7 Data Protection Officer (DPO) challenges

According to the IAPP, an estimated half a million organizations registered data protection officers across Europe in 2019.

The emergence of this new role, imposed by the General Data Protection Regulation (GDPR), puts a lot of pressure on organizations to instigate much-needed changes in their organizational structure and to create a space for a Data Protection Officer.

Privacy professionals were appointed under time constraints in organizations that weren’t prepared for the role, without a defined budget, and most of the time without a clear vision of where the DPO should be in the organizational structure.

Although not all organizations responded to the challenge equally due to the specifics of their industry, different levels of GDPR readiness, or any other number of reasons, all DPOs have at least one challenge in common.

1. Lack of support from key stakeholders

One of the most demanding challenges most DPOs face is a lack of proper support from key organizational stakeholders. To overcome this challenge, the DPO will have to rely on lobbying and creating relationships within the company.

As we mentioned in our blog on privacy governance models, key stakeholders are organizational roles crucial for the privacy program’s success – the CMO, Head of IT, the Board, or business owners.

The DPO cannot operate without those key figures to ensure air-tight compliance. Without their support, the DPO can expect difficulties when implementing privacy procedures or defending the proposed privacy budget.

That is why the DPO will have to persuade stakeholders to support their agenda. If the top management did not properly set up the stage for a DPO in terms of the position within the organization, overcoming this challenge becomes that much more difficult.

Properly introducing key stakeholders to the importance of data protection within the organization and underlining the benefits they can expect in their field of interest can turn them into allies. If you want to create support for your privacy program, you can read more in our DPO guide.

2. Lack of cooperation with other organizational units

There are many things on your plate when you are a DPO, from monitoring compliance with the data protection laws and cooperation with the supervisory authority to handling complaints and providing advice.

It is unreasonable to expect one person to do everything!

The division of responsibilities and cooperation with other organizational units is crucial.

Different organizational units need to cooperate with the DPO to identify personal data collection points and data processing activities.

Updating their procedures and educating personnel on data protection policies directly related to their everyday tasks is another important task.

However, it is not uncommon for a DPO to encounter resistance when pushing new policies and organizational culture to already established parts of the organization.

If you are experiencing a complete absence of cooperation, a proper boost from the top management can help immensely. Giving a DPO the authority to appoint tasks, decision-making autonomy, and genuinely supporting the privacy program will advance cooperation.

Once you establish the cooperation, if the technical requirements are in place, the DPO will have a better overview of all processing activities while delegating the execution of tasks to different organizational units.

3. Lack of personnel

It is no secret that the privacy market has gone through a talent crisis. We mentioned this as one of the 7 data privacy trends for 2020 at the beginning of the year.

GDPR’s requirement to appoint a DPO depleted the market of scarce resources, to begin with, and it has become quite a challenge for a DPO to find the right people and assemble the privacy team.

The lack of talent is just one of the possible reasons why DPOs despair when it comes to assembling the team.

Lack of the budget is another important show-stopper. Still, the company’s size and the specifics of the industry will also dictate the number of employees in the privacy team.

According to IAPP research, many DPOs do not have full-time privacy staff. Staff who devote part of their time to privacy outnumber full-time staff by a ratio of about 2:1.

One of the ways the DPO can tackle this challenge is by in-house training, delegating administrative tasks to other departments, and sharing the workload.

4. Budget squeeze

An insufficient budget is a challenge that most department heads face. There never seems to be enough understanding of the needs of an organizational unit, especially when the department is not a core business.

Nonetheless, the DPO is expected to handle the supervisory authorities, lead in-house training, oversee compliance, implement procedures and technology, and easily handle complaints.

 

Figure: Results of IAPP research on data privacy budget

In total, 62% of privacy professionals feel their privacy budget is insufficient to meet their obligations.

Although privacy spend has shown a decrease in 2019 when compared to 2018 (the year of EU General Data Protection Regulation enforcement), some researchers are showing a shift in the perception of data privacy.

Organizations are moving away from merely aligning with regulatory requirements to seeing it as a great risk mitigator and added value to the organization’s core business, and therefore, plan to increase their data privacy spending.

This is mostly happening because companies who invested in their privacy programs are seeing real results:

Most organizations are seeing very positive returns on their privacy investments, and more than 40% are seeing benefits at least twice that of their privacy spend.

5. Lack of independence

Having a DPO that receives instruction on how to resolve issues related to data processing; does not have the necessary resources; is directed on how to resolve investigations; and is not independent in performing their tasks means an organization is undermining the privacy program and directly violating GDPR Article 38.

The reason GDPR insists on DPO independence is the recognition that the DPO plays a crucial part in ensuring compliance with the Regulation.

That is why DPOs should enjoy some job security. IAPP states that this does not mean the DPO enjoys permanent job security or tenure.

A DPO can be disciplined or even terminated for other legitimate reasons, such as disciplinary turpitude, but DPOs cannot be penalized for carrying out their duties.

Don’t be shy if you find yourself in a situation like this. Kindly remind the management of the GDPR requirements and your position and tasks defined in the decision on your appointment.

6. Lack of DPO tools

Most DPOs have a vision of where they want to take their privacy program and the steps needed to achieve it. However, the struggle is mostly with technical execution.

It becomes increasingly difficult to administer and propagate data protection rules across the organizations’ systems, monitor GDPR compliance, keep compliant records of processing activities, and have an overview of all data processing practices.

As we mentioned in our guide, one of the tasks of a DPO is to advise on the selection of methodology and other technical solutions for privacy program implementation, such as a records of processing activities platform, risk assessment tools, data protection impact assessment (DPIA) tools, software for legitimate interest assessments or for managing data subject access requests, and others.

68% of respondents rated systems and technology as very effective for data privacy compliance in a recent study by FTI Consulting.

If your organization requires DPO tools and publicly available templates are not good enough to meet your needs, opt for one of the advanced technical solutions.

When considering purchasing GDPR software, most professionals rely on independent evaluations from trusted research companies like Forrester or Gartner.

7. Lack of judicial practice

Given that the GDPR came into force relatively recently, and only about 600 fines have been issued so far, there are not many legal decisions that could help the DPO interpret the provisions of the GDPR.

Although DPOs cannot influence how judicial practice will evolve, they are required to carefully consider every decision they are making and exercise extra caution.

The interpretation of the GDPR can be tricky since some terms are not thoroughly elaborated, while some articles can be interpreted in more than one way.

However, there are guidelines and best practices issued by national supervisory authorities that can help when making decisions in your organization.

Stay informed on what is going on in the world of data privacy by attending conferences and subscribing to newsletters from different privacy portals that will bring news to your inbox and keep you informed.

Join LinkedIn groups to follow the news and be a part of the community.

How happy are Privacy Professionals?

It can seem like a pretty ungrateful role when we sum up all DPO challenges. However, in the IAPP’s first-ever “happiness indicator,”

“33% of privacy professionals assigned the highest satisfaction score to their jobs (“very satisfied”), with another 49% selecting the next highest score (“satisfied”). Only 8% said they were either unsatisfied or very unsatisfied.”

So, all in all, we can assume privacy professionals are enjoying their sudden increase in demand in the past couple of years.

Nonetheless, it does not mean they have an easy task to face. It will probably take a few years for this new role to settle in the organizational organigram; however, things are looking up.

Still, the DPO should be relentless in their efforts to secure their independence, fight for their budget, and educate top management, and a little bit of cockiness is desired.

Leave the persona of critic or inspector behind and start forming allies, which has proved crucial.
