The May 2018 deadline for full GDPR compliance will be upon us all before we know it. The GDPR will affect all organizations—regardless of their location—that handle personal data coming out of the EU. Article 37 of the GDPR requires organizations to retain a data protection officer (DPO) if, among other reasons, the organization’s core activities require “regular and systematic monitoring” of personal data on a “large scale.”
Article 39 of the GDPR requires a DPO to monitor an organization’s compliance with the GDPR and its own internal policies to ensure the proper care and use of personal data. To do so, DPOs must remain current regarding data protection laws and practices, conduct internal privacy assessments, and ensure that an organization’s data compliance matters are up-to-date.
Given the number of positions that need to be filled and a global skills shortage, time is starting to run short. According to the International Association of Privacy Professionals (IAPP):
“…once the GDPR takes effect, at least 28,000 DPOs will be needed in Europe and the United States alone. Applying a similar methodology, we now estimate that as many as 75,000 DPO positions will be created in response to the GDPR around the globe.”
All-encompassing DPO Responsibilities
A typical DPO will need to be able to address the following areas of data privacy and data security:
- Data retention
- Data anonymization and pseudonymization
- Security risk assessment of current business practices involving personal data
- Privacy impact assessment of new products, platforms, services or processes, vendor assessments and audits
- IoT and breach management
The same IAPP article says:
“A single DPO may represent a group of undertakings or multiple public authorities or bodies. The GDPR requires a DPO to be ‘designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices’ and the ability to fulfill the tasks designated under Article 39. These tasks involve regulatory compliance, training staff on proper data handling, and coordinating with the supervisory authority, with an ability to understand and balance data processing risks.”
Misleading Number of Advertised Positions
Being curious about this enforceable GDPR requirement, Imperva conducted a cursory survey of IT security professionals at the recent Infosecurity Europe event. Of the 310 respondents, 79% acknowledged that their organization is already preparing to meet the GDPR, and 67% already had a DPO on staff.
But what about the 21% of organizations that aren’t presently working toward GDPR compliance, and the 22% that haven’t yet hired a DPO? It was eye-opening to learn that 52% weren’t planning on hiring a DPO until the second half of 2018 or beyond—after GDPR enforcement commences.
Research into GDPR Job Listings
That surprising data aside, Imperva decided to investigate online job listings as organizations worldwide seek to name a designated DPO. We learned that DPOs aren’t the only GDPR-related position that organizations are looking to fill.
Here are some key findings from our research:
- There will be a growing demand to fill DPO openings, especially contract positions.
- In our analysis of a prefiltered subset of over 18K Indeed.com job postings from 32 countries, nearly 5.8K matched the search terms GDPR, DPO, data protection or data privacy.
- In second place behind the UK, the US has the most job listings—ahead of all European countries.
- DPO recruitment will likely accelerate later this year and on into next as the enforcement deadline fast approaches.
- There is a growing expectation that IT and business staff will take on increased data privacy and protection responsibilities; this is especially true for big data positions. For example, one European data scientist at Amgen—whose primary responsibility is clinical studies—is also expected to be “assessing, developing and executing data privacy compliance programs.”
- With the focus on hiring information security, compliance and IT staff to support the GDPR regulation, technology capabilities—such as data and records management, process automation and impact assessment tools—become essential to achieving compliance.
- Our survey revealed that 55% of respondents expect AI or machine learning solutions to bolster DPO efforts, although they don’t foresee this happening until three to five years from now.
GDPR Salaries and Demand Growth
Due to the impending regulatory enforcement, there will be high demand and corresponding salaries associated with GDPR jobs. For example, the UK IT Jobs watch list (Figure 1) shows percentile ranges coupled with salaries that can approach £100K (nearly $130K USD). A related IAPP survey shows a global annual median salary of $106,500.
Figure 1: GDPR-related salaries in the UK
Figure 2 shows that GDPR-related job demand in the UK has grown from zero in 2015 to over 300 this year, while Figure 3 shows the rise in GDPR-related job listings as a percentage of all advertised IT positions. Organizations are quickly looking to fill their requirement with contract jobs/consultants, with UK salaries on the rise.
Figure 2: GDPR-related job vacancies in the UK
Figure 3: Postings citing GDPR as a percentage of all advertised IT positions (permanent and contract)
The following map shows where the GDPR-specific job openings are located. (The locations in light blue had data privacy or data protection as an ancillary requirement; they didn’t specifically cite DPO or GDPR.)
Interactive, GDPR-specific job openings map. 
The UK leads the list of countries posting GDPR-specific jobs. At roughly 1/4th of those listings, it’s followed by the US with the second-most listings (Figure 4).
Figure 4: Top countries posting GDPR-specific jobs (breakdown of 455 job postings, purple dots on the map above).
Roles, Descriptions and Certifications
Of the nearly 5.8K Indeed.com openings we analyzed, fewer than 300 cited DPO as the primary role. All others can be termed supporting positions—for example a legal counsel or IT pro who will be responsible for data privacy and GDPR, in addition to other duties (Figure 5).
Figure 5: Job roles distribution
We then used text analytics to get an overall perspective of the 455 GDPR-specific jobs. Shown in Figure 6, high-ranking counts of word groupings (n) let us create the following bigrams and trigrams (n-grams for n=2 and n=3, respectively). Both aided us in our statistical analysis as we examined keywords used in the job postings.
Figure 6: Word count analysis.
Our study then looked at certifications cited in the Indeed.com postings (Figure 7). Here, relevant certifications are issued by (ISC)², ISACA, and the IAPP. But while the latter is the largest international privacy organization, there is no official GDPR or DPO certification. This could make it difficult for hiring companies and job seekers to identify the “right” or “best” certification to target in relation to filling a DPO position.
Figure 7: Specified certifications in job listings
Desired Skill Sets
Next, we looked at specified tools, database knowledge and programming languages. Somewhat surprisingly, Microsoft Excel topped the list (Figure 8). Among databases and programming languages, Hadoop and Scala are cited, clearly the domain of big data and data science pros.
Figure 8: Specified skill sets
One UK ManpowerGroup report points to GDPR as driving big data jobs. Our analysis suggests that such skill set demand is coming from a privacy by design objective, with responsibilities including GDPR compliance support.
What GDPR Compliance Means to You
Where does your organization stand with respect to GDPR compliance? Whether you’re on the inside, looking to hire a DPO, or are on the outside seeking a DPO position, this job analysis should provide you with good insights about factors and timing in addressing the GDPR challenge.
While it’s expensive to hire GDPR and DPO professionals, organizations need to budget accordingly for it. In addition, certain technologies can help you address the GDPR business need—delivering benefits in relation to data security, process efficiencies, records management and risk assessment.
 We created the interactive, GDPR-specific job openings map using the open source Leaflet for R package that uses the public OpenStreetMap GIS initiative.
 In our study we used the R™ text mining package to create a text corpus and a document-term matrix. From counts of the high ranking words, we were able to derive the bigrams and trigrams.