A study by the International Association of Privacy Professionals (IAPP) has conservatively estimated that once the GDPR takes effect in May 2018, at least 28,000 data protection officers (DPOs) will be needed in Europe and the United States alone for companies to be GDPR compliant.
It went on to estimate that as many as 75,000 DPO positions will be created in response to the GDPR around the globe.
The GDPR is being hailed as a major overhaul of data protection laws, and it will now act as the regulation governing any company handling EU citizens' data, regardless of whether or not that company is located within the EU.
One of the GDPR's many requirements is that public bodies and certain companies processing personal data on a “large scale” must have a data protection officer (DPO). As companies seek to become GDPR compliant, one of the things they will have to consider is who will fill the DPO role, who the DPO will report to, and what the role's remit within their company will be.
The requirement for a DPO was inspired by a similar program that Germany has had in place for a decade, and other economies, including France and Sweden, for example, have the concept of the DPO well established.
The IAPP said, “A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be ‘designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices’ and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.”
It would appear that many companies remain in a wait-and-see mode with regard to appointing a DPO. The IAPP conducted a study with TRUSTe, being released here at the Data Protection Conference in Brussels, which found that four in 10 companies plan to make their current privacy leader their DPO.
Half of respondents said they will appoint someone on the privacy leader's team or train up someone already within the organisation. Fewer than 10 percent report that they will have to hire from outside the company or outsource the role to a law firm or consultancy.
The European Union's group of privacy regulatory agencies, the Article 29 Working Party, has said it will release guidance regarding compliance with the mandatory data protection officer role starting in December of this year.
Simon Moffatt, digital identity strategy & architecture at ForgeRock, told SCMagazineUK.com: "The GDPR will see organisations in the UK, Europe and beyond facing up to their legal obligations as data processors. The Data Protection Officer will clearly be a new position for many organisations, especially outside of Europe. Initially, this may lead to confusion and recruitment headaches, with issues such as appropriate job descriptions and being able to map them to suitably-qualified individuals."
Thomas Fischer, threat researcher and security advocate at Digital Guardian, told SC: "The IAPP study is based on the size of the company and the verticals that are most likely to be storing private personal data. While IAPP admit the 75,000 is a minimum, this number is very likely to grow. It actually seems to be somewhat conservative, and could be underestimating the amount of personal data that will be covered by GDPR. The DPO is also very similar to the 'privacy officer' role that some companies have implemented to manage Safe Harbour compliance. We may find that these roles are merged into one."