Four years after GDPR, DPOs still lack resources


Appeared in 2018 with the entry into force of the General Data Protection Regulation (GDPR), the Data Protection Officer (DPD, or DPO in English) now plays a central role in the governance of personal data.

Since the creation of this responsibility in 2018, their number has increased (there were 21,000 in 2018 and 29,000 in 2021). However, the means allocated to the exercise of this profession are often insufficient.

According to a recent study published by the consultancy firm Grant Thornton, the DPO often has the feeling of being “an orchestra conductor without an orchestra”. In the study, 55% of respondents believe that the resources allocated to them are insufficient. Respondents believe that the scope of their function remains “sometimes underestimated”, including in large companies that display data governance strategies.

Onboard teams and deal with third parties

For example, DPOs encounter difficulties in monitoring the compliance of third parties. Existing tools and methods, such as sending compliance questionnaires, seem to them “unsatisfactory” and time-consuming. 43% of DPOs believe that verification work with contractors is often too heavy to manage.

While it seems difficult to “get” operational teams on personal data protection topics, 34% of DPOs also note that the level of overall acculturation in the company is still too low.

The feeling of not being supported enough also varies according to the department to which the DPOs are attached. Historically, DPOs were mainly attached to CIOs or legal departments. Since four, a migration has taken place. Today, 13% of DPOs report to the risk department and 21% to general management. On the other hand, 10% remain attached to an IT department.

It should be noted that a large majority of DPOs perform their duties internally, and a smaller proportion perform externally or on shared workstations. This of course depends on the needs and profiles of the companies or public bodies concerned. This distinction is also not without consequence on the degree of involvement and the level of training required for the position.





Source link -97