What keeps a DPO awake at night?

November 2022

A scary collection of Data Protection Officer nightmares

For DPOs the stuff of nightmares doesn’t involve monsters, falling off a cliff or being naked in a job interview. In fact, that’s small beer compared to their true nightmares: Data Transfer Impact Assessments and people in snazzy ICO enforcement jackets knocking on the office door.

No, being a DPO isn’t for the faint-hearted. It’s a perilous existence where hardy souls must navigate a hostile wilderness of data protection hazards.

It’s an ever-changing wilderness, too. Just when you’ve frightened away one data protection predator, another pops up from nowhere to take its place. And remember, this must be achieved in a ruthless economic climate where every penny counts.

So, what’s the really scary stuff? The scariest of the slithery data protection monsters hiding in the semi-opened cupboard? I asked a few friendly Data Protection Officers: ‘What keeps you awake at night?’

Seven chilling privacy nightmares

1. Fear of the unknown – DPO, education sector

Being worried about what staff in my organisation are doing with personal data that I know nothing about (which they know they probably shouldn’t be doing). Another big nightmare at the moment is trying to unravel the intricacies of IDTAs and SCCs for both the UK and EU whilst factoring in other international data protection regimes that my organisation is subject to by virtue of their extraterritorial scope – I see you, China! And a general worry that I’m going to miss, and therefore not mitigate, a risk. The pressure of being seen as the person with all the answers and ultimately the one responsible (or who will be blamed) if anything goes wrong is not the stuff of dreams.

2. The recurring nightmare of data flowing overseas – Director of Privacy, financial sector

What keeps me awake at night? Mapping international data flows. What sends me to sleep… counting DTIAs!

3. Drowning in a sea of paperwork – DPO, publishing sector

Keeping track of changing processing activities in a large organisation without blocking progress by over-administration. Plus ensuring appropriate documentation of the growing share of online Data Processing Agreements concluded with large suppliers (like pre-signed downloadable SCCs from Google, Meta …)

4. Encircled by continually moving parts – DPO, charity sector

Facing our third legislative change in 5 years and the on/off nature of what that may be. The ability to keep on top of the “what, when, how, and why” of the technical changes – horizon scanning versus meeting current needs and the complexities of planning to implement uncertain changes with limited resources. All whilst maintaining consistency and expertise in the advice and guidance so staff make appropriate decisions in the here and now. A productive, pragmatic, commercially minded, problem solving attitude to data protection is enough to keep anyone awake at night, without factoring in constantly moving legislative goalposts.

5. Hounded by familiar, but angry faces – DPO, hospitality sector

Employee-related Data Subject Access Requests. We’re not a big business, we don’t get many DSARs, and we don’t have the fancy technology. But lay-offs this year have led to a persistent stream of DSARs. As soon as one is nearly cleared, another one drops (it’s as if they’re planning it!). Despite support from HR, the requests are ultimately my responsibility to handle. I don’t have a team to support me, nor on-tap internal legal support. Sometimes there is no assuaging people, and yes, we have heard from the ICO after someone complained to them about our response. I often press send, and lie awake praying we didn’t disclose something we shouldn’t have, or missed something we should.

Not all DPOs lie awake at night. In fact, some hit the hay and are out like a light. But what are their daytime nightmares made of?

6. Being held to ransom – Matthew Kay, DPO, Metro Bank

When I was first asked to write this my opening thought was, with being quite a deep sleeper, that it takes quite a lot to keep me awake! Quickly realising this wasn’t what DPN was after, I came to the conclusion that the data protection challenges I’m currently worrying about centre around two things. First is the enhanced threat resulting from the war in Ukraine, and ensuring appropriate technical measures are in place to see off any potential cyber-attacks, and second is closely monitoring the perceived increase of inside threat to organisations, resulting from the cost of living crisis.

7. Encircled by ICO enforcement jackets – Michael Bond, Group DPO, News UK

As a father of two young boys, not much keeps me up at night beyond about 8.30pm! But as I settle under the covers and wait for sleep, let me envisage my worst nightmare instead. It’s a quiet Friday afternoon and with one eye on the clock, a phone call comes in:

“Hello, it’s the ICO. Did you know that large volumes of personal data originating from your brands are now publicly available online for all to see?”

… a long pause. The case officer goes on:

“Yes, the data looks to be a mix of hundreds of thousands of customer profiles, as well as what appears to be employee personnel files”.

As a bead of cold sweat rolls down my neck, the ICO case officer asks me:

“Why haven’t you notified us about this incident? It’s very serious, as I am sure you’re aware and we’re going to have to take immediate action; enforcement officers are on their way…”

I wake, startled. Phew. Don’t worry, just a dream… *the phone rings – caller ID – Wilmslow*


I’ll leave you with one final, spine-chilling thought. A new type of cosmic privacy horror. I’ve heard rumours a social media platform, one with a controversial new proprietor, could have a potential vacancy for a new…

…Data Protection Officer.