Resources, Budget Remain An Issue for DPOs
In a recent survey, data protection officers cited a lack of budget and cohesion across all business units when it comes to developing an organization-wide data protection and privacy strategy as some of the role's top challenges.
As if data protection officers (DPOs) don't have enough on their plate right now – battling to meet regulatory compliance in a pandemic, learning to live with complications introduced by employees connecting remotely to work from home, etc. – they’re also struggling to get their work done with a depleting budget and diminishing resources.
According to a recently released survey of DPOs, more than 50 percent of respondents said that locking down the appropriate resources and budget to do their work and getting every department on the same page when it comes to carrying out data protection and privacy measures remain the toughest obstacles. All of this comes despite an uptick in data privacy legislation and news around the seemingly endless stream of data breaches.
According to the survey, CPO Magazine’s Data Protection & Privacy Officer Priorities 2020, more than a quarter of respondents, 27%, said that their biggest challenge has been budget restrictions and a lack of resources. The second biggest concern to DPOs is working with other business units to integrate data protection measures: 26% of respondents said getting everyone on the same page, across the organization, is also a challenge. Less pressing to organizations, at least according to the survey, are hiring and retaining skilled personnel and keeping up with changing regulations. While only 11 percent said this was an issue for them, CPO suggests the figure could be masked by the budget issue since 57% of respondents are spending less than $250,000 throughout the organization on data protection and privacy measures.
The survey, released four weeks ago, polled 471 data protection and privacy officers across 16 industries. While the bulk were in the technology, software, and financial services field, some hailed from retail, entertainment, transportation, and hospitality sectors.
Budgetarily speaking, according to the survey, 57 percent of organizations have an annual budget of no more than $250,000 for data protection and privacy measures. It should probably come as little surprise that this figure is pretty small when viewed as a percentage of an organization’s risk and compliance budget overall.
It’s only when companies have more than 5,000 employees on staff that an organization begins to ratchet up its data protection activities. Companies with over 10,000 employees spent over $1,000,000 on data protection capabilities, according to the survey.
Overall, however, the numbers spent on data protection translate to less than 5% of an organization’s typical governance, risk, and compliance budget. CPO is attributing the relatively low spending to slower GDPR fines in the EU and the fact that some companies may not fully understand what it means to be compliant.
These numbers also show how few employees at organizations are in charge of data protection. 1 of 4 organizations has one privacy specialist on staff. 76 percent have 10 or fewer employees in roles focused on data protection and privacy.
This is a cyclical problem; as the survey notes, 53 percent of respondents said it was difficult to obtain the budget and executive support they need to meet compliance.
This is a challenge pretty much universally across companies, no matter the maturity. Only companies with a mature data protection program had little trouble (4%) getting executive-level support. Those businesses are more concerned with hiring and retaining personnel trained in data protection in order to keep processes streamlined and efficient.
When it comes to priorities, 49 percent of respondents said building a “privacy-aware” culture and ensuring data processing activities can be governed – increasing scrutiny around cross border data transfers, data subject requests, and so on – is high on the lists of DPOs.
According to the survey, companies are also looking at ways to reduce data processing risks; that includes using data protection and privacy impact assessments, data inventory and mapping, compliance management, anonymization, and pseudonymization.
It will be interesting to see where some of these numbers chart in 2021. The survey was carried out before the spread of the COVID-19 coronavirus, meaning that, post-pandemic, businesses may have to reevaluate spending as it pertains to data protection amid shifting priorities, with many employees working from home for the foreseeable future.