In a continuation of analysing the issues and challenges that DPOs face, we find that the challenges have an effect on the organisation, and that how qualified the DPOs are affects the vulnerability of the organisation to a data breach.
In Part I of this article, it was found that many of the DPOs are “double-hatting”, which raises the question of whether they have sufficient bandwidth to be properly trained or to do a proper DPO job. 90% of the DPOs indicated they spend less than 50% of their time on data protection related work and, not surprisingly, the top-most challenge faced by DPOs is having sufficient bandwidth to do a proper DPO job. If we break down the different types of DPOs, we can see that the largest group, the DPOs who Double-Hat with Other Functions, do not have sufficient bandwidth/time to do a proper DPO job.
With data protection given only nominal attention, DPOs face various challenges in managing and operationalising a data protection programme. We can see from Table 1 that those who “Double-Hat” and Legal Counsel who act as DPOs have insufficient bandwidth/time to do a proper DPO job.
Table 1: Challenges faced by various types of DPOs
| | Dedicated DPO | Double-Hat with other functions | Legal Counsel/DPO |
|---|---|---|---|
| 1 | Coordinating compliance across multiple stakeholders and departments | Having sufficient bandwidth/time to do a proper DPO job | Coordinating compliance across multiple stakeholders and departments |
| 2 | Implementing Data Protection policies | Implementing Data Protection policies | Having sufficient bandwidth/time to do a proper DPO job |
| 3 | Getting support from Senior Management | Conducting the Data Protection Impact Assessment (DPIA) | Conducting the Data Protection Impact Assessment (DPIA) |
| | Co-operation from department heads to form the Data Protection Team | Coordinating compliance across multiple stakeholders and departments | Getting support from Senior Management |
| | Drafting policies and standard operational procedures | Co-operation from department heads to form the Data Protection Team | Implementing Data Protection policies |
Coupled with the lack of time is the lack of experience. Most of the DPOs have less than two years of experience.
Table 2: Years of Experience in DPO Job
|No. of year(s) in job||DPO – Double-hatting||DPO – Dedicated||DPO – Legal Counsel|
About one in five of those involved in DP work responded that their organisation experienced some kind of data incident/breach in the last 36 months. This indicates that Singapore organisations are relatively safer than other global organisations. According to a study by the Ponemon Institute (by IBM) in 2019, companies have almost a 30% chance of experiencing a data breach within 2 years. Despite that, this is still a matter of concern as it poses a significant risk to the organisation.
The lack of experience may be mitigated by training. This can be inferred from the result of the survey, where the incidence of breaches experienced by organisations with trained DPOs is half that of organisations managed by untrained DPOs; i.e. DPOs who are untrained are twice as likely to experience a data breach.
Given the growing trend for online transactions, work and learning, exacerbated by the pandemic, it is inevitable that data protection will become a requirement that is an integral part of business and life. As more countries enforce data protection law (e.g. Brazil brought forward the implementation of its laws), the need for DPOs, and for DPOs to continually keep their skills relevant and upgraded, will be inevitable.
The challenges faced by DPOs in Singapore are manifold – from taking on multiple roles to the lack of experience. The findings indicate that the challenge of holding on to multiple roles is also inhibiting the DPOs in managing the data protection programme effectively.
Further factors that reduce the effectiveness of the DPO are the lack of support from having a data protection committee (as outlined in Part I) and the lack of experience.
The findings also indicate that DPOs who are untrained are significantly more likely to experience a breach, exposing the organisation to greater risk.
With the proliferation of online transactions, work and learning and the expansion of data protection enforcement, the data protection industry is set to see an increase in demand for data protection training, consultancy and outsourced data protection services.
Written by Leong Wai Chong, CIPM, GRCP
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.