Back to News
Welcome To Merje Banner (26)
Share this Article

MERJE Insights - The Rise of the Data Protection Officer

  • Publish Date: Posted almost 4 years ago
  • Author:by Michael Ayres

Currently in its second year, GDPR made drastic changes to data protection rules for global businesses doing business in the EU. This has subsequently resulted in a sharp increase in the hiring of data privacy professionals in the past year. 

Enter the rise of the Data Protection Officer or DPO, whose role is to act as the designated data protection and privacy champion for an organisation. This is a position which has firmly been placed in the spotlight as a result of those stringent GDPR mandates. 

The purpose of the role itself is multifaceted and it is the responsibility of the DPO to educate and build awareness within an organisation regarding how to protect the privacy of individuals during all stages of data processing. 

They must also monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments and act as a contact point for data subjects and the supervisory authority.

According to research released last year from the International Association of Privacy Professionals (IAPP), a surge in DPO appointments has taken place since the arrival of GDPR. In 2017, IAPP estimated that GDPR would create the need for about 75,000 DPOs worldwide. However, the latest research shows that the number of DPOs working in Europe alone is actually closer to 500,000.

The unprecedented appointment of DPOs undoubtedly comes as a result of the broad requirements by GDPR for organisations to create these roles. Companies must subsequently ensure that DPOs are suitably trained and qualified to protect privacy and individuals’ data.

This is because companies of all shapes and sizes hold significant amounts of valuable data relating to both their customers and clients which could be regarded as either sensitive or confidential.

In the past, regulated businesses have arguably been better equipped to store this data and other non-regulated firms less so. This has resulted in a series of significant data breaches, particularly since GDPR came into force, which saw personal information exposed or accessed without authorisation.

In fact, a 2019 survey found that there had been over 59,000 data breaches reported to data protection authorities across the EEA since the regulation came into effect. The Netherlands, Germany and the UK reported 15,400, 12,600 and 10,600 breaches respectively, each of which represented significant increases on previous years and evidence that the GDPR is having a significant impact on the levels of breach reporting.

Such breaches are difficult to identify, costly to address and cause reputational damage that some businesses never recover from. However, given the value of data and the inevitability of cyber risk, the best thing that companies can do to mitigate the effects of a breach is to implement a thorough risk management practice for the detection, containment and communication in the wake of an issue arising.

Past examples of high profile data breaches which have impacted billions of people and left an extraordinary number of records exposed have originated from commercial and tech giants and household names which include Yahoo, Facebook, Twitter, LinkedIn and Adobe. 

In July 2019, as GDPR legislation was gathering momentum, the Information Commissioner’s Office eclipsed its previous track record by handing out a fine of £183 million to British Airways for data breaches, which equated to about 1.5 percent of its 2017 income. A few days later, Marriott was given a £99 million penalty, about three percent of its 2018 revenue. Given that GDPR non-compliance fines can be imposed at up to four per cent of annual global revenue for the organisation in question, there is scope for penalties to hit future offenders even harder.

Obviously, breaches can come from a firm’s own incompetences in the data protection arena. However, cyber threats and cyber crime are evolving in tandem with this and are becoming increasingly sophisticated and complex. This means that firms are always potentially at risk and, no matter how much they try to ensure good information security measures are in place, hackers will do whatever it takes to break down those barriers. 

GDPR ensures that data is retained in the right way for the right length of time as people become increasingly aware and concerned about how their data is either being used to financially benefit big corporations or falling into the hands of cyber criminals.

This is another reason why data protection awareness is massively on the rise and has gone from being a small part of a company’s function, sometimes even being regarded as a tick box exercise, to now being taken incredibly seriously.

All of this has hugely affected the data protection market as firms set their sights on hiring the best talent in this arena. Given the sharp rise in prominence of data protection roles, this has made registered professionals who possess this skill-set highly desirable, far more than anyone could have anticipated. 

What can be surmised by this is that organisations out there are taking their responsibilities under GDPR seriously, as also evidenced by the significant rise in breaches being reported since GDPR came into force. As a result, people are increasingly choosing to move into this role, given its remit, vital function it plays within a business and promising career pathway which it can offer.

At MERJE, we have a range of leading organisations who are seeking to strengthen their data protection credentials and we also have a host of talented professionals who are trained in this skill-set.

To discuss your data protection recruitment or role requirements in more detail, please get in touch: