It’s no wonder that GDPR is the reason behind the rising number of Data Protection Officers (DPOs). Across Europe, GDPR made it obligatory for organisations to hire a DPO so that the processing of personal data can take place safely.
The changes brought in by GDPR are still being felt two years on from its implementation. One of these changes was the requirement for certain organisations to appoint a DPO, but only if they satisfy the requirements under the law.
According to the Information Commissioner’s Office (ICO), the role of a DPO is to:
“assist you to monitor internal compliance, inform and advise on your data protection obligations. He provides advice regarding Data Protection Impact Assessments (DPIAs). And, act as a contact point for data subjects and the supervisory authority.”
So, the duty imposed on organisations is to make sure they have appointed an independent employee to demonstrate internal compliance and inform or advise on data protection obligations.
Before GDPR, the DPO role was relevant only in Germany and the Philippines, because these are the only two countries with mandatory DPO laws.
Before it came into effect, GDPR was expected to transform the situation.
In 2017, the International Association of Privacy Professionals (IAPP) expected that GDPR would create a need for around 75,000 new DPOs across both the private and public sectors.
It also estimated that, of those 75,000 Data Protection Officers, 28,000 would be needed in Europe.
But this was a major underestimate, as the IAPP made clear with its latest figures: almost half a million DPOs are registered in the private and public sectors across the 26 countries of the European Economic Area (EEA).
This is more than six times the original estimate.
Across Austria, Bulgaria, Denmark, Finland, France, Germany, Ireland, Italy, the Netherlands, Spain, Sweden and the United Kingdom, there are 376,306 DPO registrations; the IAPP extrapolated from that figure to estimate the number of DPOs in the remaining EEA countries.
The data shows a positive change in the number of Data Protection Officers. However, it is quite tough to pin down the exact number of DPOs in some places.
For instance, a few organisations hire external DPOs, meaning a single person works simultaneously with multiple organisations.
Caitlin Fennessy, a Certified Information Privacy Professional with the IAPP, highlighted that around 52,000 organisations in France have a registered DPO, whereas the actual number of DPOs was around 18,000.
It reflects that there are definitely more DPOs appointed than before the arrival of GDPR.
Are DPOs making organisations more secure?
The question this raises is whether Data Protection Officers are making organisations more protected than before.
A survey from February 2019 showed that 59,000 data breaches had been reported to data protection authorities across the EEA since the regulation came into force.
The Netherlands, Germany and the UK reported 15,400, 12,600, and 10,600 breaches, respectively.
Each of these represented a significant increase on previous years. It is also evidence that the GDPR has impacted data breach reporting levels.
Lately, the ICO announced some very high-profile data breach penalties. Within a week in July 2019, the ICO broke its previous records by imposing a fine of £183 million on British Airways, around 1.5% of its income in 2017.
Following this, the International Marriott Hotels chain was handed a £99 million penalty, almost 3 percent of its 2018 revenue.
Since fines imposed under GDPR can go up to 4 percent of an organisation's annual revenue, there is scope for future penalties to hit offenders harder than before.