Study: At least 28,000 DPOs needed to meet GDPR requirements

With the passage by the EU Parliament of the General Data Protection Regulation, a five-year process has come to a close and organizations across the Continent are now preparing for a number of new requirements for data collection and processing.

One requirement in particular relates to staffing, something not before seen in European law outside of Germany: Certain organizations will now have to hire, appoint, or contract a data protection officer. Our research indicates the number of DPOs required under the GDPR in Europe alone will be, at the least, 28,000. This number is an estimate based on official statistics about public and private sector data controllers in the EU, taking into account a set of conservative assumptions, as detailed below.

Article 37 of the General Data Protection Regulation requires controllers and processors of personal information to designate a data protection officer when:

(a) The processing is carried out by a public authority or body (except courts); or

(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.

Methodology

Using publicly available statistics from Eurostat, we calculated the approximate number of large EU enterprises (defined there as those with more than 250 employees) in each of 13 non-financial industry sectors: mining and quarrying; manufacturing; electricity, gas, steam and air conditioning supply; water supply, sewerage, waste management and remediation; construction; wholesale and retail trade, repair of motor vehicles; transportation and storage; accommodation and food service activities; information and communication; real estate activities; professional, scientific and technical activities; administrative and support service activities; and repair of computers and personal and household goods.

To be conservative, we excluded all micro, small and medium-sized companies, even though many of them will no doubt engage in the large-scale monitoring or processing of sensitive data and thus be required under the GDPR to appoint a DPO.

We then made a number of calculated assumptions:

• We assumed that any company with at least 5,000 employees would process and monitor human resource data on a “large scale” and would thus need a DPO for such processing. Going by average employee data supplied by Eurostat, we determined roughly 15 percent of all large enterprises had at least 5,000 employees.

• We also assumed that, due to the data-intensive nature of their operations, for the following industry categories up to 50 percent of large companies would need a DPO: transportation and storage (e.g., airlines); accommodation and food service (e.g., hotels); and professional, scientific and technical activities (e.g., accounting firms).

• Finally, we assumed 100 percent of the large enterprises in “information and communication” would need a DPO.

Based upon these assumptions, we estimate that 11,790 non-financial private sector enterprises in the EU would require a DPO under the GDPR.

We further assumed that 100 percent of all financial institutions (7,226) and life insurance enterprises (535) would require a DPO due to the nature of their business.

Lastly, we assumed that many U.S. companies obliged to comply with the GDPR would also require a DPO, and that most of the companies that self-certified under the Safe Harbor (4,500) are likely included in that number. The Department of Commerce reports that 60 percent of those companies were SMEs unlikely to have an EU headquarters, and that just 150 were EU companies with U.S. subsidiaries. Thus, we assume a large majority will need a DPO.

Our total estimate based on these assumptions is approximately 24,000 private sector DPOs.

For public authorities, according to a 2010 report on Public Employment in EU Member States, there were around 19,000,000 public administration employees in the EU. At an average of 1,000 employees per agency – the average size of a “large” private enterprise in the EU – that amounts to 19,000 large public agencies across the EU, each of which will need a DPO and is too large to be covered by a DPO located at a senior agency. We can assume some sharing among them – conservatively one DPO for every five agencies – for a total of approximately 4,000 DPOs required in the public sector.

Our research thus suggests that the number of DPOs required under the GDPR will be, at a minimum, 28,000.

What will these data protection officers need to do? The IAPP Westin Fellows, as part of their reports on the top 10 operational impacts of the General Data Protection Regulation, have prepared a detailed report on the DPO’s duties, which you can find here.

In short, while Article 35 does not establish the precise credentials data protection officers must carry, it does require that they have “expert knowledge of data protection law and practices.” The GDPR’s recitals suggest the level of expert knowledge “should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”

The data protection officer’s tasks are also delineated in the regulation to include:

  • Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
  • Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
  • Advising with regard to data protection impact assessments when required under Article 33.
  • Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
  • Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.

According to the European Data Protection Supervisor’s paper on “Professional Standards for Data Protection Officers,” the most relevant certification for a DPO is “the one provided by the International Association of Privacy Professionals.” Similarly, Eric Lachaud, in his article “Should the DPO Be Certified?,” for Oxford University’s International Data Privacy Law journal, reaches the conclusion that the most appropriate certification for the DPO is a combination of the IAPP’s Certified Information Privacy Professional credential for EU professionals (CIPP/E) and Certified Information Privacy Manager (CIPM). The IAPP also offers the Certified Information Privacy Technologist (CIPT) credential, as well as a version of the CIPP for the United States, and one for Canada and the U.S. federal government.

The CIPP/E, CIPP/US, CIPM, and CIPT credentials are certified under ISO standard 17024:2012.


Written by Rita Heimes, CIPP/US, and Sam Pfeifle

3 Comments


  • Gonca Dhont, CIPP/E, CIPM Apr 20, 2016

    Rita/Sam – big thanks for this (yet another) eye-opener research from IAPP. The fight for talent is just about the start here in Europe! I think one other factor which could multiply this number is ‘# of DPOs per private enterprise’. I am assuming that some of those 24k private companies in your research will wish/have to appoint more than 1 DPO in Europe (1 per similar jurisdiction for example); otherwise it is not realistic to expect a super-DPO who knows all about different (non-privacy) local laws, local DPA reflexes and different cultural expectations of European data subjects, which are all too important to perform this job well.
    In order to meet the demand, our community must grow. This will happen by time in years with the availability of resources (such as uni degrees, courses/certifications from associations & training companies, even DPA efforts perhaps) and when businesses learn to recognize the talent & drive in young people and in experienced pros who come from other corporate functions. Long way to go but we'll get there! Gonca Dhont | DPO Network Europe
  • Andrew Sanderson Apr 25, 2016

    Hallo Rita/Sam - great article & thanks for sharing the methodology. I think the private sector requirement may be significantly higher: “regular and systematic monitoring of data subjects on a large scale” can also be done by small organisations (as measured by # employees) with a large customer base, in sectors like online portals, ecommerce or direct marketing. Plus, most B2B organisations address prospects and customers via digital techniques like inbound & outbound marketing, where monitoring and analysis of individual behaviour are key to gaining insights and competitive advantage. One-to-One digital marketing has gone from strength to strength over the last 15 years because it paves the way for effective Face-to-Face selling. GDPR means that Permission-based marketing will be essential for any International organisation selling into Europe, not just firms based in the EU. They're *all* going to need DPOs.
  • Sam Apr 26, 2016

    Andrew and Gonca - Really, we couldn't agree more. We wanted to come out of the gate as conservatively as possible, so that people wouldn't think an organization dedicated to promoting the privacy profession was trying to be hyperbolic. In reality, we think the number of needed DPOs will probably be much higher. Both of your points are well taken, and companies looking to fill these roles should definitely not wait until the last minute, or they may be left with few good candidates from which to choose.
