
DPO Survey

First national benchmark shows how different Belgian organisations are handling the GDPR requirements

Brussels, 10 October 2022


Deloitte Belgium and Beltug are issuing a report on how Belgian organisations have dealt with the requirements that are mandated by the General Data Protection Regulation (GDPR) of 2018 and how the role of data protection officers is being fulfilled in practice.

The General Data Protection Regulation (GDPR) aims to drastically improve the privacy of European citizens. All organisations need to take privacy seriously and appoint a data protection officer (DPO). With this research, Deloitte Belgium and Beltug want to offer midsized and large companies and their DPOs a benchmark to compare their own approach with that of other organisations.

The DPO plays an important role in privacy governance. This is a young profession, and companies are looking for information on how other organisations are dealing with their privacy challenges. DPOs are in a special position, as they work within the company to guide the privacy approach, yet need to stay independent. It is up to the business divisions to take the decisions and implement the privacy measures.


The role and position of the DPO varies in each organisation

The survey highlighted a big difference in how organisations employ DPOs. It was found that a bit more than half of the organisations leverage a full-time DPO and external staff to help support privacy-related issues. However, some organisations have only employed a part-time DPO, with no external support. Of course, the privacy challenges of a B2C company differ from those of an industrial factory.

Furthermore, DPOs are employed in different business units: the DPOs of 23% of the respondent organisations work in the legal department, 23% in compliance, 9% in the IT & Security department, and 45% in other departments.

“These differences demonstrate that there is not one particular, preferred DPO model that is currently being used. The survey also shows that the yearly budget that is spent on data protection compliance varies greatly between companies. Most of the respondents state that their resources have remained stable since 2018. Meanwhile, with the increasingly rapid evolution of global (digital) data protection regulations, we predict that organisations that fail to accurately determine how to deploy the DPO role and allocate appropriate resources will be at risk of falling seriously behind with their data protection obligations,” says Alexandra Jaspar, Director & Privacy lead Data Protection and Privacy at Deloitte.


“Additional challenges are coming, with the increasing digitisation leading to a fast-growing use of personal data.”

Areas of compliance that avoid financial or reputational harm are prioritised

The results from the survey show that the most mature areas of compliance are data subject requests and data breach management. The maturity of these compliance areas further supports the notion that organisations have chosen to prioritise those privacy compliance obligations that have a clear ‘external’ component.

“According to the DPOs in the survey, a decisive factor influencing an organisation’s priorities is legal certainty. When there are clear-cut rules applying to a certain area of compliance, it is easier for an organisation to make choices. When rules are subject to interpretation, organisations tend to be reluctant, postpone taking action and potentially challenge their DPO’s advice.”

Danielle Jacobs, CEO Beltug

The survey also found that there are significant variations in terms of maturity levels between the different data protection initiatives within each organisation. At the same time, the data protection regulatory landscape is continuously changing through new regulations, court opinions and regulatory guidance. Due to these factors, the so-called ‘baseline’ compliance expectations are shifting. This will require organisations to start focusing more on less mature data protection initiatives such as third-party data transfers, document retention, privacy by design, and so on.

Culture and change management processes are key challenges for data protection compliance

When DPOs were asked what they see as the most important challenges today, they listed cross-border data transfers, allocating (enforcing) appropriate accountability at business level, and finding where data are within the organisation.

The survey highlights how DPOs largely believe that the governance regarding personal data and information security can be improved, and consider these areas to be more paramount in the operational landscape of their organisation. There are three central areas where there is a lack of governance: lack of awareness and support at the top management level, no clear assignment of privacy accountability or policy enforcement, and lack of workable policies and procedures.

“Working with a DPO and ensuring the right level of data protection is a question of culture and change management, because in order to achieve compliance, data protection must be effectively embedded within the entire organisation’s processes, internal rules and way of working. The DPO should not and cannot make this happen alone.”

Erik Luysterborg, Data Privacy and Data Protection partner at Deloitte

About this research

A qualitative survey of 44 targeted questions was carried out with about 30 members of the Beltug Privacy Council, who cover the major industry sectors such as finance, banking and insurance, healthcare and pharmaceuticals, and the public sector. The respondents comprise full-time and part-time DPOs appointed from large and midsized Belgian organisations.

To discover the complete report, please visit