Study: GDPR's global reach to require at least 75,000 DPOs worldwide
Enter The EU's General Data Protection Regulation will take effect in May 2018. Under its own terms, the Regulation governs the privacy practices of any company handling EU citizens' data, whether or not that company is located in the EU. Because the EU's 28 member states together represent the world's largest economy and the top trading partner for 80 countries, many companies around the globe buy and sell goods to EU citizens and are thus subject to the GDPR.
One of the GDPR's requirements is that public authorities and certain companies processing personal data on a "large scale" must have a data protection officer. Further, the DPO position, by law "independent" from the organization that funds it, is unique in many ways and may be particularly foreign to those working in economies outside the EU. As organizations globally look to come into compliance with the GDPR, they will have to make certain decisions about who will fill the role, to whom that role will report, and how that role will operate inside the organization.
And a lot of organizations will have to do that calculus: Earlier this year, an IAPP study conservatively estimated that, once the GDPR takes effect, at least 28,000 DPOs will be needed in Europe and the United States alone. Applying a similar methodology, we now estimate that as many as 75,000 DPO positions will be created in response to the GDPR around the globe.
The DPO requirement is borrowed from a similar program Germany has had in place for a decade, and other economies, including France and Sweden, for example, have the concept of the DPO well established. Still, it's a new concept almost everywhere outside the EU and is bound to generate some confusion.
Article 37 of the General Data Protection Regulation requires controllers (those who collect and "own" the data) and processors (generally, third party vendors) of personal information to designate a data protection officer when:
(a) The processing is carried out by a public authority or body (except courts); or
(b) The controller's or processor's "core activities" require "regular and systematic monitoring of data subjects on a large scale" or consist of "processing on a large scale of special categories of data."
A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be "designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices" and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.
Using publicly available statistics from Eurostat, we calculated the approximate number of large EU enterprises (those with >250 employees, by the EU's definition) in each of 13 non-financial industry sectors: mining and quarrying; manufacturing; electricity, gas, steam and air conditioning supply; water supply, sewerage, waste management and remediation; construction; wholesale and retail trade, repair of motor vehicles; transportation and storage; accommodation and food service activities; information and communication; real estate activities; professional, scientific and technical activities; administrative and support service activities; and repair of computers and personal and household goods.
To be conservative in our estimates, we excluded all micro, small, and medium-sized companies, even though many of them will engage in the large-scale monitoring or processing of sensitive data.
We then made a number of calculated assumptions:
- We assumed that any company with at least 5,000 employees would process and monitor human resource data on a "large scale" and would thus need a DPO for such processing. Going by average employee data supplied by Eurostat, we determined roughly 15 percent of all large enterprises had at least 5,000 employees.
- We also assumed that, due to the data-intensive nature of their operations, for the following industry categories up to 50 percent of large companies would need a DPO: transportation and storage (e.g. airlines); accommodation and food service (e.g. hotels); and professional, scientific and technical activities (e.g. accounting firms).
- Finally, we assumed 100 percent of the large enterprises in "information and communication" would need a DPO.
Based upon these assumptions, we estimated that 11,790 non-financial, private-sector enterprises in the EU would require a DPO under the GDPR.
We further decided that 100 percent of all financial institutions (7,226) and life insurance enterprises (535) would require a DPO due to the nature of their business.
For public authorities, according to a 2010 report on Public Employment in EU Member States, there were around 19,000,000 public administration employees in the EU. At an average of 1,000 employees per agency - the average size of a "large" private enterprise in the EU - that amounts to 19,000 large public agencies across the EU, which will need a DPO and be too large to be covered by a DPO at a senior agency. We can assume some sharing among them - conservatively one DPO for every five agencies - for a total of approximately 4,000 DPOs required in the public sector.
We assumed that many U.S. companies obliged to comply with the GDPR would also require a DPO, and of those companies we assumed that those who self-certified under the Safe Harbor (4,500) are likely not to have an EU subsidiary and thus not likely to be counted already as an EU enterprise. As we discovered in the IAPP-EY Annual Privacy Governance Report, moreover, only 50 percent of companies that expect to comply with the GDPR were Safe Harbor participants, signaling that the number of US companies that would be obliged to comply is on the order of 9,000.
Now, to extend the requirement to the rest of the globe: If the U.S. comprises 17.1 percent of Europe's global trade, and requires 9,000 DPOs, we can then calculate how many DPOs other major European trading partners will likely require, using the amount of trade as a rule of thumb. Following is the projected DPO requirements for each of the top 10 European trading partners, as well as a few other countries that have been active in data protection regulation:
DPO Positions Needed for Top 10 EU Trading Partners
DPO Positions for Other Common Trading Partners
Where will these 75,000 DPOs come from? Many companies remain in a wait-and-see mode. The European Union's group of privacy regulatory agencies, the Article 29 Working Party, has said it will release guidance regarding compliance with the mandatory data protection officer role starting in December of this year.
However, the IAPP does now have preliminary data on how companies are preparing. In a study conducted with TRUSTe, also being released here at the Data Protection Conference in Brussels, the IAPP has found that four in 10 companies plan to make their current privacy leader their DPO. Another 50 percent say they will appoint someone on the privacy leader's team or train up someone already within the organization. Fewer than 10 percent report that they will have to hire from outside the company or outsource the role to a law firm or consultancy.
Further, they are erring on the side of caution. Eighty percent of respondents said they would appoint a DPO to comply with the GDPR.
However, it must be noted the study was conducted with respondents known already to the IAPP, both members and others who subscribe to the organization's daily newsletter. There will undoubtedly be some variation in how average companies around the world comply, especially if they have not yet set up a formal privacy office of some kind.
Privacy remains "new" in many parts of the world. But even where it is more firmly established, organizational privacy departments are still relatively recent inventions. As we learned in the 2016 IAPP-EY Privacy Governance Report, the average privacy office is just more than six years old, and even those that report themselves "mature" average just over 11 years in existence.
For those mature programs, the DPO requirement of the GDPR should present little problem. For those just getting up to speed, it may present more of an operational hurdle.
Note: According to the European Data Protection Supervisor's paper on "Professional Standards for Data Protection Officers," the most relevant certification for a DPO is "the one provided by the International Association of Privacy Professionals." Similarly, Eric Lachaud, in his article "Should the DPO Be Certified?," for Oxford University's International Data Privacy Law journal, reaches the conclusion that the most appropriate certification for the DPO is a combination of the IAPP's Certified Information Privacy Professional credential for EU professionals (CIPP/E) and Certified Information Privacy Manager (CIPM). The IAPP also offers the Certified Information Privacy Technologist (CIPT) credential, as well as a version of the CIPP for the United States, and one for Canada and the U.S. federal government.
The CIPP/E, CIPP/US, CIPM, and CIPT credentials are certified under ISO standard 17024:2012.