As we approach the anniversary of the EU General Data Protection Regulation (GDPR), we are finally starting to get a picture of data protection officers’ responsibilities and what the job looks like in practice.

CPO Magazine conducted a survey of over 250 data protection officers (DPOs) most of whom work for some of the world’s largest companies in the technology and finance sectors. They spoke about how they are responding to a post-GDPR world, the challenges they face when massive data breaches still happen with disappointing regularity, and what privacy policies and procedures they are prioritizing in the face of a public that has grown more aware of their data privacy rights. This allows us to see how the role of data protection officer has developed over the first year the GDPR — and where it could be headed next.

The data protection officer role under the GDPR

A data protection officer is responsible for overseeing an organization’s data protection strategy and implementation. They are the officer that ensures that an organization is complying with the GDPR’s requirements. According to GDPR Article 39, a data protection officer’s responsibilities include:

  • Training organization employees on GDPR compliance requirements
  • Conducting regular assessments and audits to ensure GDPR compliance
  • Serving as the point of contact between the company and the relevant supervisory authority
  • Maintaining records of all data processing activities conducted by the company
  • Responding to data subjects to inform them about how their personal data is being used and what measures the company has put in place to protect their data
  • Ensuring that data subjects’ requests to see copies of their personal data or to have their person data erased are fulfilled or responded to, as necessary.

These are some of the requirements contained in the text of the GDPR. But the new survey is the first look at what challenges data protection officers faced in the actual execution of their duties.

Challenges data protection officers faced in 2018

The most substantial finding from the survey is just how difficult it has been for DPOs to embed data protection best practices into their larger organizations. Nearly one in four (23 percent) of DPOs said their main challenge was obtaining sufficient resources for their work, and an additional 13 percent said they did not have the support of management. Taken together, that’s over 40 percent of DPOs saying that their organization is not adequately prioritizing data security.

These subjective reports are born out by the budgets that show that nearly half (46 percent) of the organizations surveyed spent less than 5 percent of their annual governance, risk, and compliance budget on data protection activities. Larger companies paid more than smaller companies, but 48 percent of companies that had between 1,001 and 5,000 employees worldwide spent less than $250,000 on data protection and privacy activities.

Perhaps unsurprisingly, with the lack of budget and support, 75 percent of companies had data protection departments of 10 or fewer employees, including roughly 40 percent of companies with more than 5,000 employees, and 23 percent of enterprises had one employee working on data protection. The report states that the companies did not intend to have such low headcounts, but they are the logical results of budgeting and organizational challenges.  

Data protection officers’ goals for 2019

According to the surveyed data protection officers, the two most popular priorities for 2019 are to create a culture of data protection awareness and to enhance the governance of data processing activities, each of which received 26 percent of the response. The DPOs who said building greater data protection awareness was their priority were split almost evenly in how they would go about creating that awareness: 35 percent said they would conduct awareness campaigns, 35 percent said they would institute formal employee training sessions, and 31 percent said they would regularly update senior executives in a top-down approach. For the DPOs who were more concerned about improving the governance of data processing activities, the two processes they focused on most were responding to data subject requests (31 percent) and consent management (29 percent).

The priority the DPO chose was also a function of how long they had been on the job and how much the data protection program had matured at their organization. According to the survey, a DPO’s first priority is generally to create data protection awareness among the company’s staff. As the data protection program matures and the organization, as a whole, more consistently applies data protection best practices, the DPO can move on to prioritizing the enhanced governance of data processes and then to deploy new technologies and business models to improve GDPR compliant data processing activities.

Lessons for businesses

The first takeaway from this report is that data protection is still in its very early stages at most large companies. Data protection teams are understaffed and underfunded, and one year into the GDPR, it seems as though their priorities reflect companies that are just beginning to grapple with GDPR compliance.

This also suggests that companies have not prioritized their data protection programs. This may be a reflection of how few GDPR fines have been assessed so far. Something to keep an eye on will be whether the funding of data protection activities increases as GDPR fines do.

One thing we have seen is that data protection officers remain in high demand, according to the job site Indeed. The number of postings for privacy-oriented positions has spiked over the past year. So it seems likely the number of companies with robust privacy departments will likely increase in the coming years.

If your business is still grappling with GDPR compliance questions, the resources on this website can help. Our GDPR compliance checklist is a good place to start. You can also search the full text of the GDPR to find answers to specific questions.