Wednesday, September 13, 2023

How would you align the incentives of a Data Protection Officer with the goals of the organization?

In previous posts, we have blogged about the onerous EU privacy rules. Just came across another, the GDPR Data Protection Officer, or DPO.

According to Article 38, other employees in the organization aren’t allowed to issue any instructions to the DPO regarding the performance of their tasks. So, not only does the DPO have wide-ranging responsibilities, but the position is shielded from potential interference from the organization.
Wow. What is the performance metric, and are you prohibited by law from tying pay to performance as it could constitute "interference?"
