Unlike other departmental roles, a DPO does not fit neatly within an organisation’s structure, often further complicating an already challenging role.
We have worked within the cyber security industry for 18 years and have seen how data protection has developed, witnessing how these problems have affected the DPOs we work with. Working with our partner Varonis, we have created a list of the top 5 challenges we see Data Protection Officers face in 2022.
1) The Siloed Approach to Departments
We use the term ‘cyber security void’ when referring to the siloed approach in organisations, and data protection unfortunately falls within this void. Because of how organisations are structured, each department usually has its own responsibilities, expectations and goals. Within this void, investment opportunities are wasted, and visibility and assurance over security protocols are lacking. Instead, complacency and risk are highly prevalent, leading to gaps and windows of opportunity for data breaches. To overcome the silo effect, a comprehensive level of communication between departments and an overall strategy, agreed by all, is needed.
2) A Broad Remit
Compounding the siloed approach, a data protection officer’s role covers tasks affecting multiple departments. This can often lead to strained relationships with other leadership members, as their policies and procedures may be insufficient, causing further disruption to the DPO’s role.
DPOs must deal with internal matters (e.g., awareness training) but also external factors such as regulatory compliance and access requests. The role is often under-resourced, and most DPOs work without their own team. With limited resources, it is often hard for DPOs to know where to prioritise their time. The number one incident reported to the ICO is misdirected emails sent by employees. Some make the mistake of believing that external factors should be the number one priority. As this statistic suggests, this is not always the case and depends on the organisation.
3) Lack of Visibility and Accountability
The DPOs we work with talked about how they used to struggle with the limited tools available to them. Without the right tools, it is hard to enforce new policies and to have full visibility over your organisation’s data, and this affected the level of control they had in their role. One element that is important for DPOs to remember is that IT managers do not always know where all data is stored. They know exactly where data should be, but gaps can be found in technology and procedures. Without overall visibility, it is hard to detect and resolve these issues.
4) Shared Responsibility
Since the pandemic, home working has meant the perimeter of a network has extended, which in itself has brought many challenges to DPOs. On average, a company has access to 187 cloud applications, and it is possible for some form of sensitive data to be stored on each one. Another worrying statistic found by Varonis is that 44% of cloud user privileges are misconfigured, heightening the risk of a data breach.
Shared responsibility is difficult when it comes to cloud services: customer data, access management, network configurations and similar areas remain the organisation’s responsibility, not the provider’s. With the number of supply chain attacks that have taken place over the last few years, it is key to have measures in place to control these services.
5) Beyond Compliance
Just because an organisation is compliant, it does not mean it is secure. We are starting to see a shift in attitude and focus regarding this issue, but there is still a lot that needs to be improved in this area. To move towards securing all your organisation’s data, the 4 challenges above must be successfully addressed first.
If you are interested in learning more about the challenges we see DPOs face and how to overcome them, watch ‘The Key to Overcoming Challenging Data Protection Pitfalls’, the webinar we hosted with Varonis. Our partner, Varonis, is an industry leader in data protection, helping organisations classify and monitor all data within a business, whether on-prem or in the cloud.
If you have any further questions regarding data protection, please get in contact through our live chat or by calling 01423 425 498.