As the EU General Data Protection Regulation approaches its first birthday, hundreds of thousands of privacy professionals have jobs tied to the milestone. New IAPP research indicates that an estimated 500,000 organizations have registered data protection officers across Europe under the GDPR.
The GDPR, which has been in force since May 2018, requires public authorities and companies monitoring individuals or processing special categories of their data on a large scale to register a DPO who has “expert knowledge of data protection law and practices.” In 2017, an IAPP study estimated the GDPR would create a need for at least 75,000 DPOs worldwide. As the GDPR’s first year draws to a close, we examined how many organizations put DPOs to work in practice. It turns out, our initial estimate, which seemed huge at the time, fell far short of the reality.
The new estimate, which indicates a half-million organizations already registered DPOs, combined with new data from IAPP’s latest salary survey, sheds light on the rapid growth of the privacy profession and the expanding role of DPOs in Europe and beyond.
The new estimate, which indicates a half-million organizations already registered DPOs, combined with new data from IAPP’s latest salary survey, sheds light on the rapid growth of the privacy profession and the expanding role of DPOs in Europe and beyond. As European Data Protection Board Chair Andrea Jelinek said at the 2019 IAPP Global Privacy Summit, “the importance of the DPO cannot be overestimated.”
Methodology
IAPP’s current assessment is based on DPO registration data received from data protection authorities in Austria, Bulgaria, Denmark, Finland, France, Germany, Ireland, Italy, the Netherlands, Spain, Sweden and the United Kingdom, which together account for about 80% of European Economic Area gross domestic product. In these 12 EU member states alone, at least 376,306 DPO registrations were sent to DPAs. Using this data, along with GDP figures and publicly available statistics from Eurostat on the number of enterprises active in the economy, we calculated the number of DPO registrations per country as a percentage of GDP and total company presence. We found that the number of enterprises in the economy was a more accurate predictor than GDP of the number of organizations registering DPOs. From this data, we estimated the number of DPOs in the remaining EEA countries, assuming that in aggregate they would have an approximately equal percentage of DPOs in relation to total company presence. Recognizing the different standard for DPO registrations in Germany, which required the appointment of DPOs pre-GDPR and therefore results in a higher number of registrations, German numbers were calculated separately based on data received from the federal and state-level data protection authorities. The German total of close to 200,000 organizations with a registered DPO was added to the extrapolated EEA total (minus Germany).
The estimated 500,000 organizations that have registered DPOs across the EEA include both private-and public-sector organizations. While we lack sufficient data to approximate the percentages of public versus private entities at the EU level, the data we have suggests that public authorities represent a sizeable portion of the total. For instance, in Ireland, public authorities have submitted 18% of DPO registrations, whereas in Italy, the public sector accounts for 35 % of registrations.
Since organizations are permitted to use external DPOs, who, in turn, may serve multiple organizations, the number of DPOs is lower than the total count of organizations. In France, the pooling effect is significant. While almost 52,000 organizations have registered, the actual DPO population is just shy of 18,000. At the same time, in many organizations, the DPO does not work alone, but rather as one member of a team of privacy professionals.
Looking forward and more broadly
Our findings led us to consider how the roles of DPOs in Europe compare to those of their foreign counterparts and whether the number of European DPOs is comparable to the number of privacy professionals in the United States, which has a similar GDP. In the IAPP’s latest salary survey, we found that the salary of a typical DPO in the United States was $140,000 compared to $88,000 in the EU. However, the DPO title was less frequently used in the United States, where the chief privacy officer title was far more common. A typical CPO in the U.S. commanded $212,000, whereas in the U.K., the median salary was $185,000, and in the rest of the EU, it was $142,000. The CPO title was less frequently used outside of the United States.
This raises the question: Has a gap emerged between the roles and responsibilities of U.S. and EU privacy officers? If so, might the GDPR’s requirement that the “data protection officer shall directly report to the highest management level” eventually help more EU privacy professionals rise to the C-suite over time?
This raises the question: Has a gap emerged between the roles and responsibilities of U.S. and EU privacy officers? If so, might the GDPR’s requirement that the “data protection officer shall directly report to the highest management level” eventually help more EU privacy professionals rise to the C-suite over time? Perhaps more interestingly, looking forward, will replication of data protection officer requirements in U.S. or foreign legislation lead to the continued growth of the privacy profession globally? In this next few years, we will likely find out.