The arrival of the General Data Protection Regulation (GDPR) in 2018 saw the creation of a new position in many businesses - that of the Data Protection Officer (DPO). In fact, GDPR legislation now requires any organisation that processes and/or stores personal data for EU citizens to appoint a DPO, who is responsible for ensuring the organisation meets its data privacy and protection obligations.
Needless to say, the majority of DPOs have their plates pretty full at present, juggling the escalating threat landscape with the ongoing battle to meet regulatory compliance in the midst of a pandemic. However, according to a recent survey, these are far from the only worries they face. Rapidly shrinking budgets, under-resourced teams, lack of security-centric culture and low support at the executive level are all making it harder and harder for many to do the job effectively. This article will look more closely at some of these trends and examine what DPOs can do to tip the odds back in their favour before it’s too late.
The perennial fight for budget continues
Like so many corners of the security industry, the fight for budget has quickly become one of the toughest obstacles facing DPOs everywhere. Of course, budgetary issues aren’t a new phenomenon, but when considered against a backdrop of rising cyber crime, tougher legislation and near daily global headlines about the latest major data breach, it represents an extremely worrying trend. In many cases, the budget at a DPO’s disposal is less than five percent of the organisation’s total governance, risk and compliance budget, making it near impossible to cover all the bases needed to keep data safe.
This could be attributed to the fact that only a relatively low number of high-profile GDPR fines have been handed out to date, meaning companies are still either too relaxed or simply not informed enough to understand just how important compliance really is.
Lack of recruitment concerns masking a more serious issue
Interestingly, very few DPOs claim they are currently experiencing the recruitment issues so keenly felt across the wider IT security industry. However, there’s a strong chance this is simply down to the small team sizes most DPOs have at their disposals.
In fact, research suggests that a quarter of all organisations have just one privacy specialist on their entire staff (usually the DPO themselves), while a significant majority have less than ten employees focused on data protection roles. In short, teams simply aren’t big enough to be encountering the resourcing issues so prevalent elsewhere, which is a major problem in itself.
Poor executive support/understanding lies at the root of many issues
Many of the challenges currently facing DPOs, including those above, can ultimately be traced back to the same core issue – a lack of support and/or understanding of data privacy and protection at the executive level. With corporate culture set at the top of most organisations, it perhaps comes as no surprise that if the board doesn’t take data protection seriously, neither will most other employees. However, a security orientated culture plays an absolutely pivotal role in any/every robust data security programme. Without it, a breach is all but inevitable. It’s just a question of when.
Education: The most potent weapon in every DPO’s arsenal
All of these issues serve to highlight what is perhaps the most critical aspect of any DPO’s job - education.
At the most basic level, this means regularly speaking to stakeholders at every level of the organisation, explaining the importance of security best practice and, where necessary, hammering home the ramifications of a data breach. It’s often surprising how few senior decision makers truly understand the extent of the damage that can be caused until it’s properly spelled out for them.
Of course, in reality this can be far from straightforward most of the time. Understanding the different needs of individual groups within the organisation, addressing strategic concerns, communicating effectively and maintaining an open door for any/all data protection concerns are important aspects of the job too. Remember, no one said being a DPO was easy!
An uncertain future holds a golden opportunity
With the COVID-19 pandemic currently wreaking havoc on the business sector as we know it, many organisations face a fight for their very future over the next 12 months. Brand traits such as integrity and reliability look set to become more important to customers than ever, which means robust security will too. With this in mind, DPOs have a golden opportunity to move data protection right to the top of the corporate agenda, securing the budget and resources they need in the process. But if they stay silent and fail to educate stakeholders properly at this delicate time, there’s a risk that even existing budgets could be sacrificed in the desperate fight to survive by any means necessary.
Author: Jan van Vliet, VP EMEA at Digital Guardian