Study: GDPR’s global reach to require at least 75,000 DPOs worldwide

The EU’s General Data Protection Regulation will take effect in May 2018. Under its own terms, the Regulation governs the privacy practices of any company handling EU citizens’ data, whether or not that company is located in the EU. Because the EU’s 28 member states together represent the world’s largest economy and the top trading partner for 80 countries, many companies around the globe buy and sell goods to EU citizens and are thus subject to the GDPR.

One of the GDPR’s requirements is that public authorities and certain companies processing personal data on a “large scale” must have a data protection officer. Further, the DPO position, by law “independent” from the organization that funds it, is unique in many ways and may be particularly foreign to those working in economies outside the EU. As organizations globally look to come into compliance with the GDPR, they will have to make certain decisions about who will fill the role, to whom that role will report, and how that role will operate inside the organization.

And a lot of organizations will have to do that calculus: Earlier this year, an IAPP study conservatively estimated that, once the GDPR takes effect, at least 28,000 DPOs will be needed in Europe and the United States alone. Applying a similar methodology, we now estimate that as many as 75,000 DPO positions will be created in response to the GDPR around the globe.

Background

The DPO requirement is borrowed from a similar program Germany has had in place for a decade, and other economies, including France and Sweden, for example, have the concept of the DPO well established. Still, it’s a new concept almost everywhere outside the EU and is bound to generate some confusion.

Article 37 of the General Data Protection Regulation requires controllers (those who collect and “own” the data) and processors (generally, third party vendors) of personal information to designate a data protection officer when:

(a) The processing is carried out by a public authority or body (except courts); or

(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.

Methodology

Using publicly available statistics from Eurostat, we calculated the approximate number of large EU enterprises (those with >250 employees, by the EU’s definition) in each of 13 non-financial industry sectors: mining and quarrying; manufacturing; electricity, gas, steam and air conditioning supply; water supply, sewerage, waste management and remediation; construction; wholesale and retail trade, repair of motor vehicles; transportation and storage; accommodation and food service activities; information and communication; real estate activities; professional, scientific and technical activities; administrative and support service activities; and repair of computers and personal and household goods.

To be conservative in our estimates, we excluded all micro, small, and medium-sized companies, even though many of them will engage in the large-scale monitoring or processing of sensitive data.

We then made a number of calculated assumptions:

  • We assumed that any company with at least 5,000 employees would process and monitor human resource data on a “large scale” and would thus need a DPO for such processing. Going by average employee data supplied by Eurostat, we determined roughly 15 percent of all large enterprises had at least 5,000 employees.
  • We also assumed that, due to the data-intensive nature of their operations, for the following industry categories up to 50 percent of large companies would need a DPO: transportation and storage (e.g. airlines); accommodation and food service (e.g. hotels); and professional, scientific and technical activities (e.g. accounting firms).
  • Finally, we assumed 100 percent of the large enterprises in “information and communication” would need a DPO.

Based upon these assumptions, we estimated that 11,790 non-financial, private-sector enterprises in the EU would require a DPO under the GDPR.

We further decided that 100 percent of all financial institutions (7,226) and life insurance enterprises (535) would require a DPO due to the nature of their business.

For public authorities, according to a 2010 report on Public Employment in EU Member States, there were around 19,000,000 public administration employees in the EU. At an average of 1,000 employees per agency — the average size of a “large” private enterprise in the EU — that amounts to 19,000 large public agencies across the EU, each of which will need a DPO and will be too large to be covered by a DPO at a parent agency. We can assume some sharing among them — conservatively, one DPO for every five agencies — for a total of approximately 4,000 DPOs required in the public sector.

We assumed that many U.S. companies obliged to comply with the GDPR would also require a DPO, and of those companies we assumed that those that self-certified under the Safe Harbor (4,500) likely do not have an EU subsidiary and thus are not likely to be counted already as EU enterprises. As we discovered in the IAPP-EY Annual Privacy Governance Report, moreover, only 50 percent of companies that expect to comply with the GDPR were Safe Harbor participants, signaling that the number of U.S. companies that would be obliged to comply is on the order of 9,000.

Now, to extend the requirement to the rest of the globe: If the U.S. comprises 17.1 percent of Europe’s global trade and requires 9,000 DPOs, we can then calculate how many DPOs other major European trading partners will likely require, using the amount of trade as a rule of thumb. Following are the projected DPO requirements for each of the top 10 European trading partners, as well as for a few other countries that have been active in data protection regulation:

DPO Positions Needed for Top 10 EU Trading Partners

US: 9,000
China: 7,568
Switzerland: 3,682
Russia: 3,068
Turkey: 2,045
Norway: 1,790
Japan: 1,688
South Korea: 1,330
India: 1,125
Brazil: 972

DPO Positions for Other Common Trading Partners

Canada: 920
Mexico: 767
Hong Kong: 715
Singapore: 715
Australia: 613
Israel: 460
Morocco: 460
Argentina: 255
New Zealand: 237
Uruguay: 51

Looking Forward

Where will these 75,000 DPOs come from? Many companies remain in a wait-and-see mode. The European Union’s group of privacy regulatory agencies, the Article 29 Working Party, has said it will release guidance regarding compliance with the mandatory data protection officer role starting in December of this year.

However, the IAPP does now have preliminary data on how companies are preparing. In a study conducted with TRUSTe, also being released here at the Data Protection Conference in Brussels, the IAPP has found that four in 10 companies plan to make their current privacy leader their DPO. Another 50 percent say they will appoint someone on the privacy leader’s team or train up someone already within the organization. Fewer than 10 percent report that they will have to hire from outside the company or outsource the role to a law firm or consultancy.

Further, they are erring on the side of caution. Eighty percent of respondents said they would appoint a DPO to comply with the GDPR.

However, it must be noted the study was conducted with respondents known already to the IAPP, both members and others who subscribe to the organization’s daily newsletter. There will undoubtedly be some variation in how average companies around the world comply, especially if they have not yet set up a formal privacy office of some kind.

Privacy remains “new” in many parts of the world. But even where it is more firmly established, organizational privacy departments are still relatively recent inventions. As we learned in the 2016 IAPP-EY Privacy Governance Report, the average privacy office is just over six years old, and even those that report themselves “mature” average just over 11 years in existence.

For those mature programs, the DPO requirement of the GDPR should present little problem. For those just getting up to speed, it may present more of an operational hurdle.

Note: According to the European Data Protection Supervisor’s paper on “Professional Standards for Data Protection Officers,” the most relevant certification for a DPO is “the one provided by the International Association of Privacy Professionals.” Similarly, Eric Lachaud, in his article “Should the DPO Be Certified?,” for Oxford University’s International Data Privacy Law journal, reaches the conclusion that the most appropriate certification for the DPO is a combination of the IAPP’s Certified Information Privacy Professional credential for EU professionals (CIPP/E) and Certified Information Privacy Manager (CIPM). The IAPP also offers the Certified Information Privacy Technologist (CIPT) credential, as well as a version of the CIPP for the United States, and one for Canada and the U.S. federal government.

The CIPP/E, CIPP/US, CIPM, and CIPT credentials are certified under ISO standard 17024:2012.

Written By

Rita Heimes, CIPP/US

Sam Pfeifle
