GDPR ‘To Require’ 75,000 Data Protection Officers Worldwide

The EU’s General Data Protection Regulation (GDPR) may spur a hiring boom before it comes into force in early 2018, as it will require the introduction of “at least” 75,000 data protection officer (DPO) positions around the world, according to new findings.

When the regulation takes effect on 25 May 2018 it will apply not only to the EU’s 28 member states, but to any country handling EU citizens’ data – and the EU is the top trading partner for 80 countries.

Privacy regulation shift

One of the regulation’s requirements is for public authorities and companies processing personal data on a “large scale” to have a DPO, typically a lawyer with knowledge of privacy law, and the position must by law be “independent” of the organisation that funds it.

While such positions have become established in countries such as Germany, France and Sweden over the past decade, they are relatively unknown outside the EU, the International Association of Privacy Professionals (IAPP) said in a new report.

That means the regulation is likely to represent a significant undertaking for companies and organisations looking to come into compliance with it, the IAPP said.

It estimated that even within the EU roughly 11,790 non-financial, private sector enterprises would require a DPO, as well as all financial institutions (7,226) and life insurance (535) enterprises, and another 4,000 for the public sector.

The IAPP estimated about 9,000 US companies would be required to hire someone for the position.

Data protection requirements

The organisation then calculated the number of positions that would be required in other countries, based on their proportion of trade with the EU, taking the US – which represents 17.1 percent of Europe’s global trade – as a benchmark.

It found, for instance, that China would require 7,568 DPOs, Switzerland 3,682, Russia 3,068, Turkey 2,045, Norway 1,790 and Japan 1,688.

In total the IAPP estimated 75,000 DPOs positions would be required in Europe and elsewhere, which it said is a “conservative” estimate.

In a survey the company found 40 percent of respondents planned to make their current privacy leader their DPO, with another 50 percent saying they would appoint someone on the privacy leader’s team or train someone already within the organisation.

Fewer than 10 percent said they would have to hire from outside the company or outsource the role to a law firm or consultancy. Eighty percent said they would appoint a DPO to comply with the regulation.

But those figures only represent the IAPP’s own members or groups who subscribe to its newsletter, and as such are already aware of privacy issues.

Companies caught unawares

“There will undoubtedly be some variation in how average companies around the world comply, especially if they have not yet set up a formal privacy office of some kind,” the IAPP stated.

It cited a recent report that found the average privacy office has only existed for six years, with even “mature” offices having been in place for just over 11 years.

The Article 29 Working Party, the EU’s group of privacy regulatory agencies, has said it will release guidance regarding the mandatory data protection officer role beginning in December.

A June study found only 4 percent of small businesses understood the effect GDPR would have on them, whilst 82 percent of companies have either not heard of GDPR or don’t understand its impact.

UK information commissioner Elizabeth Denham said in September the regulation would come into effect before Britain leaves the European Union, acknowledging the EU referendum had thrown Britain’s data protection plans into “a state of flux”.

Why not test your knowledge of European tech pioneers and the EU’s contribution to the industry?Try our quiz!