Deloitte Belgium and Beltug are issuing a report on how Belgian organisations have dealt with the requirements that are mandated by the General Data Protection Regulation (GDPR) of 2018 and how the role of data protection officers is being fulfilled in practice.
The General Data Protection Regulation (GDPR) aims to drastically improve the privacy of European citizens. All organisations need to take privacy seriously and appoint a data protection officer (DPO). With this research, Deloitte Belgium and Beltug want to offer midsized and large companies and their DPOs a benchmark to compare their own approach with that of other organisations.
The DPO plays an important role in privacy governance. This is a young profession, and companies are looking for information on how other organisations are dealing with their privacy challenges. DPOs are in a special position, as they work within the company to guide the privacy approach, yet need to stay independent. It is up to the business divisions to take the decisions and implement the privacy measures.
The survey highlighted a big difference in how organisations employ DPOs. It was found that a bit more than half of the organisations leverage a full-time DPO and external staff to help support privacy-related issues. However, some organisations have only employed a part-time DPO, with no external support. Of course, the privacy challenges of a B2C company differ from those of an industrial factory.
Furthermore, DPOs are employed in different business units: the DPOs of 23% of the respondent organisations work in the legal department, 23% in compliance, 9% in the IT & Security department, and 45% in other departments.
“These differences demonstrate that there is not one particular, preferred DPO model that is currently being used. The survey also shows that the yearly budget that is spent on data protection compliance varies greatly between companies. Most of the respondents state that their resources have remained stable since 2018. Meanwhile, with the increasingly rapid evolution of global (digital) data protection regulations, we predict that organisations that fail to accurately determine how to deploy the DPO role and allocate appropriate resources will be at risk of falling seriously behind with their data protection obligations,”
says Alexandra Jaspar, Director & Privacy lead Data Protection and Privacy at Deloitte.
“Additional challenges are coming, with the increasing digitisation leading to a fast-growing use of personal data.”
The results from the survey show that the most mature areas of compliance are data subject requests and data breach management. The maturity of these compliance areas further supports the notion that organisations have chosen to prioritise those privacy compliance obligations that have a clear ‘external’ component.
“According to the DPOs in the survey, a decisive factor influencing an organisation’s priorities is legal certainty. When there are clear-cut rules applying to a certain area of compliance, it is easier for an organisation to make choices. When rules are subject to interpretation, organisations tend to be reluctant, postpone taking action and potentially challenge their DPO’s advice.”
Danielle Jacobs, CEO Beltug
The survey also found that there are significant variations in terms of maturity levels between the different data protection initiatives within each organisation. At the same time, the data protection regulatory landscape is continuously changing through new regulations, court opinions and regulatory guidance. Due to these factors, the so-called ‘baseline’ compliance expectations are shifting. This will require organisations to start focusing more on less mature data protection initiatives such as third-party data transfers, document retention, privacy by design, and so on.
When DPOs were asked what they see as the most important challenges today, they listed cross-border data transfers, allocating (and enforcing) appropriate accountability at business level, and finding where data are within the organisation.
The survey highlights how DPOs largely believe that the governance of personal data and information security can be improved, and consider these areas to be increasingly central to the operational landscape of their organisation. There are three central areas where governance is lacking: a lack of awareness and support at the top management level, no clear assignment of privacy accountability or policy enforcement, and a lack of workable policies and procedures.
“Working with a DPO and ensuring the right level of data protection is a question of culture and change management, because in order to achieve compliance, data protection must be effectively embedded within the entire organisation’s processes, internal rules and way of working. The DPO should not and cannot make this happen alone.”
Erik Luysterborg, Data Privacy and Data Protection partner at Deloitte
A qualitative survey of 44 targeted questions was carried out with about 30 members of the Beltug Privacy Council, who cover the major industry sectors such as finance, banking and insurance, healthcare and pharmaceuticals, and the public sector. The respondents comprise full-time and part-time DPOs appointed from large and midsized Belgian organisations.
To discover the complete report, please visit: https://www2.deloitte.com/be/en/pages/governance-risk-and-compliance/solutions/dpo-benchmark.html
Deloitte in Belgium
Deloitte has more than 5,700 employees and 11 offices in Belgium, making it the country's largest organisation in audit, accounting, legal and tax advice, consulting, financial, and risk advice.
With these services, Deloitte helps the largest national and international companies as well as SMEs, governments and non-profit organisations move forward. Deloitte Belgium is an independent and autonomous organisation affiliated with Deloitte Touche Tohmatsu Limited (DTTL). In FY2024, the organisation achieved turnover of EUR 819.4 million.
Deloitte Belgium BV is the Belgian subsidiary of Deloitte NSE LLP, a firm affiliated with Deloitte Touche Tohmatsu Limited, which consistently aims to provide the highest quality in professional services and advice. These services are based on a global strategy covering more than 150 countries. To realise this, they rely on the expertise of 460,000 professionals on all continents. For the 2024 financial year, turnover exceeded USD 67.2 billion.
Deloitte refers to a Deloitte member firm, one or more related partnerships, or DTTL, a UK private limited liability company. DTTL and all affiliates are legally separate and independent entities. DTTL (aka “Deloitte Global”) does not provide services to clients. Visit www.deloitte.com/about for a more detailed description of DTTL's legal structure and affiliates.