
The Privacy Advisor | Study: At least 28,000 DPOs needed to meet GDPR requirements


With the passage by the EU Parliament of the General Data Protection Regulation, a five-year process has come to a close and organizations across the Continent are now preparing for a number of new requirements for data collection and processing.

One requirement in particular relates to staffing, something not before seen in European law outside of Germany: Certain organizations will now have to hire, appoint, or contract a data protection officer. Our research indicates the number of DPOs required under the GDPR in Europe alone will be, at the least, 28,000. This number is an estimate based on official statistics about public and private sector data controllers in the EU, taking into account a set of conservative assumptions, as detailed below.

Article 37 of the General Data Protection Regulation requires controllers and processors of personal information to designate a data protection officer when:

(a) The processing is carried out by a public authority or body (except courts); or

(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.

Methodology

Using publicly available statistics from Eurostat, we calculated the approximate number of large EU enterprises (defined there as those with more than 250 employees) in each of 13 non-financial industry sectors: mining and quarrying; manufacturing; electricity, gas, steam and air conditioning supply; water supply, sewerage, waste management and remediation; construction; wholesale and retail trade, repair of motor vehicles; transportation and storage; accommodation and food service activities; information and communication; real estate activities; professional, scientific and technical activities; administrative and support service activities; and repair of computers and personal and household goods.

To be conservative, we excluded all micro, small and medium-sized companies, even though many of them will no doubt engage in the large-scale monitoring or processing of sensitive data and thus be required under the GDPR to appoint a DPO.

We then made a number of calculated assumptions:

• We assumed that any company with at least 5,000 employees would process and monitor human resource data on a “large scale” and would thus need a DPO for such processing. Going by average employee data supplied by Eurostat, we determined roughly 15 percent of all large enterprises had at least 5,000 employees.

• We also assumed that, due to the data-intensive nature of their operations, for the following industry categories up to 50 percent of large companies would need a DPO: transportation and storage (e.g., airlines); accommodation and food service (e.g., hotels); and professional, scientific and technical activities (e.g., accounting firms).

• Finally, we assumed 100 percent of the large enterprises in “information and communication” would need a DPO.

Based upon these assumptions, we estimate that 11,790 non-financial private sector enterprises in the EU would require a DPO under the GDPR.

We further assumed that 100 percent of all financial institutions (7,226) and life insurance enterprises (535) would require a DPO due to the nature of their business.

Lastly, we assumed that many U.S. companies obliged to comply with the GDPR would also require a DPO, and that most of the 4,500 companies that self-certified under the Safe Harbor are likely included in that number. The Department of Commerce reports that 60 percent of those companies were SMEs unlikely to have an EU headquarters, and just 150 were EU companies with U.S. subsidiaries. Thus, we assume a large majority will need a DPO.

Our total estimate based on these assumptions is approximately 24,000 private sector DPOs.

For public authorities, according to a 2010 report on Public Employment in EU Member States, there were around 19,000,000 public administration employees in the EU. At an average of 1,000 employees per agency – the average size of a “large” private enterprise in the EU – that amounts to 19,000 large public agencies across the EU, which will need a DPO and be too large to be covered by a DPO at a senior agency. We can assume some sharing among them – conservatively one DPO for every five agencies – for a total of approximately 4,000 DPOs required in the public sector.

Our research thus suggests that the number of DPOs required under the GDPR will be, at a minimum, 28,000.

What will these data protection officers need to do? The IAPP Westin Fellows, as part of their reports on the top 10 operational impacts of the General Data Protection Regulation, have prepared a detailed report on the DPO’s duties, which you can find here.

In short, while Article 35 does not establish the precise credentials data protection officers must carry, it does require that they have “expert knowledge of data protection law and practices.” The GDPR’s recitals suggest the level of expert knowledge “should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”

The data protection officer’s tasks are also delineated in the regulation to include:

  • Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
  • Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
  • Advising with regard to data protection impact assessments when required under Article 33.
  • Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
  • Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.

According to the European Data Protection Supervisor’s paper on “Professional Standards for Data Protection Officers,” the most relevant certification for a DPO is “the one provided by the International Association of Privacy Professionals.” Similarly, Eric Lachaud, in his article “Should the DPO Be Certified?,” for Oxford University’s International Data Privacy Law journal, reaches the conclusion that the most appropriate certification for the DPO is a combination of the IAPP’s Certified Information Privacy Professional credential for EU professionals (CIPP/E) and Certified Information Privacy Manager (CIPM). The IAPP also offers the Certified Information Privacy Technologist (CIPT) credential, as well as a version of the CIPP for the United States, and one for Canada and the U.S. federal government.

The CIPP/E, CIPP/US, CIPM, and CIPT credentials are certified under ISO standard 17024:2012.


3 Comments


  • Gonca Dhont, CIPP/E, CIPM • Apr 20, 2016
    Rita/Sam – big thanks for this (yet another) eye-opener research from IAPP. The fight for talent is just about to start here in Europe! I think one other factor which could multiply this number is ‘# of DPOs per private enterprise’. I am assuming that some of those 24k private companies in your research will wish/have to appoint more than 1 DPO in Europe (1 per similar jurisdiction, for example); otherwise it is not realistic to expect a super-DPO who knows all about different (non-privacy) local laws, local DPA reflexes and different cultural expectations of European data subjects, which are all too important to perform this job well.
    In order to meet the demand, our community must grow. This will happen over the years with the availability of resources (such as uni degrees, courses/certifications from associations & training companies, even DPA efforts perhaps) and when businesses learn to recognize the talent & drive in young people and in experienced pros who come from other corporate functions. Long way to go but we'll get there! Gonca Dhont | DPO Network Europe
  • Andrew Sanderson • Apr 25, 2016
    Hello Rita/Sam - great article & thanks for sharing the methodology. I think the private sector requirement may be significantly higher: “regular and systematic monitoring of data subjects on a large scale” can also be done by small organisations (as measured by # employees) with a large customer base, in sectors like online portals, ecommerce or direct marketing. Plus, most B2B organisations address prospects and customers via digital techniques like inbound & outbound marketing, where monitoring and analysis of individual behaviour are key to gaining insights and competitive advantage. One-to-one digital marketing has gone from strength to strength over the last 15 years because it paves the way for effective face-to-face selling. GDPR means that permission-based marketing will be essential for any international organisation selling into Europe, not just firms based in the EU. They're *all* going to need DPOs.
  • Sam • Apr 26, 2016
    Andrew and Gonca - Really, we couldn't agree more. We wanted to come out of the gate as conservatively as possible, so that people wouldn't think an organization dedicated to promoting the privacy profession was trying to be hyperbolic. In reality, we think the number of needed DPOs will probably be much higher. Both of your points are well taken, and companies looking to fill these roles should definitely not wait until the last minute, or they may be left with few good candidates from which to choose.