Skip to main content

Data Protection Officer Benchmark

Deloitte and Beltug Survey Report

Regulators are starting to look closer at how companies have operationalised privacy governance. With that in mind, we surveyed data protection officers (DPOs) in the Beltug Privacy Council to share best practices on how to improve the effectiveness of the DPO function and privacy governance.

The GDPR was launched in May 2018, yet from our experience, privacy remains a very sensitive topic in all sectors. Many data protection officers (DPOs) have identified the need for more benchmarking, specifically on how the DPO role is managed in companies.

We surveyed data protection officers who are members of the Beltug Privacy Council to not only gain insights into the strengths and weaknesses of organisations’ data protection compliance programmes, but DPO (governance)-related issues such as how the DPO operates within the organisation and what the DPOs’ main challenges are.


Key findings


  • There is no silver bullet, one-size-fits-all solution when it comes to the DPO function. A clear (privacy) mandate is more important than where the DPO function should sit.
  • An effective data protection governance structure (and mandate) is often lacking, which leads to the risk of the so-called “paper tiger syndrome”.
  • Organisations should reconsider which privacy areas they invest in. Inward looking privacy compliance areas are still very immature, putting companies at risk in light of current privacy regulator expectations as well as a host of upcoming new EU data regulations.
  • The role of the DPO is clearly changing from that of a fire fighter to that of a facilitator.
  • The main challenges for DPOs, according to them, are lack of resources, lack of management support, no clear assignment of accountability for privacy compliance (outside of DPO office), lack of (continued) awareness throughout the organisation.

The Deloitte and Beltug Survey Report provides insightful takeaways for companies to improve the effectiveness of their DPO function and their overall privacy (by design) governance.

We identified five focus areas for the DPO function. Explore them in the full report.