ar130405 - Fotolia

GDPR will require 75,000 DPOs worldwide, study shows

The General Data Protection Regulation is likely to help boost the data protection profession, with 75,000 data protection officers needed worldwide for organisations to comply with new EU rules

New European Union data protection rules will require the appointment of at least 75,000 data protection officers (DPOs) in the next two years, a study has revealed.

Even though the final version of the General Data Protection Regulation (GDPR) requires only public authorities and other entities engaged in profiling to appoint a DPO, the staffing impact will be substantial, according to the International Association of Privacy Professionals (IAPP) study.

The DPO requirement is borrowed from a similar programme in Germany, which has been in place for a decade. But it is a new concept almost everywhere else and is bound to generate some confusion, the IAPP warned.

An earlier study revealed that by the time the GDPR becomes enforceable on 25 May 2018, European firms outside Germany, and US firms that do business in the EU, will have to hire, appoint or contract around 28,000 data protection officers for the first time to ensure they comply with the new regulation.

At least 47,000 more DPOs will be required by firms outside of the EU and the US because of the global reach of the GDPR, the latest study found.

“The data protection profession has been growing steadily for many years. We expect to see even more growth as result of the GDPR mandate,” said Trevor Hughes, president and CEO of the IAPP.

“But good business is also a major driver; organisations today simply must address privacy concerns to succeed in the information economy,” he said.

Under its own terms, the GDPR governs the privacy practices of any company handling EU citizens’ data, whether or not that company is located in the EU. The EU represents the world’s largest economy and the top trading partner for 80 countries, and, as a result, many companies around the globe trade with EU citizens and are thus subject to the GDPR.

Article 37 of the GDPR requires all controllers and processors of personal information of EU citizens to designate a data protection officer when the processing is carried out by a public authority or when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.

Data protection is a big responsibility

The DPO position is by law “independent” from the organisation that funds it and is unique in many ways that may be foreign to those working in economies outside the EU.

As organisations globally look to come into compliance with the GDPR, they will have to make certain decisions about who will fill the role, to whom that role will report, and how that role will operate inside the organisation, according to the IAPP.

Appointing a data protection officer is just the beginning, said Omer Tene, vice-president of research and education at the IAPP. “Organisations will need to ensure DPOs are well qualified and trained in the growing body of knowledge of the privacy profession, including law, technology and data management best practices,” he said.

Read more about the GDPR

A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfil the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.

Based on the calculation that the US will need 9,000 DPOs and that the US represents 17.1% of Europe’s global trade, the study extrapolates the number of DPOs required by other trading partners.

Using this methodology, the IAPP study showed the countries that will require the greatest number of DPOs outside Europe and the US are China (7,568), Switzerland (3,682), Russia (3,068), Turkey (2,045), Norway (1,790) and Japan (1,688).

In an attempt to meet the GDPR’s requirement, a study by IAPP and Trust-e showed that four in 10 companies plan to make their current privacy leader their DPO. Another 50% say they will appoint someone on the privacy leader’s team or train up someone already within the organisation. Fewer than 10% report that they will have to hire from outside the company or outsource the role to a law firm or consultancy.

GDPR presents operational hurdle

Most companies appear to be erring on the side of caution, with 80% of respondents saying they plan to appoint a DPO to comply with the GDPR.

However, the IAPP said it should be noted the study was conducted with respondents known already to the IAPP. “There will undoubtedly be some variation in how average companies around the world comply, especially if they have not yet set up a formal privacy office of some kind,” the IAPP said.

Privacy remains “new” in many parts of the world, the IAPP said, and even where it is more firmly established, organisational privacy departments are still relatively recent inventions.

For more mature countries, the IAPP said the DPO requirement of the GDPR should present little problem, but for those just getting up to speed, it may present more of an operational hurdle.

Read more on Privacy and data protection