With the passage by the EU Parliament of the General Data Protection Regulation, a five-year process has come to a close and organizations across the Continent are now preparing for a number of new requirements for data collection and processing.
One requirement in particular relates to staffing, something not before seen in European law outside of Germany: Certain organizations will now have to hire, appoint, or contract a data protection officer. Our research indicates the number of DPOs required under the GDPR in Europe alone will be, at the least, 28,000. This number is an estimate based on official statistics about public and private sector data controllers in the EU, taking into account a set of conservative assumptions, as detailed below.
Article 37 of the General Data Protection Regulation requires controllers and processors of personal information to designate a data protection officer when:
(a) The processing is carried out by a public authority or body (except courts); or
(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”
A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.
Methodology
Using publicly available statistics from Eurostat, we calculated the approximate number of large EU enterprises (defined there as those with more than 250 employees) in each of 13 non-financial industry sectors: mining and quarrying; manufacturing; electricity, gas, steam and air conditioning supply; water supply, sewerage, waste management and remediation; construction; wholesale and retail trade, repair of motor vehicles; transportation and storage; accommodation and food service activities; information and communication; real estate activities; professional, scientific and technical activities; administrative and support service activities; and repair of computers and personal and household goods.
To be conservative, we excluded all micro, small and medium-sized companies, even though many of them will no doubt engage in the large-scale monitoring or processing of sensitive data and thus be required under the GDPR to appoint a DPO.
We then made a number of calculated assumptions:
• We assumed that any company with at least 5,000 employees would process and monitor human resource data on a “large scale” and would thus need a DPO for such processing. Going by average employee data supplied by Eurostat, we determined roughly 15 percent of all large enterprises had at least 5,000 employees.
• We also assumed that, due to the data-intensive nature of their operations, for the following industry categories up to 50 percent of large companies would need a DPO: transportation and storage (e.g., airlines); accommodation and food service (e.g., hotels); and professional, scientific and technical activities (e.g., accounting firms).
• Finally, we assumed 100 percent of the large enterprises in “information and communication” would need a DPO.
Based upon these assumptions, we estimate that 11,790 non-financial private sector enterprises in the EU would require a DPO under the GDPR.
We further assumed that 100 percent of all financial institutions (7,226) and life insurance enterprises (535) would require a DPO due to the nature of their business.
Lastly, we assumed that many U.S. companies obliged to comply with the GDPR would also require a DPO, and of those companies we assumed that most of those who self-certified under the Safe Harbor (4,500) are likely included in that number. The Department of Commerce reports 60 percent of the companies were SMEs unlikely to have a EU headquarters and just 150 were EU companies with U.S. subsidiaries. Thus, we assume a large majority will need a DPO.
Our total estimate based on these assumptions is approximately 24,000 private sector DPOs.
For public authorities, according to a 2010 report on Public Employment in EU Member States, there were around 19,000,000 public administration employees in the EU. At an average of 1,000 employees per agency – the average size of a “large” private enterprise in the EU – that amounts to 19,000 large public agencies across the EU, which will need a DPO and be too large to be covered by a DPO at a senior agency. We can assume some sharing among them – conservatively one DPO for every five agencies – for a total of approximately 4,000 DPOs required in the public sector.
Our research thus suggests that the number of DPOs required under the GDPR will be, at a minimum, 28,000.
What will these data protection officers need to do? The IAPP Westin Fellows, as part of their reports on the top 10 operational impacts of the General Data Protection Regulation, have prepared a detailed report on the DPO’s duties, which you can find here.
In short, while Article 35 does not establish the precise credentials data protection officers must carry, it does require that they have “expert knowledge of data protection law and practices.” The GDPR’s recitals suggest the level of expert knowledge “should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”
The data protection officer’s tasks are also delineated in the regulation to include:
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising with regard to data protection impact assessments when required under Article 33.
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
According to the European Data Protection Supervisor’s paper on “Professional Standards for Data Protection Officers,” the most relevant certification for a DPO is “the one provided by the International Association of Privacy Professionals.” Similarly, Eric Lachaud, in his article “Should the DPO Be Certified?,” for Oxford University’s International Data Privacy Law journal, reaches the conclusion that the most appropriate certification for the DPO is a combination of the IAPP’s Certified Information Privacy Professional credential for EU professionals (CIPP/E) and Certified Information Privacy Manager (CIPM). The IAPP also offers the Certified Information Privacy Technologist (CIPT) credential, as well as a version of the CIPP for the United States, and one for Canada and the U.S. federal government.
The CIPP/E, CIPP/US, CIPM, and CIPT credentials are certified under ISO standard 17024:2012.