With the General Data Protection Regulation only some days away, it’s not just companies upgrading their privacy management systems – also the Data Protection Authorities are preparing to meet their increased obligations under the new law.
More than a year ago, Prof. Dr. Alexander Roßnagel prepared an expert opinion on the additional workload caused by the GDPR for the German state DPAs (in German): http://suche.transparenz.hamburg.de/dataset/gutachten-zum-zusaetzlichen-arbeitsaufwand-fuer-die-aufsichtsbehoerden-der-laender-durch-d-2017. (in German)
He estimated that each DPA would need in addition to its current staff 12-19 lawyers, 4-5 IT experts, 2 educational and 6 administrative roles. – At the beginning fo 2017, the planned staff increase fell far short of this (49 for the federal DPA, 8 and below for the different states were planned as new positions for 2017). It’s also interesting that he didn’t list separate categories for “privacy managers” or “auditors”. http://www.heise.de/newsticker/meldung/Datenschutzgrundverordnung-bringt-Datenschutzaufsicht-an-Belastungsgrenze-3633498.html
The mechanisms for mutual cooperation between the European DPAs are new and quite complex (Art. 60 – 62), especially as communcations might take place in a variety of languages. Also the consistency mechanism (Art. 63 – 66) might turn out to be quite demanding. – In situations in which the One-Stop-Shop (OSS) approach cannot be applied, the DPAs will first have to jointly determine their respective responsibilities. It will be very interesting to see how these mechanisms will work out.