The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, ‘IMY’) in January this year published a report ‘Data protection in practice. A study of data protection in organisations required to have a data protection officer‘.

IMY’s press release:

Data protection officers point to problems applying GDPR
Published: 31 January 2023

A survey by the Swedish Authority for Privacy Protection (IMY) notes that less than half of responding data protection officers assess that their own organisation works continually and systematically with data protection.

IMY has now published the report Data protection in practice, which is based on a survey of data protection officers in over 800 organisations. The report provides an indication of the conditions under which data protection is applied in organisations required to have data protection officers.

Less than 4 in 10 of data protection officers judge that their own organisation works continually and systematically with data protection. Only half feel that they are able to explain the importance of data protection issues to management.

“This is concerning. Systematic and continual data protection requires both knowledge of GDPR and commitment from the organisation’s management,” says Andrea Amft, an analyst at IMY.

The survey shows also that half of the officers are not included in a timely manner. Every fourth lacks allocated time for data protection and only every other feels that the allocated time they do have is sufficient.

“It is important that data protection officers are provided the necessary conditions and both sufficient and appropriate resources to allow them to fulfil their assignment within their organisations. This includes providing officers enough time for their tasks and access to necessary information,” says Amft.

From the summary:

Data protection in practice is largely carried out by the data protection officers found throughout the country. These data protection officers (DPO) need sufficient time to fulfil their assignment, something that, according to our survey, many still lack. It is also concerning that less than half of the DPO believe that their own organisation works continually and systematically with data protection. (…)

Effective data protection requires good organisation
Systematic and continual privacy and data protection require both knowledge of GDPR and interest among the organisation’s management in privacy and data protection. For this reason, it is concerning that less than half of DPO responded that their own organisation works continually and systematically with data protection.

Some important findings:

• Four of 10 feel that their own organisation works continually and systematic with data protection issues.
• Half can convince management and personal data controllers of the importance of personal data issues.
• Half feel that they are not included well in advance.
• Full-time DPO feel the assignment is more clear than those working part-time in the role.

The biggest challenges: Create practical procedures and coordinate the data protection rules with the organisation
Data protection in practice seems to have entered a new phase compared with 2019. There seems to be a clear decrease in the initial difficulties in understanding and implementing GDPR – at least in the organisations included in the survey. Instead, DPO argue that a big challenge is now that the regulations are seen as an obstacle to the organisation and that GDPR makes the work of the organisation more difficult.

Some important findings:

• The two biggest challenges are achieving functioning procedures and processes and ensuring the data protection rules do not inhibit or obstruct the organisation.
• More and more data protection officers feel that the biggest problem is a lack of commitment and knowledge by management.
• Fewer and fewer DPO see the interpretation of the regulations as a major challenge.

More information:

• Press release IMY on the report: Data protection officers point to problems applying GDPR, 31 January 2023.
• IMY report.
• IMY site.