First national benchmark shows how different Belgian organisations are handling the GDPR requirements
Brussels, 10 October 2022
Deloitte Belgium and Beltug are issuing a report on how Belgian organisations have dealt with the requirements that are mandated by the General Data Protection Regulation (GDPR) of 2018 and how the role of data protection officers is being fulfilled in practice.
The General Data Protection Regulation (GDPR) aims to drastically improve the privacy of European citizens. All organisations need to take privacy seriously and appoint a data protection officer (DPO). With this research, Deloitte Belgium and Beltug want to offer midsized and large companies and their DPOs a benchmark to compare their own approach with that of other organisations.
The DPO plays an important role in privacy governance. This is a young profession, and companies are looking for information on how other organisations are dealing with their privacy challenges. DPOs are in a special position, as they work within the company to guide the privacy approach, yet need to stay independent. It is up to the business divisions to take the decisions and implement the privacy measures.
The role and position of the DPO vary in each organisation
The survey highlighted a big difference in how organisations employ DPOs. Slightly more than half of the organisations rely on a full-time DPO and external staff to help support privacy-related issues. However, some organisations employ only a part-time DPO, with no external support. Of course, the privacy challenges of a B2C company differ from those of an industrial factory.
Furthermore, DPOs are employed in different business units: the DPOs of 23% of the respondent organisations work in the legal department, 23% in compliance, 9% in the IT & Security department, and 45% in other departments.
“These differences demonstrate that there is not one particular, preferred DPO model that is currently being used. The survey also shows that the yearly budget that is spent on data protection compliance varies greatly between companies. Most of the respondents state that their resources have remained stable since 2018. Meanwhile, with the increasingly rapid evolution of global (digital) data protection regulations, we predict that organisations that fail to accurately determine how to deploy the DPO role and allocate appropriate resources will be at risk of falling seriously behind with their data protection obligations,” says Alexandra Jaspar, Director & Privacy lead Data Protection and Privacy at Deloitte. “Additional challenges are coming, with the increasing digitisation leading to a fast-growing use of personal data.”
Areas of compliance that avoid financial or reputational harm are prioritised
The results from the survey show that the most mature areas of compliance are data subject requests and data breach management. The maturity of these compliance areas further supports the notion that organisations have chosen to prioritise those privacy compliance obligations that have a clear ‘external’ component.
Danielle Jacobs, CEO Beltug: “According to the DPOs in the survey, a decisive factor influencing an organisation’s priorities is legal certainty. When there are clear-cut rules applying to a certain area of compliance, it is easier for an organisation to make choices. When rules are subject to interpretation, organisations tend to be reluctant, postpone taking action and potentially challenge their DPO’s advice.”
The survey also found that there are significant variations in terms of maturity levels between the different data protection initiatives within each organisation. At the same time, the data protection regulatory landscape is continuously changing through new regulations, court opinions and regulatory guidance. Due to these factors, the so-called ‘baseline’ compliance expectations are shifting. This will require organisations to start focusing more on less mature data protection initiatives such as third-party data transfers, document retention, privacy by design, and so on.
Culture and change management processes are key challenges for data protection compliance
When DPOs were asked what they see as the most important challenges today, they listed cross-border data transfers, allocating (enforcing) appropriate accountability at business level, and finding where data are within the organisation.
The survey highlights that DPOs largely believe the governance of personal data and information security can be improved, and that they consider these areas to be more important in the operational landscape of their organisation. Governance is lacking in three central areas: lack of awareness and support at the top management level, no clear assignment of privacy accountability or policy enforcement, and lack of workable policies and procedures.
Erik Luysterborg, Data Privacy and Data Protection partner at Deloitte: “Working with a DPO and ensuring the right level of data protection is a question of culture and change management, because in order to achieve compliance, data protection must be effectively embedded within the entire organisation’s processes, internal rules and way of working. The DPO should not and cannot make this happen alone.”
About this research
A qualitative survey of 44 targeted questions was carried out with about 30 members of the Beltug Privacy Council, who cover the major industry sectors such as finance, banking and insurance, healthcare and pharmaceuticals, and the public sector. The respondents comprise full-time and part-time DPOs appointed from large and midsized Belgian organisations.
To discover the complete report, please visit: https://www2.deloitte.com/be/en/pages/governance-risk-and-compliance/solutions/dpo-benchmark.html
About Beltug and the Privacy Council
With over 2000 members from 490+ organisations, Beltug is the largest Belgian association of CIOs & Digital Technology leaders. Via its Privacy Council, it provides a multi-disciplinary platform of DPO/privacy experts for exchanging experiences and best practices.
Beltug defends the interests of the business ICT users and supports knowledge exchanges between organisations. Beltug also represents the business ICT users at the European and international levels, in close cooperation with organisations in other countries.
Deloitte in Belgium
A leading audit and consulting practice in Belgium, Deloitte offers value added services in audit, accounting, tax and legal, consulting, financial advisory services, and risk advisory services.
In Belgium, Deloitte has more than 5,100 employees in 11 locations across the country, serving national and international companies, from small and middle-sized enterprises, to public sector and non-profit organisations. The turnover reached 635 million euros in the financial year 2021.
Deloitte Belgium BV is the Belgian affiliate of Deloitte NSE LLP, a member firm of Deloitte Touche Tohmatsu Limited. Deloitte is focused on client service through a global strategy executed locally in more than 150 countries. With access to the deep intellectual capital in the region of 345,000 people worldwide, our member firms (including their affiliates) deliver services in various professional areas covering audit, tax, consulting, and financial advisory services. Our member firms serve over one-half of the world’s largest companies, as well as large national enterprises, public institutions, and successful, fast-growing global companies. In 2021, DTTL's turnover reached over $50.2 billion.
Deloitte refers to a Deloitte member firm, one or more of its related entities, or Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms.