The General Data Protection Regulation, which is an EU-wide privacy regulation, will take effect on 25 May 2018. It introduces a host of new privacy provisions, stipulations and fines, which will require companies to make significant investments into their data handling practices and technical measures.
One of the requirements for companies which process personal data is to appoint a DPO (Data Protection Officer). It is therefore no surprise that a study conducted by the International Association of Privacy Professionals (IAPP) predicts that the GDPR will create the need for 28,000 DPOs in the EU and the US, and a total of 75,000 vacancies worldwide.
Let’s take a closer look at the role and obligations of a DPO, and why the position matters.
The DPO: A Background
A function similar to a DPO already exists in certain EU countries, most notably Germany. With the GDPR, all companies doing business in the EU will have to appoint one if their core business consists of large-scale data processing activities. What constitutes ‘large-scale’ is unclear and should be answered by the supervisory authorities, but appointing a DPO is good practice regardless. If you process special categories of data (sensitive data such as biometric, ethnic or health data), you must appoint a DPO regardless of the scale of processing. Public institutions must also appoint a DPO.
Companies that appoint a DPO must let them act independently; i.e. a DPO cannot receive orders from the management. A DPO may be an existing employee, or a new hire. Smaller companies can ‘share’ a DPO.
A DPO should have expert knowledge of data protection laws and practices. Particular education or mandatory credentials have not been specified in the GDPR, but evidently a DPO must be able to carry out their tasks. Failure to appoint a DPO can carry fines of up to EUR 10 million or 2 percent of a company’s global turnover, whichever is higher.
Tasks of a DPO
The tasks of a Data Protection officer, as per Article 39, are to:
- provide information and advice to the controller or the processor, and to their employees, about their obligations
- monitor compliance with the GDPR and other privacy regulations
- raise awareness and train staff regarding compliance
- provide advice regarding data protection impact assessments
- cooperate with the supervisory authority
- serve as a contact point in a company for the authority
75 Thousand New DPOs
Almost half of companies are planning to appoint their current head of privacy department as their DPO. Most companies are still waiting to decide on their course of action since much is still unknown. The Article 29 Working Party is set to release further guidelines on the role of the data protection officer by the end of this year.
The IAPP study was based on the available Eurostat statistics and took only large companies into account. It has therefore certainly underestimated the demand for DPOs, since plenty of smaller companies will have to appoint one as well.
According to their estimate, roughly 12 thousand private sector enterprises will require a DPO. They assumed that every IT enterprise would require one, as would half of the companies in accounting, transportation, accommodation, and professional, scientific and technical activities. To that number they added one DPO for each financial institution (7,226) and insurance enterprise (535).
Furthermore, a DPO is a requirement for every public body. An estimated 19,000 public agencies will require at least 4,000 DPOs, even if they decide to share them.
The US is expected to require 9,000 DPOs, with China following at 7,500. Switzerland and Russia will each require half that number. Turkey will require about 2,000, with Norway and Japan requiring 300 fewer.
All this adds up to a huge amount – 75,000 worldwide and 28,000 in the EU and the US alone.
The IAPP also conducted an opinion poll which found that fewer than 10 percent of companies plan to hire someone new or outsource the position. 40 percent plan to appoint someone from within their organization, and a further 50 percent say they would train one.
However, these figures come from companies well-versed in privacy issues (IAPP members) and are not a representative sample.
Of course, there will not be 75 thousand new hires, as companies will appoint their current privacy experts as DPOs, and smaller enterprises will share (outsource) them. However, our estimate is that we can expect a surge in demand for DPOs, and that worldwide, we are looking at 30,000 new DPO vacancies.
This effect will be particularly prominent in companies from outside the EU that are not used to dealing with such stringent privacy regulations, but will be required to before 25 May 2018, if they wish to operate within the EU.
The current state of affairs regarding DPOs is still very uncertain. Most companies are waiting for the authorities to publish their guidelines and will then act accordingly.
What is certain is that we will see plenty of new DPOs and that a large number of companies will be affected. This might not be bad after all, as the companies that invest in a DPO will enjoy better data security and safety, while also saving money by avoiding potential fines.