European data protection authorities are woefully underfunded, finds study

A vast majority of Europe's governments are failing the GDPR by failing to allocate sufficient resources or manpower to their data protection authorities to monitor tech infringements of the data security regulation, research has revealed.

A study conducted by web browsing service provider Brave recently revealed that European governments have not sufficiently equipped their data protection national authorities to enforce the GDPR.

According to Brave, very few expert tech investigators are working to uncover private sector GDPR breaches and as a result, even when a data breach is identified, DPAs hesitate to use their powers against major tech firms because they cannot afford the cost of legally defending their decisions against ‘Big Tech’ legal firepower.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities. Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene,” he added.

The study revealed the following facts with reference to GDPR enforcement across Europe:

  • Only five of Europe’s 28 national GDPR enforcers have more than 10 tech specialists.
  • Half of EU GDPR enforcers have small budgets (under €5 million).
  • The UK Government’s privacy watchdog (ICO) is Europe’s largest and most expensive to run. But only 3% of its 680 staff is focussed on tech privacy problems.
  • The Irish Data Protection Commission is Google and Facebook’s ‘lead authority’ GDPR regulator in Europe. But while the number of complaints it deals with is accelerating, increases to its budget and headcount are decelerating.
  • Since 2018, ICO’s budget has increased from €30 (£26.2 million) to €61 million (£53.3 million).

Talking about the increasing investment in tech specialists, a spokesperson from the Information Commissioner's Office told IT Pro that “the ICO recognises the vitally important role of technical specialists in addressing data protection and privacy concerns, and this is reflected in our priorities and technology strategy.”

“While we are not yet at the level of capacity and capability we are planning for we will continue to invest significantly in this area,” the spokesperson added.

Colin Truran, Principal Technology Strategist at Quest, told Teiss that “we knew GDPR would open up a can of worms from the outset, and it was reported that the data protection authority would struggle to have the resources to cope, so to some extent this is not a surprise. However, with that all said and done, it begs the question why only 3% of the UKs ICO staff is focusing on tech, when many of us would consider that to be a starting point.

“Tech giants often have trouble balancing data privacy with business goals, but data protection should not be designed to just go after the obvious targets. It’s also about making sure that every organisation has data privacy high up their action list and not just thinking that if they keep their heads down they will go unnoticed. We need to have a balanced approach as any organisation large or small, tech or charity has the potential to hold and subsequently lose personal information,” he added.

ALSO READ: Is the ICO all carrot and no stick? Security Leaders discuss!

MORE ABOUT: