Half A Million DPOs in Place One Year Post-GDPR
One year after GDPR was first implemented, an estimated 500,000 organizations in Europe have registered data protection officers in place.
A staggering 500,000 organizations across the European Union have registered a data protection officer in the wake of last year's implementation of the General Data Protection Regulation.
The figure, via a recent study carried out by the International Association of Privacy Professionals, is more than six times the number of DPOs initially expected to be hired as a result of the landmark data privacy regulation.
In 2017 the IAPP estimated the GDPR would create a need for 75,000 DPOs worldwide, across private- and public-sector organizations, with more than 28,000 needed in Europe.
According to the latest figure, which is based on DPO registration data the IAPP received and tabulated, there are roughly half a million DPOs registered in both private- and public-facing organizations across the European Economic Area (EEA).
The IAPP based its findings on information it received from data protection authorities in Austria, Bulgaria, Denmark, Finland, France, Germany, Ireland, Italy, the Netherlands, Spain, Sweden and the United Kingdom, a large chunk of the EEA. There were 376,306 DPO registrations based on those numbers. The IAPP extrapolated that figure and applied it to estimate the number of DPOs in the remaining EEA countries.
"Using this data, along with GDP figures and publicly available statistics from Eurostat on the number of enterprises active in the economy, we calculated the number of DPO registrations per country as a percentage of GDP and total company presence. We found that the number of enterprises in the economy was a more accurate predictor than GDP of the number of organizations registering DPOs. From this data, we estimated the number of DPOs in the remaining EEA countries, assuming that in aggregate they would have an approximately equal percentage of DPOs in relation to total company presence."
Under the GDPR, public authorities or bodies must appoint a data protection officer to oversee an organization's data protection strategy and implementation to comply with the regulation. The role of the DPO has several tasks in addition to ensuring compliance, including cooperating with the supervisory authority, acting as a point of contact on issues relating to data processing, and being cognizant of the risk associated with processing data.
Prior to the implementation of GDPR, Germany and the Philippines were the only countries with mandatory DPO laws.
While the 500,000 figure is certainly encouraging, it's difficult to pinpoint the exact number of DPOs installed in the EU, let alone worldwide. Some organizations can use external DPOs, meaning some serve multiple organizations. As Caitlin Fennessy, a Certified Information Privacy Professional with the IAPP, points out, in France almost 52,000 organizations have registered but the actual DPO population hovers around 18,000.
The statistic comes as we inch closer to the one-year anniversary of the GDPR’s implementation date later this week, May 25. A survey earlier this year found that there had been over 59,000 data breaches reported to data protection authorities throughout Europe since the regulation went into effect. That number has almost certainly risen in the three months since the survey was published.
The IAPP's latest study granted the membership foundation an opportunity to dig deeper into the differences between data protection officers in the UK and the EU, namely the salary that DPOs in each region pull.
In the IAPP’s latest salary survey, the average salary of a DPO in the United States was $140,000. That’s compared to $88,000 in the EU. Even in the US, where data privacy responsibilities can fall under the title Chief Privacy Officer, employees earn more, $212,000 to the UK's $185,000 and the EU's $142,000.