Q2. What is the prominent case-in-point in the US?
Countries are frequently criticised for only passing laws to protect privacy without also creating implementation machinery that gives the law force through the institutional machinery by means of which compliance, good practice, and other requisites can be encouraged or required; the US is the most prominent case-in-point.
Q3. What is the popular method of acquiring knowledge?
Formal training was also among the popular options, and the respondents mentioned a range of other methods as well; for example:
• individual self-development, such as reading professional literature or taking courses;
• learning while doing, i.e., acquiring the necessary knowledge on the job;
• organising in-house informal training sessions;
• asking or accepting assistance from the business or the academic community;
• exchange of experience and expertise with other DPAs;
• participation in research projects at the intersection of data protection and technology.
Q4. What was the common opinion among DPAs?
The survey found that the predominant opinion among DPAs was in favour of developing the necessary information technology expertise in the framework of their organisations and only a few DPAs thought that relying on the expertise of external ICT professionals was a better solution (Fig. 6).
Q5. How many DPAs evaluated the proportion of their staff as satisfactory?
In the 11-25% category about the same number of organisations evaluated this proportion as satisfactory and unsatisfactory, evenly distributed on the scale of the DPAs’ size.
Q6. What was the percentage of DPAs that preferred in-house development of expertise?
Among those that preferred in-house developing of expertise and explained their choice, the following reasons deserve noting:
• in the field of privacy and data protection, IT professionals need special knowledge, not only in legal terms but also in the technologies of processing personal data, and such a knowledge can be developed to the required level within DPAs and more easily in the course of practical audits of data controllers;
• ICT expertise has to be continuously available in-house, not only when a specific case makes it necessary;
• DPAs have to be proactive, conducting preliminary audits and evaluating privacy and data protection impact assessments of new data controlling operations, and since such operations are based almost entirely on new data processing technologies, these investigations also need the participation of ICT experts (one organisation noted that independence and impartiality can only be ensured if the experts represent the DPA itself;
(1) frequently, (2) sometimes, (3) almost never, the majority of the audience voted for option 2.
Q7. What was the purpose of the survey?
The survey was organised to coincide with a public panel discussion on DPAs’ understanding of ICT that was chaired and moderated by the authors in the Computers, Privacy and Data Protection (CPDP) conference held in Brussels in January 2016.
Q8. Why did two of the panellists think they were better placed than the others?
In the opinion of two of the panellists, this was due to a psychological characteristic of the institutions: they see themselves in a better position than that of ‘the others’.