Now into its second year, GDPR made sweeping changes to data protection rules, one of which was the requirement for public bodies, or organisations that carry out certain types of data processing activities to appoint a Data Protection Officer (DPO).
According to the Information Commissioner’s Office (ICO), the role of a DPO is to “assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.” The duty was placed on organisations to ensure they appointed a designated and independent employee to lead and demonstrate internal compliance and to inform and advise on data protection obligations, amongst other things. Before the arrival of GDPR, the DPO role was rather niche, with Germany and the Philippines the only countries in the world with mandatory DPO laws. Even before it came into effect, GDPR was expected to transform that situation, and in 2017 the International Association of Privacy Professionals (IAPP) estimated that GDPR would significantly increase the need for DPOs, creating a requirement for around 75,000 new DPOs worldwide across both the private and public sectors, around 28,000 of them in Europe.
As it turned out, that was a major under-estimation and the latest figures collected by the IAPP show there are, in fact, something like half a million DPOs registered in private and public-facing organisations across the 26 countries of the European Economic Area (EEA). That equates to more than six times the original estimate.
Across Austria, Bulgaria, Denmark, Finland, France, Germany, Ireland, Italy, the Netherlands, Spain, Sweden and the United Kingdom, there were 376,306 DPO registrations and the IAPP extrapolated that figure and applied it to estimate the number of DPOs in the remaining EEA countries.
This data shows a very positive change in the number of DPOs, but the exact number of DPOs in some places is tough to pin down with absolute certainty. For example, some organisations use external DPOs, meaning one individual can work with multiple organisations simultaneously, which skews the figures. A case in point comes from Caitlin Fennessy, a Certified Information Privacy Professional with the IAPP. She has pointed out that in France, for instance, there are almost 52,000 organisations with a registered DPO, but the actual number of individual DPOs in the country is around 18,000. We can be confident that there are significantly more DPOs than before GDPR arrived, but the actual figures are somewhat nebulous in nature.
Are DPOs making organisations more secure?
So, what effect has the growth in DPO posts had on data security and protection? It is still relatively early days, but there is some data available that offers guidance. A February 2019 survey found that there had been over 59,000 data breaches reported to data protection authorities across the EEA since the regulation came into effect. The Netherlands, Germany and the UK reported 15,400, 12,600 and 10,600 breaches respectively, each of which represented a significant increase on previous years and evidence that GDPR is having a significant impact on the levels of breach reporting.
This is also beginning to translate into enforcement action, and recently, there have been some very high-profile data breach penalties announced by the ICO. In just one week in early July this year, the ICO eclipsed its previous track record by handing out a fine of £183 million to British Airways (about 1.5 per cent of their 2017 income). A few days later, Marriott was given a £99 million penalty – that’s about 3 per cent of their 2018 revenue. Given that GDPR non-compliance fines can be imposed at up to 4 per cent of annual global revenue for the organisation in question, there’s scope for penalties to hit future offenders even harder.
By any measure, since GDPR came into effect, the number of registered DPOs has risen far more than anyone expected. What we can take from this is that many organisations out there are taking their responsibilities under GDPR seriously, as also evidenced by the significant rise in breaches being reported since it came into force. It remains to be seen whether the high-profile penalty notifications we’ve seen this year are the shape of things to come, but at the moment, it certainly seems as if the data protection tide has turned.
Tim Bandos, VP of Cybersecurity, Digital Guardian