Data Protection Officer Role Will Be Key If You Operate in the E.U.


"The data protection officer must be empowered by the organization to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so," say Ulrich Bäumer and Stephanie Ostermann of the , an online legal update service for companies and law firms worldwide.

"The E.U. regulation specifically requires the data protection officer to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally," say Bäumer and Ostermann. "Responsibility for training staff is also mentioned as important. In short, the data protection officer must ensure that his or her organization has adopted good data governance policies and procedures."

The new legislation would require organizations to demonstrate that they have undertaken regular data protection audits and privacy impact assessments using recognized industry standards, including demonstrating that privacy compliance and risk mitigation steps have been implemented before putting in place new processing systems and activities.