The latest report from the UK Data Protection Index was published last month, and it seems that DPOs are feeling rather pessimistic. Each quarter, the Index asks the same baseline questions in order to be able to track evolving trends and, judging by this latest set of results, the overwhelming trend is downwards:
The last point seems to us to be the most troubling. You would expect that, if a DPO is doing their job well, their organisation’s compliance would only be on the increase… wouldn’t you? In this blog, we consider what may be causing this crisis in DPOs’ confidence.
It seems that the COVID-19 pandemic has a lot to answer for, and a reduction in DPOs’ confidence in their organisation’s compliance may be another thing to add to the list.
As businesses were forced to move online and shift to remote working, or close their doors altogether, data protection considerations understandably were not at the top of the priority list when survival was at risk. This is reflected in the fact that DPOs’ perception of the level of precedence given to data protection in their organisation dropped by 7 percentage points over the last quarter.
Whilst understandable, the impact of the pandemic on businesses and working practices was, however, a double whammy. It caused businesses to leave data protection somewhat on the back burner, whilst also forcing mass adoption of remote working practices which came with new, significant, data protection risks and considerations. It is, therefore, no wonder that DPOs feel their organisation’s compliance may have slipped.
In addition, another impact of the pandemic was that it created increased distance between DPOs and their colleagues. Given that a large proportion of many organisations’ workforce have been working from home for over a year now, it has been more difficult for DPOs to connect with colleagues about any issues or concerns they may have. In this new working culture, small problems that would otherwise have been raised in the office over a coffee or at the water fountain go unsaid, leading to larger more serious issues and, possibly, non-compliance down the line. Often, these are problems that, had they been brought to the DPO’s attention earlier, might have been nipped in the bud far sooner – preventing that incident from turning into a breach, for example.
Lack of ongoing resources
Another factor that must be highlighted, that sits closely with the lowering precedence of data protection within organisations’ priorities, is the lack of ongoing resources dedicated to data protection compliance. Since the UK Data Protection Index began in July 2020, it has asked the same question:
If your budget for data protection activities were to be increased by 20%, which area would you give the highest priority over the next quarter?
Respondents can choose from a range of answers, including staff training; improving info security/cybersecurity; Software that complements privacy by design. This aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles./platforms; and attending events and conferences. However, in all five surveys carried out since July 2020, additional internal resources has been at the top of the list.
When we consider why this might be the case, the obvious answer is, again, that the pandemic has tightened the purse strings of all organisations. Whilst this in undoubtedly true, anecdotal evidence from talking to our clients and other data protection professionals suggests that the issue runs far deeper, relating back to how data protection compliance was communicated to organisations when the GDPR was first introduced in 2018.
When the GDPR was first introduced it was truly transformative, and many organisations wasted no time in hiring a DPO and providing them with all the resources they needed to start making some drastic changes to compliance frameworks and data processing activities. All in all, engagement was extremely high, as organisations got to grips with this new era of data protection regulation, in part motivated by the possibility of huge fines (€20 million or 4% of global annual turnover) the likes of which had never been seen before.
This was hugely positive, however, it appears that over time organisations’ appetite for change and engagement with data protection issues has tailed off somewhat. Now, this may be partly because the aforementioned huge fines for non-compliance have yet to materialise, removing the stick which DPOs could wield if needed to get engagement. But, another highly likely possibility is that organisations now feel that they have “done” data protection, seeing the introduction of the GDPR as a change management project, one that has now been completed – job done, compliance achieved.
This scenario points to the common misconception that compliance is a destination, a box that needs to be ticked and once it’s done, it’s done. In actual fact, compliance with data protection laws is a journey that is ongoing and requires buy-in from all employees in an organisation, every day. Because of the ongoing nature of data protection compliance, it requires ongoing resourcing to maintain data protection standards, through the provision of staff training; investment in appropriate information and cyber security; time with and buy-in from key stakeholders etc. Without adequate resources, compliance will ultimately slip, as seen in this quarter’s Index results.
Although this quarter’s Index paints a rather bleak picture of organisational compliance, it is hoped that as we enter the post-pandemic era and return back to some form of normality, organisations can begin to refocus on areas of business that have somewhat fallen by the wayside, including data protection.
A wider action for the data protection industry, however, is to begin to re-frame the narrative around data protection compliance with organisations. Work needs to be done to instil a culture of compliance in all organisations that means data protection is always on the agenda, and DPOs have the resources required to keep moving compliance forward.
Hopefully, if DPOs can help to get data protection back up the priority list within their organisations, the picture will be a much more positive one by next quarter.
The next Index report will be published in December, where we will also ask DPOs their opinion on the recent proposed changes to UK data protection laws.
If you are a data protection professional and would like to add your voice to future reports, sign up here.
Fill in your details below and we’ll get back to you as soon as possible