According to the CBI, “recent job advertisements typically show that a qualified DPO in the South-East of England could earn anything between £30,000 and £75,000 per annum.” That’s a pretty large spread. And I happen to know a number of people who are earning well in excess of that upper figure.
This amount is important because the Ministry of Justice has recently been working out what additional costs might be incurred on British businesses if all enterprises that employed more than 250 employees had to have one. The results of this research were published in its “Summary of Responses on the Call for Evidence on the Proposed EU Data Protection Legislative Framework,” published on 28 June 2012.
First off, then, how many large companies are there? No one is precisely sure, as statistics aren’t kept centrally. What is known is that in 2010/11, around 5,900 data controllers notified the ICO as large organisations (i.e. over 250 employees and have a turnover of over £25.9m employees).
But what do we really know about the number of people who currently are data protection officers? If the ICO’s applications to attend its annual conference indicate anything, there at least 1,000 who are sufficiently keen to travel to Manchester every year for some free continuing professional education. But are there really significantly more than that?
The best guess of the MoJ, ticked away in paragraph 39 of Annex A of the document, is that some 50% of organisations already have someone undertaking the role of a DPO, even though their job title may not accurately reflect that. So, even if this guess is correct (and personally I think it’s a bit optimistic) there must be a need for quite a few more, and pretty soon, if the European Commission’s proposal to mandate a DPO goes ahead. On the basis that the cost of employing a data protection officer is £50,000 a year, the MoJ calculates that the additional cost will be £147m per year. These costs are far higher than the Commission’s estimated costs to businesses of around €320m per year across all Member States.
The MoJ also suggests that “the costs are likely to be greater for small public bodies (such as arms-length bodies) and small firms who undertake large amounts of data processing, such as hi-tech start-ups and medical research organisations, where the annual cost of £50,000 would be a considerable burden.”
This is one of the reasons why the MoJ is not supporting the Commission’s proposal. But, lots more companies are likely to be sufficiently concerned at their current state of data protection compliance to want to invest in additional help, once its clear where this help might be coming from.
My advice to current Data Protection Officers is not to retire just yet. Instead, be prepared to accept a portfolio of data protection responsibilities – and be glad that you’ve got the formal qualifications that will push your CV to the top of the pile when worried HR Directorates sift through the piles of papers from experienced professionals who want to carry on working until they drop dead with exhaustion.
Source:
The CBI's statistic appears in paragraph 41 of Annex A.
.