements of Art 28(3)?

Data Sharing

    • DSAs: what are the key things that we look for? Data subject’s rights and data breaches.
    • Consider the need for flexibility against the desire to have a standardised procedure (within the contract) for data sharing.
    • When getting requests for information from Police etc. When you are actually obliged to provide information?

Policies & Procedures

    • Importance of having an IGF in place and the need to review these policies – the number of policies quoting old law etc.

Data breaches

    • Importance of fully analysing a data breach, how it occurred and its implications.
    • How to avoid and prevent potential data breaches.


    • Tend to be difficult for individuals who don’t have much experience in Data Protection (as often individuals who complete DPIAs are) – the key thing is to provide as much detail as possible to make it easy for a 3rd party to review and understand.
    • Key risks to always consider are data subject rights and breaches.
    • Can separate risks into two categories: risk to organisation and risk to data subjects.

Other rights requests

    • Mainly right to erasure or removal of consent – important to know when these rights requests apply. Also, that does not invalidate previous processing on basis of consent, only future processing on consent.

Lawful grounds

    • Key issue of relying on consent when consent is not appropriate, often view consent as being necessary for data processing but is not.
      Privacy information
    • Importance of covering all of your processing within a privacy notice, transparency requirements – considering child-friendly language etc.


    • Particularly tricky in the housing sector with tenants CCTV, the key recommendation is to discourage the use of CCTV (outside of property boundary) by tenants due to issues of operating in compliance with Data Protection laws.

Tune in to part 2

We will be returning with part 2 of this discussion on the 7th of October 2022, if you would like to be notified when the invite to that session is available, get in touch with one of the team or follow us on LinkedIn where we share regular updates on our events.

If you would like to work with our GDPR Support Desk and have the stress of any of the challenges above taken off your hands, get in touch with one of the team or contact us here.