EU law will require 75,000 data protection officers by 2018
Thu 10 Nov 2016
The introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018 will require the provision of 75,000 data protection officers in companies worldwide, according to the latest estimates from the International Association of Privacy Professionals (IAPP).
The Regulation, which is to cover the handling of EU citizen data by any global government agency or company, will stipulate that an organisation processing ‘large scale’ personal data must have a data protection officer (DPO). The officer must also be ‘independent’ from the company that funds the position.
Earlier in the year, an IAPP report predicted that close to 28,000 DPOs would be required in Europe and the U.S. alone. Now, the privacy association has released a figure closer to 75,000 for new DPO positions.
The group’s research estimated that around 50% of major EU companies would need a DPO in the fields of transportation and storage; accommodation and food; and professional, scientific and technical activities. It also predicts that 100% of large ‘information and communication’ companies in the EU will require a DPO.
The association excluded micro, small, and medium-sized companies, despite many of these engaging in ‘large scale’ data processing.
The DPO stipulation mirrors a similar regulation in Germany, which has had an established DPO framework for the last ten years. France and Sweden also have similar concepts, but the DPO role has never really extended outside of Europe.
The GDPR requires that the DPO be ‘designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.’ Responsibilities will include regulatory compliance tasks, training of staff around proper data handling, and coordinating with supervisory boards. The officer must also demonstrate the ability to understand and balance data protection risks.
According to preliminary IAPP research, four out of ten companies affected by the GDPR plan to make their current privacy officer their new DPO. A further 50% said that they would be appointing a member of their existing privacy team, or training up another individual from within their organisation.