Greetings from the Nordics,
A sunless period of winter is behind us, and we are heading toward spring!
We celebrated Data Protection Day here in Helsinki with local privacy professionals a couple of weeks ago. During the day, we heard, among other things, the latest news from Finland's data protection authority. One of its focus areas in 2023 is the position of the data protection officer. In September 2022, the European Data Protection Board introduced a topic for the next coordinated action, which will concern the designation and position of the DPO. It is clear DPOs need support and resources in their work within the organizations.
Sweden’s data protection authority, the Integritetsskyddsmyndigheten, recently published “Data Protection in practice” containing responses from more than 800 DPOs from Swedish organizations. A similar survey was published in 2019, and it is interesting to see how some results have changed for the better, while some issues are still challenging.
The report found half of DPOs felt they have enough time to work effectively with data protection. However, a quarter lack specific time allocated for data protection issues. It is concerning that 30% of respondents reported they did not receive sufficient training and skills in their role, which means a number of organizations are not receiving proper internal advice on data protection issues. Considering how to organize appropriate, readily available training to give data protection professionals sufficient “knowledge” tools to do their important work is a common challenge for member states.
Less than half of the DPOs said data protection work is systematic, and only half reported they are able to convince management of the importance of data protection issues, but those are not included in a timely manner. This means organizations have not been able to integrate data protection into their regular control, support and core processes. It has not become a natural part of development, change and improvement processes. Only one-tenth are included in different projects from the beginning and one-fifth are included only in the final stage.
DPOs see the biggest challenges in creating practical procedures and integrating data protection rules within their organization. More DPOs feel the biggest problem is a lack of commitment and knowledge on the part of management, while fewer feel interpreting the regulations is the major challenge. Compared with the previous survey from 2019, the biggest challenges with upward trends are: the EU General Data Protection Regulation being perceived as an obstacle for the organization, the lack of involvement from management and the lack of knowledge from management.
I find this quite worrying. If DPOs do not get sufficient support from management and there is a lack of knowledge throughout the organization, data protection work cannot be done properly. This is a common problem for us. The only downward trend among these challenges is improved clarity when interpreting provisions, which means lots of learning has taken place. The authorities and the courts are working on interpreting the rules and giving guidance.
As we can see, development has happened, but there is still more work to do. Interestingly, the Court of Justice of the European Union issued a significant ruling for data protection officers in that they can "maintain other tasks and duties within their role" if there is not a conflict of interest. A strong community is a great resource for a DPO, but it is not enough. I think it is important for the DPAs and the EDPB to recognize this as one of the spotlight topics for the year. It will be interesting to see the results. What we can do is support one another — let’s keep that in mind!