DPOs chllenged by volume of work

UK government DPOs challenged by volume of GDPR work

Data protection officers (DPOs) working in central government departments, agencies and associated public bodies across the UK say they have seen a doubling in volume of data protection requests (DPRs) since the introduction of the General Data Protection Regulation (GDPR) in 2018, but are not being adequately resourced when it comes to dealing with the workload.

This is according to The impact of GDPR in central government, a newly published study conducted by eCase, a supplier of correspondence case management systems which works extensively with Westminster, including at the Department for Work and Pensions (DWP), Defra, HMRC, the Ministry of Defence (MoD) and the Treasury.

Its survey of central government DPOs found that 70% had seen significant upticks in their workload since GDPR became law, while 40% had received no extra team resources to manage this and 33% were still managing DPRs manually or with support from basic spreadsheet software.

An 83% majority said they had, however, experienced an increase in “support and recognition” from their superiors.

“Through our work, we recognise that GDPR has presented unique challenges for DPOs across central government, so we wanted to provide a mechanism for them to share common challenges and provide insights into how they can better and more effectively manage their compliance,” said eCase director Richard Clarke.

“In the course of our research, we discovered that few are using purpose-built commercial tools,” he said. “This lack of efficient tooling may not only be affecting their ability to confidently manage their current workloads, but also their ability to fulfil future requests, which will become even more pronounced as their workloads continue to increase.”

Indeed, many of those who said they were using custom-built DPR-management tools said they fretted about being able to fulfil their obligations in the time limits laid down by the Information Commissioner’s Office. All of those using purpose-built tools said they were mostly or completely confident they could do so.

In light of this, eCase has called on the government to increase the size of departmental data protection teams, provide more concrete support to these teams to help them engrain best data protection practice into their work, and offer more extensive and, crucially, continuous data protection training and education.

“I believe that the insights and recommendations in this report will provide central government, and the wider public sector, with a clear roadmap for improvement,” said Clarke.

“Given the current pandemic situation, where we know that many teams have been depleted and the focus on the role of data in managing this crisis has sharpened, the risk of data protection teams being overwhelmed is greater than ever. I urge all DPOs in government to read this report and act upon its recommendations before this happens.”

Jon Baines, chair of the National Association of Data Protection and Freedom of Information Officers (NADPO) and a data protection advisor at law firm Mishcon de Reya, added: “I welcome this report as its findings should help inform not just decisions made in government and the public sector, but also across the wider spectrum of private organisations.”

Source: CW

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on print
Share on email

Latest Blog Posts

dpa gdpr

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the application of the GDPR. They

Read More »

Zpracovává vaše společnost osobní údaje?

Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje


Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 

Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?

Kas teie ettevõte kogub ja töötleb isikuandmeid?

Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?

Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data