In many German companies, data protection is no longer a standalone area of responsibility., but is also carried out in addition to other activities. According to the press release, this not only leads to a high workload but also to potential conflicts of interest. A survey by Dury Consult among 500 data protection officers in companies with at least 500 employees shows that in many places there is a lack of time, personnel resources and the necessary support from management. At the same time, legal requirements are continuously increasing, which further intensifies the pressure to act.
Key Facts on the Status Quo of Data Protection
- Data protection is usually just an additional task: Only 16 percent of respondents are exclusively concerned with data protection. For the vast majority, the topic is merely one of several areas of responsibility.
- Conflicts of interest due to dual roles: According to Dury Consult, in 17 per cent of companies, managing directors or board members are themselves responsible for data protection. The combination of IT management and data protection is also particularly problematic, as those responsible would have to oversee their own processes.
- Time is becoming a bottleneck: Almost a quarter of data protection officers state that they do not have enough time to fulfil their duties.
- Requirements continue to increase: 37 percent of respondents find the legal requirements increasingly complex, while 30 percent report a steadily growing workload.
- Data protection often comes into play too late: Around 17 percent say they are not involved at all, or only very late, in important company decisions.
- Responsibility lies with management: Companies are obliged to provide adequate personnel and financial resources for data protection. Otherwise, in addition to high GDPR fines, management may also face personal liability risks.
Data protection is often an afterthought.
According to Dury Consult, data protection is still not adequately anchored organisationally in many companies. Most data protection officers also take on additional tasks in areas such as IT, information security, quality management, compliance, or HR. In 17 percent of the companies, managing directors or executive board members themselves are responsible for data protection. According to the press release, such dual roles can be problematic as they lead to a loss of the necessary independence of the data protection officers. The combination of IT responsibility and data protection is considered particularly critical, as it would require individuals to audit their own processes.
More tasks, but often too little support
According to the survey, many data protection officers are increasingly reaching their limits. Almost a quarter of respondents complain that they do not have enough time for their tasks. At the same time, many feel they are involved too late in important decisions or do not receive enough support from company management. Furthermore, statutory requirements are becoming increasingly extensive and complex. According to Sandra Dury, it is therefore not enough to simply „let data protection run alongside“ existing processes; instead, the topic must be firmly anchored organisationally within the company and provided with sufficient resources.
Businesses and management have a duty.
According to Sandra Dury, management boards and managing directors are responsible for ensuring a functioning data protection organisation. The press release states that insufficient staffing or financial resources can not only lead to high fines but, in serious cases, can also result in personal liability for management. Dury therefore recommends that companies, Data protection to strategically strengthen and provide the necessary resources early on to avoid legal and financial risks.