European Union data protection rules will require the appointment of 28,000 data protection officers (DPOs) in the next two years in Europe and the US alone, a study revealed.
Even though the final version of the General Data Protection Regulation (GDPR) requires only public authorities and other entities engaged in profiling to appoint a DPO, the staffing impact will be substantial, according to a study by the International Association of Privacy Professionals (IAPP).
By the time the GDPR comes into force in early 2018, thousands of European firms outside Germany will have to hire, appoint or contract a data protection officer for the first time, but the IAPP study is the first to estimate the size of the challenge.
Article 37 of the GDPR requires controllers and processors of personal information to designate a data protection officer when the processing is carried out by a public authority or when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.
The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfill the tasks designated under Article 39.
These tasks involve regulatory compliance, training staff on proper data handling and co-ordinating with the supervisory authority, with an ability to understand and balance data processing risks.
Even though a single DPO may represent a group of undertakings or multiple public authorities or bodies, the IAPP study shows staffing requirements are likely to present a big challenge.
Research methodology and parameters
The IAPP study used publicly available statistics from Eurostat to calculate the approximate number of large EU enterprises with more than 250 employees that are likely to require DPOs.
To be conservative in its estimates, the IAPP excluded all micro, small and medium-sized companies, even though many of them will engage in the large-scale monitoring or processing of sensitive data.
The study assumes that any company with at least 5,000 employees would process and monitor human resource data on a “large scale” and would thus need a DPO for such processing.
According to employee data supplied by Eurostat, roughly 15% of all large enterprises had at least 5,000 employees.
The study also assumes that, due to the data-intensive nature of their operations, up to 50% of large companies would need a DPO in the transportation and storage, accommodation and food service, and professional, scientific and technical sectors.
The study also assumed 100% of the large enterprises in “information and communication” would need a DPO.
Based on these assumptions, the IAPP estimates 11,790 non-financial private sector enterprises in the EU will need a DPO under the GDPR.
The study assumed 100% of all financial institutions (7,226) and life insurance enterprises (535) would require a DPO, due to the nature of their business.
Lastly, the study assumed that many US companies obliged to comply with the GDPR would also require a DPO; of those companies, the study assumed that those who self-certified under the now-defunct Safe Harbour agreement – some 4,500 – are likely not to have an EU subsidiary and so not likely to be counted already as an EU enterprise.
The IAPP’s total estimate based on these assumptions is approximately 24,000 private sector DPOs.
DPOs in the public sector
For public authorities, a 2010 report, Public Employment in EU Member States, counted around 19 million public administration employees in the EU. At an average of 1,000 employees per agency, the average size of a “large” private enterprise in the EU, that amounts to 19,000 large public agencies across the EU, each of which will need a DPO and will be too large to be covered by a DPO based at a senior agency.
The study assumes some sharing among agencies, conservatively one DPO for every five agencies, for a total of approximately 4,000 DPOs required in the public sector.
The GDPR requirements are expected to result in a recruitment drive for DPOs, but the competition is likely to be fierce in the light of the ongoing shortage of cyber security and privacy professionals, which is likely to spark a training drive for DPOs.
As many commentators are warning, organisations that have waited for the publication of the final text of the GDPR before taking action are likely to struggle for compliance by the time the rules are enforced, and finding a DPO could be one of the most challenging areas.
According to the European Data Protection Supervisor’s paper on Professional Standards for Data Protection Officers, the most relevant certification for a DPO is “the one provided by the International Association of Privacy Professionals”.
However, Eric Lachaud, in his article Should the DPO Be Certified? for Oxford University’s International Data Privacy Law journal, concludes that the most appropriate certification for the DPO is a combination of the IAPP’s Certified Information Privacy Professional credential for EU professionals and Certified Information Privacy Manager.