CNIL Probes Role of Data Protection Officers in AI Act Compliance
French DPA CNIL is taking part in an initiative to assess the impact of AI on the role of data protection officers (DPOs), it announced Wednesday.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The observational survey, which also includes the Ministry of Labor and Social Affairs and the French Association of Data Protection Correspondents, will address several questions, CNIL said, according to a translation. These include the current methods of AI governance within organizations, the role the DPO plays in those methods, and the main challenges that DPOs face with regard to tools and training.
The result, due in the first half of 2026, will help CNIL assist DPOs and professionals integrate new regulatory challenges into their practice, it said.
As AI systems are rapidly integrated into many organizations and the EU AI Act creates additional challenges, DPOs must understand the developments of the AI law, which is expected to be aligned with the GDPR, while at the same time keeping up with technological developments, the DPA said.
Simultaneously, there are new roles emerging in the field of compliance, such as AI compliance officer and digital ethics officer, CNIL said. These developments raise questions about the place of DPOs and how far their jurisdiction extends.
The GDPR requires DPOs to be involved in all matters relating to personal data, regardless of the technology used, the DPA said. But AI systems often operate using personal data, and in that case, an organization must involve the DPO from the outset to ensure that any used AI systems comply with data protection law.
However, getting DPOs involved in processing carried out by AI doesn't mean making them the lead person responsible for compliance with AI regulations within their organizations, CNIL noted. Enforcement of the AI Act will require skills that, to date, aren't necessarily expected of a DPO. Companies will need to define the terms of DPO involvement, as well as what additional expertise is needed for good governance of AI systems, CNIL said.
DPOs have many assets they can leverage to play a key role in AI Act compliance, the watchdog added. The act complements the GDPR by setting the conditions required to develop and deploy trustworthy AI systems, so "mastering the principles of the GDPR undeniably facilitates compliance with the AI Act."
Additionally, the two regulations are similar in having a risk-based approach, an accountability principle, a requirement for documentation and transparency, and the protection of fundamental rights. A large part of a DPO's skills related to GDPR compliance could be leveraged to ensure proper application of the AI Act, CNIL said.
Capitalizing on those skills is a "relevant approach" for organizations that now must integrate the requirements of the AI Act, it said. "While the deployment of AI represents a challenge, relying on solid and recognized skills is a guarantee of effectiveness."