by Bharat Mistry
New figures from jobs site Indeed this week reveal that vacancies for Data Protection Officers (DPOs) have soared by 709% in the two years since the EU General Data Protection Regulation (GDPR) was ratified. It’s a shame that, with so long to prepare, organisations are only now wising up to the implications of the region-wide privacy law. Our own research has shown that many other areas of investment are also lacking.
What are needed most now are cool heads and a long-term, strategic approach to GDPR compliance. Racing to finish before the May 25 deadline could lead to mistakes and gaps which may cause more harm than good. Think of this as a continuous process, not a one-off Y2K-style effort.
The role of the DPO
The Data Protection Officer is one of the key elements of any GDPR compliance programme. According to the ICO, one is required if you are a public authority, if your core activities require “large scale, regular and systematic monitoring of individuals”, or if your core activities include “large scale processing of special categories of data or data relating to criminal convictions and offences.” DPOs are responsible for a range of key activities including monitoring internal compliance, advising on privacy impact assessments and data protection obligations, and acting as an interface with the ICO.
As such, it’s no surprise there’s been a spike in demand. The number of candidates looking for these roles has also jumped significantly over the past two years, by 297%, according to Indeed. Their average UK salary of £47,483 is nearly double the average UK wage of £27,600. But with possible fines of up to 2% of global annual turnover (or €10m, whichever is higher) for failing to appoint a DPO, the clock is clearly running out. There have even been reports of vendors offering virtual DPO services to fill the shortfall.
The bigger picture
In many ways, this last-minute rush to find a DPO is symptomatic of a wider failure of firms to prepare for the coming regulation. Government research from earlier this year claimed that only 38% of UK businesses have even heard of the new law. This chimes with our own global poll, which reveals that under a third (31%) of organisations have invested in encryption — a key technology mentioned by name in the GDPR. In total, just half (51%) said they have increased security investments to help with compliance, despite a quarter complaining that “lack of sufficient IT security protection” (25%) and a “lack of efficient data security” (24%) are the biggest challenges to compliance efforts.
Also, less than two-thirds (63%) of global organisations said they have a breach notification process in place for their customers. A fifth said their process will only notify the authorities, despite the GDPR requiring that affected individuals also be informed where a breach is likely to put their rights and freedoms at high risk.
The good news is that the ICO is not in the mood to hand out gigantic fines from day one — it will reserve these as a last resort. Organisations should therefore be looking at the regulation as an opportunity to improve data management, build closer relationships with their customers and differentiate on privacy and security. CISOs could even tap this as a golden opportunity to secure funding for advanced threat detection and monitoring tools, as part of a layered approach to cybersecurity.
Most importantly, as the ICO has reiterated many times, preparations for the GDPR must not be treated as a one-off compliance effort. “You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018,” information commissioner Elizabeth Denham has said. While the ICO’s measured approach to enforcement might buy you extra time in the short term, it means the organisations that thrive going forward will be the ones developing a long-term strategic approach, with key stakeholders from all parts of the business.