The GDPR was launched in May 2018, yet from our experience, privacy remains a very sensitive topic in all sectors. Many data protection officers (DPOs) have identified the need for more benchmarking, specifically on how the DPO role is managed in companies.

We surveyed data protection officers who are members of the Beltug Privacy Council to not only gain insights into the strengths and weaknesses of organisations’ data protection compliance programmes, but DPO (governance)-related issues such as how the DPO operates within the organisation and what the DPOs’ main challenges are.

Key findings

• There is no silver bullet, one-size-fits-all solution when it comes to the DPO function. A clear (privacy) mandate is more important than where the DPO function should sit.
• An effective data protection governance structure (and mandate) is often lacking, which leads to the risk of the so-called “paper tiger syndrome”.
• Organisations should reconsider which privacy areas they invest in. Inward looking privacy compliance areas are still very immature, putting companies at risk in light of current privacy regulator expectations as well as a host of upcoming new EU data regulations.
• The role of the DPO is clearly changing from that of a fire fighter to that of a facilitator.
• The main challenges for DPOs, according to them, are lack of resources, lack of management support, no clear assignment of accountability for privacy compliance (outside of DPO office), lack of (continued) awareness throughout the organisation.

The Deloitte and Beltug Survey Report provides insightful takeaways for companies to improve the effectiveness of their DPO function and their overall privacy (by design) governance.