According to the IAPP, an estimated half a million organizations registered data protection officers across Europe in 2019. The emergence of this new role, which was imposed by the GDPR, put a lot of pressure on organizations to instigate much-needed changes in their organizational structure to create a space for a DPO, and not without a struggle.
Privacy professionals were appointed under time constraints, in organizations that weren’t properly prepared for the role, without a defined budget, and most of the time without a clear vision of where the DPO should sit in the organizational structure. Ultimately this caused a lot of problems and challenges for the DPO later on.
Although not all organizations responded to the challenge equally, due to the specifics of their industry, different levels of GDPR readiness, data protection awareness, or any number of other reasons, two years into the GDPR, all DPOs share at least one of the following challenges:
1. Lack of support from key stakeholders
2. Lack of cooperation with other organizational units
3. Lack of personnel
4. Budget squeeze
5. Lack of independence
6. Lack of DPO tools
7. Lack of judicial practice
1. Lack of support from key stakeholders
One of the most demanding challenges most DPOs are facing is a lack of proper support from key stakeholders in the organization. In order to overcome this challenge, the DPO will have to rely on lobbying and creating relationships within the company.
As we mentioned in our blog on privacy governance models, key stakeholders are the organizational roles on whose engagement the success of the privacy program depends – the CMO, the head of IT, the board, or business owners.
The DPO cannot operate without those key figures in ensuring air-tight compliance. In the absence of their support, the DPO can expect difficulties when trying to implement privacy procedures or defend the proposed privacy budget. That is why the DPO will have to persuade stakeholders to support their agenda.
If top management did not properly set the stage for the DPO in terms of their position within the organization, overcoming this challenge becomes that much more difficult.
Properly introducing key stakeholders to the importance of data protection within the organization, and underlining the benefits they can expect in their own field of interest, can turn them into allies. If you want to create support for your privacy program, you can read more in our DPO guide.
2. Lack of cooperation with other organizational units
There are a lot of things on your plate when you are a DPO: from monitoring compliance with data protection laws and cooperating with the supervisory authority to handling complaints and providing advice. It is unreasonable to expect one person to do everything!
That is why the division of responsibilities and cooperation with other organizational units is crucial. Different organizational units need to cooperate with the DPO to identify personal data collection points and data processing activities. Updating their procedures and educating personnel on data protection policies directly related to their everyday tasks is another important task.
However, it is not uncommon for a DPO to encounter resistance when trying to push new policies and new organizational culture to already established parts of the organization.
If you are experiencing a complete absence of cooperation, a proper boost from top management can help immensely. Giving the DPO the authority to assign tasks, autonomy in decision making, and genuine support for the privacy program will advance cooperation.
Once you manage to establish the cooperation, if the technical requirements are in place, the DPO will have a better overview of all processing activities while delegating the execution of tasks to different organizational units.
3. Lack of personnel
It is no secret that the privacy market has gone through a talent crisis. We mentioned this as one of the 7 data privacy trends for 2020 at the beginning of the year. The GDPR requirement to appoint a DPO depleted the market of resources that were scarce to begin with, and it has become quite a challenge for a DPO to find the right people and assemble a privacy team.
The lack of talent is just one of the possible reasons why DPOs despair when it comes to assembling the team. Lack of budget is another important show stopper, but the size of the company and the specifics of the industry will also dictate the number of employees in the privacy team.
According to IAPP research, a lot of DPOs do not have full-time privacy staff. Staff who devote part of their time to privacy outnumber full-time staff by a ratio of about 2:1.
One of the ways the DPO can tackle this challenge is by providing in-house training and delegating administrative tasks to other departments to share the workload.
4. Budget squeeze
Insufficient budget is a challenge that most heads of department are facing. There never seems to be enough understanding of the needs of an organizational unit, especially when the department is not core business.
Nonetheless, the DPO is expected to handle the supervisory authorities, lead in-house training, oversee compliance, implement procedures and technology, and handle complaints with ease.
In total, 62% of privacy professionals feel their privacy budget is insufficient to meet their obligations.
Although privacy spend decreased in 2019 compared to 2018 (the year the EU General Data Protection Regulation came into effect), some research shows a shift in the perception of data privacy.
Organizations are moving away from merely aligning with regulatory requirements to seeing data privacy as a strong risk mitigator and added value to the core business of the organization, and therefore plan to increase their data privacy spend.
This is mostly happening because companies who invested in their privacy programs are seeing real results, as stated in the Cisco Data Privacy Benchmark Study 2020:
Most organizations are seeing very positive returns on their privacy investments, and more than 40% are seeing benefits at least twice that of their privacy spend.
5. Lack of independence
Having a DPO who receives instructions on how to resolve issues related to data processing, does not have the necessary resources, is directed on how to resolve investigations, or is not independent in performing their tasks means an organization is undermining its privacy program and directly violating GDPR Article 38.
The reason the GDPR insists on DPO independence is the recognition that the DPO plays a crucial part in ensuring compliance with the Regulation.
That is why the DPO should enjoy some sort of job security. The IAPP states that this does not mean the DPO enjoys permanent job security or tenure. The DPO can be disciplined or even terminated for other legitimate reasons, such as disciplinary turpitude, but the DPO cannot be penalized for carrying out their duties.
If you find yourself in a situation like this, don’t be shy, kindly remind the management of the GDPR requirements and your position and tasks defined in the decision on your appointment.
6. Lack of DPO tools
Most DPOs have a vision of where they want to take their privacy program and of the steps that need to be taken to achieve it. However, the struggle is mostly with technical execution. It becomes increasingly difficult to administer and propagate data protection rules across the organization’s systems, monitor GDPR compliance, keep compliant records of processing activities, and maintain an overview of all data processing practices.
As we mentioned in our guide, one of the tasks of a DPO is to advise on the selection of methodology and other technical solutions for privacy program implementation, such as a records of processing activities platform, risk assessment tools, data protection impact assessment (DPIA) tools, software for legitimate interest assessments or for managing data subject access requests, and others.
In a recent study by FTI Consulting, 68% of respondents rated systems and technology as very effective for data privacy compliance.
If your organization requires the use of DPO tools, and publicly available templates are not good enough to meet your needs, opt for one of the advanced technical solutions.
7. Lack of judicial practice
Given that the GDPR came into force only 2 years ago, and only 273 fines have been issued so far, there are not many legal decisions that could help the DPO in interpreting the provisions of the GDPR.
Although the DPO cannot influence how judicial practice will evolve, they are required to carefully consider every decision they make and exercise extra caution. Interpreting the GDPR can be tricky, since some terms are not thoroughly elaborated, while some articles can be interpreted in more than one way.
However, there are guidelines and best practices issued by national supervisory authorities that can help when making decisions in your organization.
Stay informed on what is going on in the world of data privacy by attending conferences and subscribing to newsletters from different privacy portals that bring the news to your inbox. Join LinkedIn groups to follow the news and be a part of the community.
How happy are Privacy Professionals?
When we sum up all the DPO challenges, it can seem a pretty thankless role to fill. However, in the IAPP’s first-ever “happiness indicator,”
“33% of privacy professionals assigned the highest satisfaction score to their jobs (“very satisfied”), with another 49% selecting the next highest score (“satisfied”). Only 8% said they were either unsatisfied or very unsatisfied.”
So, all in all, we can assume privacy professionals are enjoying their sudden increase in demand over the past couple of years. Nonetheless, that does not mean they have an easy task ahead. It will probably take a few years for this new role to settle into the organizational organigram; however, things are looking up.
Still, the DPO should be relentless in their efforts to secure their independence, fight for their budget, and educate top management, and a little bit of cockiness is desirable. Leave the persona of critic or inspector behind and start forming alliances, which has proved to be crucial.