WP29 and the role of DPO

By | Friday November 11th, 2016

The FabLab Group (established by WP29) drew up the summary document that will lead to the issuing of best practices and guidelines on the role of the DPO, Data Portability, DPIA and the criteria for Privacy Certification. As for the DPO, as you may already have had occasion to read, I am among those who support the thesis that this is eminently a warranty role, and therefore not an operational one, distinct from the Privacy Officer. For that reason I find this proposition about the duties of the Data Controller towards the DPO interesting: “Authorize the DPO to be included and have a real involvement in all protection activities”. So, if we were talking about an operative role, one that enforces policy in the company (a privacy officer or compliance manager), would you need a mandate from top management to engage him in privacy activities? Of course not. So it follows that we are talking about a warranty role; or not?!

http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2016/20160930_fablab_results_of_discussions_en.pdf

The other points, such as certifications, are interesting as well.
