50% of Government DPOs report a more than doubling in Data Protection Requests since the introduction of GDPR
50% of Government DPOs report a more than doubling in Data Protection Requests since the introduction of GDPR
The results of a new comprehensive study, published today, by eCase - The Impact of GDPR in Central Government – find that half of central government’s Data Protection Officers (DPOs) have seen more than 100% increases in Data Protection Requests (DPRs) since the introduction of GDPR and that, even now, two years after it became law, 7% are still concerned about their own compliance with it.
This newly released report is the outcome of a research survey of DPOs in central government departments, agencies and associated public bodies. The study investigated the effect that GDPR has had on DPOs, their organisations and operations, including the challenges that they have encountered. Its key findings are that:
- 70% have seen significant increases in their workloads
- 40% have not been given any extra team resources to deal with the workload increases
- 7% are still concerned about their own compliance with GDPR
- 83% have experienced an increase in senior level support & recognition
- 33% are still managing their DPRs manually, supported by spreadsheets
- 33% of those using in-house custom-built tools to manage their DPRs are ‘Unconfident’ that they can fulfil them within the ICO’s time limits
- 100% of those using purpose-built commercial tools are ‘Mostly’ or ‘Completely’ confident that they can fulfil DPRs within the ICO’s time limits
- The most common task that DPO’s would benefit from improving, when fulfilling DPRs, is gathering information in time (74%), whilst the second was redacting the information once sourced (57%)
As a result of uncovering these findings, the eCase study proposes that central government bodies adopt the following recommendations:
- Data protection teams’ sizes should be increased in line with workload increases, otherwise organisations risk future non-compliance as workloads continue to grow.
- It is critical that organisations continue to provide both senior and peer level support to DPOs and their teams. Without support at both levels, data protection practices won’t become ingrained into routine activities. Organisations will then be left vulnerable to GDPR non-compliance and the significant liabilities introduced under it.
- Extensive and ongoing data protection training and education should be conducted with stakeholders. This will help reduce both the volumes of internal advice requests and the risk of non-compliance.
- With a significant increase in requests, specialist purpose-built commercial tools should be provided to Data Protection teams. This will help them to efficiently and effectively keep up with their ever-increasing workloads
Speaking on behalf of eCase, Richard Clarke, Director, said, “I’m delighted that we are publishing ‘The Impact of GDPR in Central Government’ report today. Through our work, we recognise that GDPR has presented unique challenges for DPOs across central government, so we wanted to provide a mechanism for them to share common challenges and provide insights into how they can better and more effectively manage their compliance. In the course of our research, we discovered that few are using purpose-built commercial tools. This lack of efficient tooling may not only be affecting their ability to confidently manage their current workloads, but also their ability to fulfil future requests, which will become even more pronounced as their workloads continue to increase.“
Clarke continued “I believe that the insights and recommendations in this report will provide central government, and the wider public sector, with a clear roadmap for improvement. Given the current pandemic situation, where we know that many teams have been depleted and the focus on the role of data in managing this crisis has sharpened, the risk of Data Protection teams being overwhelmed is greater than ever. I urge all DPOs in Government to read this report and act upon its recommendations, before this happens.”
Commenting on the report, Jon Baines, Data Protection Advisor at Mishcon de Reya LLP and Chair of the National Association of Data Protection and Freedom of Information Officers (NADPO), said “I welcome this report as its findings should help inform not just decisions made in government and the public sector, but also across the wider spectrum of private organisations.”