Although organizations in the United States have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure and, in some cases, one, or more, dedicated employees. While in some organizations “data privacy” and “data security” falls within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues. There is little commonality in how these offices are staffed, funded, or organized. For example, while some organizations have “Chief Privacy Officers” or “Chief Information Technology Officers” that report directly to senior management, other organizations have privacy officers that report through a General Counsel or to a Chief Compliance Officer.
Like the United States, the appointment of a privacy officer was not required under the EU Privacy Directive. Unlike the United States, some individual member states – most notably Germany – enacted legislation that went beyond the requirements of the EU Privacy Directive required that most businesses that operated in that country appoint a data protection officer.
The EU’s new General Data Protection Regulation (“GDPR”) adopts the German concept that a data-heavy company must appoint a data protection officer. In addition, the GDPR purports to apply the requirement to data-heavy United States companies that process personal information and (1) intend to offer products or services to people in the EU, or (2) monitors people in the EU.1 Specifically the GDPR requires:
The following provides a snapshot of information concerning privacy officers:
Percentage of privacy officers that spend at least 50% of their time on privacy-specific activities.10
The average number of years of experience a privacy officer has in privacy related roles.11
Estimate of the number of new data protection officers that will be needed under the GDPR.12
Percentage of privacy officers that are currently housed within the Legal Department.13
3.3 – 25
The number of full time employees retained by Fortune 1000 companies to deal specifically with privacy-related issues.14
The following summarizes some of the duties of the data protection officers required by the GDPR:
1. GDPR Recitals ¶¶ 20, 21; GDPR Art. 3(1), (2).
2. GDPR Art. 35(1)(b).
3. GDPR Art. 35(1)(c).
4. GDPR Art. 35(4).
5. GDPR Art. 35(5).
6. GDPR Recital 75.
7. GDPR Art. 35(8); Recital 75..
8. GDPR Art. 36(3).
9. GDPR Art. 36.
10. IAPP, Benchmarking Privacy Management and Investments of the Fortune 1000, p.13 (2014), https://iapp.org/resources/article/full-report-benchmarking-privacy-management-and-investments-of-the-fortune-1000/
11. Id. at 11.
12. IAPP, Study: At Least 28,000 DPOs Needed To Meet GDPR Requirements (Apr. 19, 2016).
13. Id. at 21.
14. IAPP, Benchmarking Privacy Management and Investments of the Fortune 1000, p. 17, 20 (2014), https://iapp.org/resources/article/full-report-benchmarking-privacy-management-and-investments-of-the-fortune-1000/. Survey found that on average companies in the Fortune 1000 with an “early stage” privacy program had 3.3 FTEs whereas companies with a “mature stage” privacy program had 25 FTEs.
15. GDPR Art. 36(3).
16. GDPR Art. 36(1).
17. GDPR Art. 37(1)(a).
18. GDPR Art. 37(b).
19. GDPR Art. 37(b).
20. GDPR Art. 37(b).
21. GDPR Art. 36(2a).
22. GDPR Art. 35(9).
23. GDPR Art. 37(h), (g).