GDPR boom time for 'data protection officers' - at least 75,000 required worldwide
Oh great, another jolly old skills crisis is looming
The European Union's forthcoming General Data Protection Regulation (GDPR) will require the recruitment of "at least" 75,000 data protection officers to enable organisations to keep on top of their new legal obligations.
The GDPR will come in on 25 May 2018, and there won't be any grandfathering of existing contracts - organisations will need to be 100 per cent compliant from day one, or risk fines up to four per cent of turnover.
But according to the International Association of Privacy Professionals (IAPP), the GDPR will require the widespread and large-scale recruitment of data protection officers - typically lawyers specialised in data protection law - in order to stay on top of the new EU law.
"Because the EU's 28 member states together represent the world's largest economy and the top trading partner for 80 countries, many companies around the globe buy and sell goods to EU citizens and are thus subject to the GDPR," claims the IAPP.
One of the requirements of the GDPR is that any organisation conducting large-scale processing of personal data must have a data protection officer who is independent from the organisation. Hence, companies across the world will now need to consider how to introduce such a role into their business, including the extent of the officer's authority, to whom the officer will report and how the role will operate.
Earlier this year, the IAPP claimed that organisations in Europe and the US would require at least 28,000 data protection officers, and suggested that this was a conservative estimate.
Now, the IAPP, using the same methodology, believes that as many as 75,000 data protection officer roles will be created in response to the GDPR, not just in the EU and US, but across the world.
"The data protection officer requirement is borrowed from a similar programme Germany has had in place for a decade, and other economies, including France and Sweden, for example, have the concept of the data protection officer well established. Still, it's a new concept almost everywhere outside the EU and is bound to generate some confusion," suggested the IAPP.
The data protection officer requirement is covered under Article 37 of the GDPR, which states that such specialists will need to be "designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices". Their tasks are designated under Article 39 of the GDPR.
Using a standardised methodology, the IAPP estimated the number of data protection officers that will need to be recruited among organisations in the EU's top 10 trading partners, as well as other major trading partners.
The US, according to the IAPP, will need to find 9,000 data protection officers with an understanding of data protection laws across the EU, while China will need to find 7,568, Switzerland 3,682 and Russia 3,068. "Where will these 75,000 DPOs come from? Many companies remain in a wait-and-see mode," admitted the IAPP.
The EU's Article 29 Working Party, the data protection umbrella group that includes the UK's Information Commissioner's Office (ICO), will release guidance regarding compliance with the data protection role in December.
It has been suggested that the bureaucratic burden of GDPR - not to mention a raft of other EU directives and regulations - will benefit the largest technology and internet companies, especially in the nascent cloud computing space.