In a fresh report from Sweden, Integritetskyddsmyndigheten (the Swedish Authority for Privacy Protection, DPA) sent out a questionnaire in 2022 and got answers from a whopping 800 data protection officers. Well, the participation rate was only 23 per cent, so they say that it can’t be representative of all DPOs. The report was published in January 2023, and just like the title of this post, it covered data protection in practice. The questionnaire is sectioned into three subcategories:
- Whether DPOs have sufficient resources to carry out data protection work effectively.
- How data protection work needs to be organised to be effective.
- What the main challenges for practical data protection work are now (March 2022).
This post will briefly go through some findings of the report and then I will make some observations on the challenges for data protection work in practice.
The Report’s findings
The Swedish DPA says that data protection work in practice is carried out by DPOs. However, regarding the DPO’s resources, 25% of them aren’t allotted any time to specifically deal with data protection questions. For them, it is dealt with on an ad hoc basis. Almost half of the respondents say that the allotted time is sufficient to carry out their tasks, and the other half think the opposite.
Regarding receiving training and competence development to be able to work in their current role, a majority say that it is adequate. An interesting comment from the DPA is that it seems like the private sector has more allotted time to do data protection work than the public sector. It also seems like DPOs work more on data protection issues than what is allotted by the employer. From my perspective, what I found quite fascinating is the split down the middle about whether the allotted time is sufficient to carry out their tasks.
The key takeaways from the second subcategory are that:
- 4 out of 10 believe that their organisation works continuously and systematically with data protection issues.
- Around half feel that their data protection concerns are heard by management or the controller, and they feel that they are not involved in a timely manner.
- Just 12 per cent of DPOs are involved from the start in projects about innovation, development, or change management.
- Not surprisingly, full-time DPOs perceive the role as clearer than those who only work half-time in the role.
The last subcategory is about the greatest challenges for data protection work in practice. Here, the DPA provided twelve different alternatives for the DPOs to choose from, and I will only touch upon the top three. Firstly, half of the respondents reported that the GDPR is perceived to hinder or impede business and operations. Furthermore, half have experienced difficulties in creating policies and procedures that work. And lastly, 39 per cent thought the balance between giving advice, being in control, and monitoring compliance with the GDPR is difficult. The DPA analysed the trends from 2019 and noticed that initial challenges with interpreting the regulation have transitioned from a teething problem to a change management process.
So, what might DPOs do to overcome the challenges they face?
Having sufficient resources is essential to carry out data protection work effectively. Otherwise, the DPO may find the work demotivating, feel that the organisation is working against them, and, in the end, suffer fatigue. There are a couple of ways to potentially solve this issue. One is to negotiate with the organisation or data controller about increasing the allocated time: from zero to part-time, or from part-time to a bit more or to a full-time task. Maybe the controller and the DPO could come to an agreement that an additional resource is needed. However, that could prove to be difficult if the budget is tight.
Another way of finding a solution, especially if the budget is tight, is to delegate operational data protection work to other departments in the organisation, to a so-called privacy champion or ambassador. The main things a DPO should concern themselves with, according to Article 39 of the GDPR, are to:
- Inform and advise the data controller.
- Monitor compliance with the GDPR, other data protection legislation, and the controller’s policy (including assigning responsibilities, awareness-raising and training of staff involved in processing operations, and related audits).
- Cooperate with and be a contact point for the supervisory authority.
From our experience, there are colleagues in HR and IT who are involved in the processing operations and could lend a helping hand with more operational work beyond the tasks in the list above. A perk of this arrangement is, besides finding friends in a lonesome profession, that the DPO will gain insights and perspectives from other departments that otherwise potentially wouldn’t happen.
What we see in the second subcategory is that there are problems with working with data protection continuously and systematically, as well as with being involved early by management or in different projects. One thing to consider is that the organisation might not have a properly functioning data protection forum with the concerned stakeholders. Depending on the circumstances, the controller could hold periodic data protection meetings, for example, every week, month, quarter, or even semi-annually. Who the relevant people to invite are of course depends on the circumstances, but explore whether, for example, C-suite level, directors, and other specific key roles (IT, product, project, and HR managers) could be invitees. This will increase awareness about data protection, involve the DPO more and potentially earlier, and make the work more continuous, systematic, and sustainable in the long term.
Regarding the last subcategory, my conclusion is that it is hard to change organisations. People are set in their ways, unwilling to change, and business operation is an overriding goal. To find ways forward in the change management process, a DPO has to be creative and willing to experiment to find sustainable solutions that work for the organisation. We must acknowledge that the DPO’s work is hard, difficult, and gradual. An idea could be to set goals for the DPO with measurable sub-goals to visualise what has been done. Try to set goals that increase buy-in (if the goals are shared), and that enable the DPO to see where there are gaps in the organisation’s privacy culture. Focus on experimentation and deliverable goals.
The report from Sweden indicates that many DPOs face challenges in carrying out their tasks effectively due to insufficient resources and inadequate involvement in data protection work. The report found that while some DPOs have adequate resources and training to work on data protection issues, others struggle with a lack of time and support from the controller.
Sadly, the report points to the fact that many organisations in Sweden do not work continuously and systematically with data protection, and DPOs are not involved in a timely manner. Shortcomings in these areas can make it difficult for DPOs to ensure that data protection is incorporated into the organisation’s work culture and projects.