Situating capabilities and practices of DPOs for data protection on the ground

Research output: Unpublished contribution to conferenceUnpublished paper


The European Union's General Data Protection Regulation (GDPR) affects data processing practices of organizations in the European information society and the world over, while ‘on the ground’ implementation is still an unexplored terrain for many. An International Association of Privacy Professionals (IAPP) study in 2016 estimated that by the GDPR enforcement date of 25 May 2018, some 75,000 new Data Protection Officers (DPOs) would be sought by private and public organizations around the globe. To meet this demand, suddenly ubiquitous DPO courses started training legal and IT professionals to quickly fill in the specific legal and security skills needed for DPO duties.

Often overlooked in fast-track DPO courses are the considerable soft skills required from DPOs. These soft skills pertain to: acting as points of contact for data subjects, functioning as key intermediaries in complex situations of shared responsibilities, and interacting with data protection authorities, civil society, media, and other external stakeholders. In addition, DPOs need to raise privacy awareness internally within their organizations, while interacting closely with the colleagues that are doing the actual work of technical and legal implementation, and execution of data protection. The latter is crucial as ethnographic research in US organizations has demonstrated how Chief Privacy Officers (CPOs) alone cannot embed robust data protection norms into the corporate ethos, practice, and routine. For the latter to happen, data privacy must also become a priority among those organization members effectively doing the work of design on the ground, i.e. the technologists and company lawyers (Waldman, 2018), as well as the staff who are actually handling the data: HR specialists, nurses, marketeers, researchers, to name but a few.

New DPOs also need excellent planning skills as they face uncertainty regarding time and resource allocation: often the first in their positions, how will they know how much time to allocate to properly function as an organization’s DPO? Which tasks will demand most of their time? What are the main resources they need? They may be confronted with uncharted issues and dilemmas, like open data, smart city environments, bring-your-own-device strategies, responsible research and innovation (RRI) requirements, ‘black boxed’ algorithms or automated decision-making, peculiar sector-specific demands (e.g. in finance) and complex data value networks. In larger organizations, DPOs will be supported by teams of support staff, who may or may not report directly to the DPO, which also brings up specific management and resource-related challenges.

To sum up, the question is: Which challenges do newly hired data protection officers expect to struggle with most in their new positions and do they have the interdisciplinary skills to meet them?

This study will start from a scan of leading DPO training courses in Belgium, the results of which are compared to a survey of newly minted Belgian DPOs’ needs. To address their most urgent professional needs, knowing which top challenges DPOs themselves identify within their first year will be an important insight. Data on envisioned challenges are collected from DPOs who have started in Belgian public and private organizations in 2017-2018. The scan and the survey results are complemented with qualitative research.

A data protection strategy is not something that DPOs have, but something that they do. The qualitative part of the study will therefore consist of in-depth interviews with DPOs, based on the strategy-as-practice framework (Jarzabkowski et al, 2007) with a focus on the practitioners. How do they frame data protection issues within the organization, how do they interact with stakeholders, how do they set priorities and influence agendas?

The results of this study will provide insight into the top challenges envisioned by newly enlisted DPOs in Belgian companies, and possible (mis)matches with current training curricula. Apart from feedback on skills training efficiency, our research will also shed light on an important societal effect of consequential European regulation with a short implementation timeline: a possibly sizable deficiency in immediately available skilled staff. The results from this study can be used as a benchmark for future research into DPOs’ effectiveness in Europe and beyond.
Original languageEnglish
Publication statusPublished - 6 Oct 2018

Bibliographical note

Session II ‘Data protection on the ground’ in Track 4 ‘The regulation of the information society’


Dive into the research topics of 'Situating capabilities and practices of DPOs for data protection on the ground'. Together they form a unique fingerprint.

Cite this