Introduction
General Data Protection Regulation (GDPR) focuses on important elements of data ethics, including protecting people’s privacy, accountability and transparency. According to the GDPR, certain public institutions are obliged to appoint a Data Protection Officer (DPO). This applies to all public authorities, public bodies, and organizations whose main activity is the systematic and extensive monitoring of individuals or which process specific categories of personal data to a large extent, regardless of which data they process (1).
The DPO should take care of the protection of personal data. According to the GDPR, “The data protection officer shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39“ (2).
The GDPR has been in full force since 25 May 2018, but so far, there is little publicly available data from national EU surveys on DPOs in the post-GDPR period. For example, a survey conducted by Lopes and Oliveira between October and December 2017 found that of the four health clinics contacted, only one had appointed a DPO at the time (3). A study conducted on data submitted to the Croatian Personal Data Protection Agency (AZOP) showed that AZOP received only 37 opinion requests about personal data protection in research from academic and research institutions in Croatia from 2015 to 2019. For comparison, in 2018 alone, AZOP received 3464 opinion requests (4). A possible reason for such a small number of opinion requests related to research and personal data protection is the lack of knowledge and awareness about these issues. Another possible explanation is that researchers solve all such issues with their DPOs in their institutions. We could not find other research on this topic in the literature. The aim of this study was to examine the scope of work, type of work, and education of DPOs in institutions in Croatia.
Materials and methods
The study was cross-sectional, conducted via an online survey. The protocol of the study was approved by the director of AZOP and the Ethics Committee of the Catholic University of Croatia. Detailed information about the study and personal data protection were sent to the prospective participants.
Subjects
Eligible participants were all DPOs appointed in Croatia. At the time when the study began, the number of eligible participants (appointed DPOs) was 5671.
Methods
Croatian Personal Data Protection Agency contacted all DPOs in Croatian institutions by e-mail and invited them to participate in the anonymous study. AZOP contacted all data protection officers whose e-mail addresses they had on file. Due to the nature of their work, AZOP needs to have contacts of all DPOs appointed in the Republic of Croatia. According to the Personal Data Protection Act of Croatia, “The Personal Data Protection Agency shall keep a Register of Personal Data Protection Officials. “ Since the AZOP has the contacts, the AZOP contacted the targeted participants.
The survey was conducted through the EU Survey platform, which did not collect respondents’ IP addresses, so participation in the survey was anonymous. After the initial invitation, the participants received three more reminders to complete the survey. In addition, DPOs attending the official AZOP workshops on data protection during November 2020 and March 2021 were also reminded to fill the survey.
For the study, we created a new survey for DPOs (Supplementary material). The new survey was created because we were unable to find such a survey in the literature. Researchers participating in the creation of the survey included experts in data protection and a research methodologist.
The survey has 35 items. The questions referred to their appointment, work methods, number and type of cases handled by DPOs, the sources of information they use, their experience and education, level of work independence, contacts with ethics committees, problems experienced, knowledge, suggestions for improvement of their work, changes caused by the GDPR, and sociodemographic information.
There were two knowledge questions. The first knowledge question asked participants to describe what are pseudonymization and anonymization. Since the participants had to explain two terms, we considered the answer partially correct if participants correctly explained only one of the two terms. The second knowledge question included the list of 10 items that must be included in the privacy policy; thus, the correct answer to this question was to choose each of the 10 items. The participants were asked to choose which of the items must be included in the privacy policy. We reported the number of participants that answered the whole question correctly (chose all 10 items as part of the privacy policy), and we also reported how many participants chose each of the 10 items.
Before sending the surveys to the respondents, a pilot test of the survey was conducted on ten trial respondents, employees of AZOP, to obtain feedback on the survey comprehensibility. The results of the pilot test were incorporated into the final version of the survey.
The survey was administered in the Croatian language. For the purpose of this manuscript, the survey was translated into English (Supplementary material). The survey was conducted between November 2020 and March 2021.
Results
Out of 5671 invited DPOs, 732 (13%) participated in the study. The median age of the DPOs was 42 years (704 responses); total years of lifetime employment were 15 (706 responses); the number of months serving as a DPO was 18 (703 responses). The majority were women and had a Master’s degree. Most of the DPOs in our sample were affiliated with educational institutions and public bodies. The majority (92%) were already employed by their institutions when they were appointed as a DPO (Table 1). Most DPOs (59%) did not receive a single request for an opinion from citizens/respondents who wanted to exercise their rights under the GDPR since serving as a DPO. Likewise, 83% did not receive a single complaint regarding personal data processing (Table 2).
Table 1
Table 2
There were 42 (5.7%) DPOs that indicated they received research-related questions. When asked who sent them questions related to data protection in research (multiple answers were allowed), they indicated that those individuals were administrative personnel (N = 12, 29%), junior researchers (N = 10, 24%), senior researchers (N = 6, 14%), research ethics committee (N = 5, 12%), students (N = 1, 2.4%). The majority indicated that they are able to perform their job in an independent manner (Table 2).
When asked about obstacles they encountered, 56 (7.7%) participants responded. The most common answers included: lack of independence or collaboration with their superiors (N = 28; 50%), lack of education (N = 8; 14%), and lack of time/too many obligations (N = 10; 18%).
Education and information needs
When asked about prior experience in the field of data protection before being appointed as DPOs, 597 (82%) participants provided an answer. Among them, the majority (N = 324; 54%) did not have any prior experience; 147 (25%) indicated they had some, basic, general, or minimal experience, while 12 (1.6%) indicated they had advanced knowledge. There were 111 (19%) responses that were not possible to interpret; those participants provided responses such as “the same as now”, “positive”, “I am lawyer”, “medium”, “I worked with clients”, “I was a principal”.
Information about the formal and non-formal education that the respondents used to train/educate themselves for the position of a DPO were provided by 662 (90%) participants. The participants indicated they used: formal education (N = 210, 32%), informal education (176, 27%), education organized by AZOP (N = 87; 13%), seminars (N = 88; 13%), educations (N = 80; 12%), internet (N = 43; 6.5%), courses (N = 14; 2.1%). There were 42 (6.3%) participants that said they did not have any prior education at all. Most of the DPOs indicated that they need additional education in the field of data protection (Table 2). When participants have some issues or concerns about data protection, they indicated that they most frequently seek help or response from colleagues who are not DPOs, institutions’ legal department, and AZOP (Table 3).
Table 3
Knowledge questions
There were 613 participants that answered the question about the key difference between pseudonymization and anonymization; 60% answered correctly, and 13% partially correct (Table 4).
Table 4
When we asked participants to choose which of the 10 items must be included in the privacy policy, 162 (23%) of 692 who responded to that question chose all the 10 items. The most frequently chosen item was “The purposes for which personal data are collected and processed”, and the least frequently chosen item was “The existence of automated decision-making/development and meaningful information about the logic in question, as well as the importance and anticipated consequences of such processing for the respondent” (Table 4).
Compliance with legal regulations
Most of the DPOs did not analyse personal data processing activities in their organization to comply with the data protection legislation. When they did conduct such an analysis, most of them partially made a recommendation(s) to modify the business processes to comply with the provisions of the GDPR. The majority of DPOs keep records of processing activities or participate in keeping records of processing activities. The majority never conducted a data protection impact assessment or participated in a data protection impact assessment; neither conducted nor participated in conducting a proportionality (balance) test (Table 5).
Table 5
The majority proposed drafting and adoption of documents to adopt internal data protection policies. The respondents mostly indicated that they think that the employees in their organization are aware of the importance of personal data protection of individuals. The majority indicated that the biggest challenge for their organization in complying with the GDPR includes organizational measures for protecting personal data and technical data protection measures (Table 5). Among open-ended answers (N = 37), lack of personnel was the most common issue (N = 12; 32%). Most of the respondents indicated that they think that the GDPR has caused significant changes for data controllers/ processors (Table 5).
When asked to describe the changes induced by the GDPR, 267 (36%) responded. The most common answers were: additional work, tasks and administration (N = 142; 53%), changes regarding the rights of data subjects (N = 43; 16%), and changes regarding the data controllers (N = 26; 9.7%).
DPOs and ethics committees
Among our respondents, 36% indicated that their institution has an ethics committee. Among those DPOs, the majority was not involved in that committee’s work in any way (Table 6). Among those that were involved, 48/263 (18%) described the following types of involvement: a member of the committee (N = 17, 35%) and counselor/advisor (N = 16, 33%), while the rest provided vague responses, for example, “cooperation when needed”.
Table 6
Most of the DPOs were never contacted by ethics committees regarding personal data protection. The majority of DPOs had less than five such contacts since their appointment. The majority indicated that they did not know whether the Ethics Committee of their institution was competent enough to decide on issues related to personal data protection. The majority of DPOs did not know whether they were competent enough to be able to answer questions sent by an Ethics Committee (Table 6). Some of those who did not find themselves competent (N = 80, 11%) indicated that the following would help them and their institution be more effective in the tasks set before them, especially by the Ethics Committee: education (N = 38, 48%), decreasing their current workload (N = 10; 13%), and experience (N = 3, 3.7%).
Discussion
Based on our study, most DPOs in Croatia were independent in their work but indicated that their workload has increased after the introduction of GDPR. Most of the DPOs had minimal experience and knowledge of data protection, and they clearly articulated their need for further education in the field of data protection. The majority of DPOs did not fully understand their responsibilities, and they exhibited insufficient knowledge about basic concepts of data protection. DPOs had minimal interaction with ethics committees.
The introduction of GDPR appeared to be challenging for unprepared local municipalities (1, 5). The unique and sensitive position of DPO under the GDPR was clearly recognized (6-8). Even though there are some EU cross-country studies aiming to produce data protection officer’s guidance, to our best knowledge, there is a paucity of publications on the role of DPOs after the period of GDPR introduction, and we were unable to find any publications involving surveys of DPOs, which would enable comparison of our results with results coming from other EU countries (9, 10).
Our results indicate that the appointment of the majority of DPOs was associated with the enforcement of GDPR. Namely, the median number of months serving as DPO was 18. It is possible that many institutions have probably appointed a DPO only because they were legally obliged to do so. However, it is very concerning that the majority of surveyed DPOs claimed that they had none or minimal previous knowledge in personal data protection. According to the GDPR, Article 37 [quote]: “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” (11). Our survey clearly indicates that the participants did not report they had “expert knowledge” on data protection law and practices. The requirement to have “expert knowledge” is very vague, as there is no definition of the specific requirements proving such expert knowledge, such as specific prior education or years of experience in data protection. The ambiguity of this term allows institutions to appoint anyone to serve as a DPO simply to fulfil a legal obligation. This is also likely reflected in our finding that most of the DPOs were already working in their organization when they were appointed. For institutions, this must have been the easiest solution. By appointing someone within the organization to fulfil this legal request, they have fulfilled the formal requirement; however, our survey indicates that they may not have appointed the person with “expert knowledge”, or invested in the education of appointed DPOs, as most DPOs indicated they do not consider that they have sufficient knowledge in this area.
Our findings could imply that in Croatia, institutions did not efficiently use the available time from the April of 2016, when GDPR was officially announced, until the May of 2018, when GDPR came into force, to educate DPOs adequately (1).
Since they were appointed, most DPOs did not receive a single request for an opinion from citizens/respondents who wanted to exercise their rights under the GDPR or a single complaint regarding personal data processing. Few DPOs received research-related questions; however, participants who indicated that they work in research or educational institutions were a minority in our sample. Further studies are needed on DPOs appointed in institutions conducting research. However, even though our data were limited in this respect, they are in line with previously published data, indicating that significant aspects for data processing for scientific research purposes are not sufficiently recognized among research and academic institutions (4, 12, 13).
The majority of DPOs claimed that they were able to perform their DPO role independently. Furthermore, our survey indicated that most of the DPOs neither analysed personal data processing activities in their organization nor conducted or participated in a data protection impact assessment. To us, this indicates that most DPOs might not be fully aware of their responsibilities.
Our results also show DPO’s strong perception of workload increase, which came together with the introduction of GDPR. However, our survey did not go sufficiently into detail regarding this additional work. Since most participants indicated they did not conduct basic processes they were supposed to do, and the majority did not show basic knowledge about personal data protection, the additional workload may be associated with various aspects of their appointment.
While the participants recognized the need for additional education, this was also shown by their responses to our knowledge questions. Even though most DPOs correctly described differences between anonymization and pseudonymisation, there were still around forty percent of wrong and partially correct answers. When asked to select privacy policy items, just around twenty percent correctly chose all 10 items. That correlates with previously published assertions that DPOs positions are challenged with their insufficient knowledge of applying the GDPR (14).
Around one-third of DPOs responded that they have an ethics committee in their organization. Due to the anonymous nature of our study, we were unable to verify whether they indeed have or do not have such a committee in their institution. However, only a few among those DPOs received any request from their ethics committee, and the majority did not know whether they were sufficiently competent to answer potential questions of an ethics committee. A few DPOs were involved in institutional ethics committees, mostly as committee members or as administrative support. Since research usually involves many personal data protection issues, we can only hypothesize that researchers do not sufficiently recognize the importance of data protection, and this is why they seldom contact DPO or include a DPO in an ethics committee.
Our results clearly point to the need for continuous education of DPOs and a better definition of “expert knowledge” needed for a DPO appointment. We consider that our study indicates the need for some kind of standardization in DPO education. Some attempts in other EU countries to formally educate employees of public institutions were already reported (15).
In Croatia, as well as in the EU, many organizations offer courses for a “certified DPO”. Some of those organizations suggest that DPOs are obliged to get certification in relation to Article 42 of the GDPR. Such claims are false because the GDPR does not prescribe the certification of the DPOs nor individuals (16). The certification concept referred to in the Article 42 of the GDPR applies to services, products, and possibly to management systems, but not to individuals (17).
Some national data protection agencies (DPAs) have developed the certification schemes for DPOs. For example, French Data Protection Act provides French data protection authority (CNIL) the task of the certification for DPOs. The CNIL issued certification criteria including the list of 17 DPO skills and knowledge needed for certification, and accreditation criteria for certification bodies that would like to be accredited by the CNIL to certify skills and knowledge of DPOs in line with the criteria adopted by the CNIL (18). Another DPA which has developed certification scheme of DPOs is the Spanish data protection authority (19).
AZOP, the Croatian DPA, conducted online workshops for more than 1300 DPOs in the first four months of 2021, and the interest for this type of education increases continuously. Many of the questions DPOs ask during the workshops require basic knowledge of personal data protection, and one of the most frequently asked questions is how to certify for a DPO or does the DPO needs to be certified.
Although mandatory certification requirement for the appointment of DPOs is not prescribed by the GDPR, one option is the introduction of a voluntary certification procedure that will include standardized education by an institution such as AZOP. Our study showed that the DPOs recognize AZOP as one of the main information sources for questions related to data protection. Our study, thus, indicates that the DPOs are aware of the relevance of AZOP. Furthermore, once certified, DPOs need to be encouraged by their employers to engage in continuing education, as personal data protection issues keep evolving with the emergence of new technologies (20).
Personal data protection is considered an ethical issue (case in point: personal data protection is evaluated in European competitive research calls within the ethics evaluation); thus, we wanted to conduct the study in the Croatian setting that would be meaningful and would involve a large number of participants. That could be achieved only if we would target all DPOs registered in Croatia. In this study we did not focus exclusively on DPOs from research institutions or DPOs from biomedical research institutions because the number of public research institutions in the Republic of Croatia is relatively small, including just over 100 institutions. If we had targeted only research institutions with our anonymous survey, we would likely not have more than 20-30 persons in our survey, which would significantly diminish the value of our study. Furthermore, if we have decided to even further narrow down the sample and to include only those DPOs that work in the field of biomedicine, the impact of such research results would be negligible, as there are relatively few such institutions in Croatia. Due to a small number of such institutions, our survey should be considered a first step, that can help in designing future studies that will use different study design – for example qualitative studies, to gather more information on this topic from DPOs working in specific research fields.
The limitation of this study is a non-response bias, as 13% of the invited DPOs participated in the study. Furthermore, a potential limitation of the study is reliance on participants’ self-report and honesty. We had questions on knowledge, and it is possible that some of them searched for answers online or elsewhere.
In conclusion, most DPOs indicated that they had none or minimal prior experience in data protection when they were appointed as DPO, that they would benefit from further education on data protection, and exhibited insufficient knowledge on basic concepts of personal data protection. Voluntary certification of DPOS based on the standardized education, provided by the national data protection authorities, should be considered. Continuing education of DPOs needs to be encouraged. Reasons for minimal involvement of DPOs in the work of institutional ethics committees should be further explored in future studies.