Data Protection and Privacy Officer Priorities 2020: How Organizations Are Adapting to a Rapidly Changing Regulatory and Security Landscape

Posted on by Wei Chieh Lim

This year’s CPO Magazine Data Protection and Privacy Officer Priorities report documents a landscape in which the GDPR is fully in effect and enforcement precedents are being established. Comparably rigorous privacy legislation is taking shape in the world’s finance and industrial centers, while at the same time an array of new cyberthreats continues to appear.

Privacy officers have more on their plates than ever. So, what are the priority concerns? Budget and staffing are an excellent place to start:

  • 27% of businesses named this as their current leading challenge
  • 57% are running on an annual budget of $250,000 or less
  • 76% have fewer than 10 employees in data protection and privacy roles

Organizations also show a strong preference for deferring the deployment of privacy technologies until their data protection programs are fully mature; smaller companies with less revenue tend to forgo such tooling entirely.

More than 471 privacy professionals from around the world representing organizations in 16 industries were surveyed this year, and their feedback provided numerous useful insights.

2019’s trends and changes

Though the GDPR went into effect in mid-2018, the first significant enforcement actions were not handed down until early 2019. This was the first full year in which enforcement patterns and precedents began to take shape. Fines were frequent in some countries and rare or absent in others. There were more than 200 fines in total, but few were particularly harsh, and none came close to the GDPR maximum.

Other jurisdictions began to follow the EU’s lead in 2019. While the United States is still struggling to find common ground on a federal privacy bill, California’s Consumer Privacy Act was slated to take effect at the start of 2020. A number of other nations passed or advanced privacy bills expected to move forward in 2020, Brazil and India among them.

Naturally, this led to a considerable wave of compliance work. It also created something of an overnight market boom in privacy consultants, vendors and new technology options.

And this is before we even get to cyberthreats, which have become more frequent and sophisticated with each new year. Increased numbers of regulations and stiffer fines did not seem to have an effect on data breaches, which rose again in terms of both overall incidents and total number of individual records leaked.

All of this created some obvious new challenges for privacy officers, but there were also some surprising sources of organizational struggle.

The new challenges for DPOs

Privacy officers are facing two primary challenges: a simple lack of resources, and great difficulty in getting all of the organization’s units to adopt new privacy measures once they are drafted.

Some types of challenges vary greatly with the maturity of the data privacy program; others persist no matter what phase the company is in. For example, programs in all phases appear to struggle with integration issues across the business (27%). In the earlier stages of a program, budget issues are more pronounced (27%); as the program matures, the concern shifts to hiring and retaining qualified personnel (30%).

Cost estimation also appears to be a universal problem, but one that is more pronounced in smaller organizations with smaller budgets. A disconnect between the executive suite and the privacy and technology departments over the cost of compliance requirements and data protection measures is common. Part of this may have to do with the GDPR being the only substantial new law actually being enforced in 2019, with the exact levels of enforcement not yet defined. And there is always a natural reluctance to spend money on preventive measures that non-experts may see as superfluous.

What Priorities Should DPOs Be Looking at Going Forward?

That briefly outlines the biggest challenges privacy officers felt they were facing in 2019, but what were their organizations spending the most time on? Concerns lined up with actions to a considerable degree: 49% of respondents reported prioritizing the creation and implementation of a privacy-aware culture across the organization. Enhancing governance of data processing (25%) and improving compliance management processes (22%) were also among the highest priorities. Reflecting the GDPR’s requirements, cross-border data transfers (33%) and data subject requests (32%) were the highest priorities among governance items.

One interesting item is the significant focus on establishing general frameworks (40%) rather than on the regulatory requirements of the EU or any other particular jurisdiction. This suggests that many organizations are proactively preparing for a future in which most major industrialized nations have national data privacy laws at least comparable to the GDPR.

Flexible frameworks that can be adapted to emerging regulations are key, as is looping the executive suite into the conversation about the real costs of potential breaches and fines. The data also indicates that retaining key personnel was a consistent problem for larger organizations with more mature data protection programs.

The need to prioritize a privacy-aware culture is demonstrated not just by these survey numbers but by the number of breaches and successful phishing attempts that continue to occur. In terms of specific risk reduction, organizations are most commonly implementing anonymization and pseudonymization solutions along with incident management and activity monitoring tools.

This only scratches the surface of the insights provided by data protection officers, who also weighed in on how budgets are being allocated and teams are being trained, among other topics. The report also addresses how challenges and priorities differ as an organization’s head count increases and its program moves through the various phases of maturity.

Wei Chieh Lim

CEO, CPO Magazine and Swarmnetics


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.