Post-GDPR survey of data protection officers in research and non-research institutions in Croatia: a cross-sectional study

Introduction: General Data Protection Regulation (GDPR) focuses on important elements of data ethics, including protecting people's privacy, accountability and transparency. According to the GDPR, certain public institutions are obliged to appoint a Data Protection Officer (DPO). However, there is little publicly available data from national EU surveys on DPOs. This study aimed to examine the scope of work, type of work, and education of DPOs in institutions in Croatia. Materials and methods: During 2020-2021, this cross-sectional study surveyed DPOs appointed in Croatia. The survey had 35 items. The questions referred to their appointment, work methods, number and type of cases handled by DPOs, the sources of information they use, their experience and education, level of work independence, contacts with ethics committees, problems experienced, knowledge, suggestions for improvement of their work, changes caused by the GDPR, and sociodemographic information. Results: Out of 5671 invited DPOs, 732 (13%) participated in the study. The majority (91%) indicated that they could perform their job independently; they did not have prior experience in data protection before being appointed as DPOs (54%) and that they need additional education in data protection (82%). Conclusions: Most DPOs indicated that they had none or minimal prior experience in data protection when they were appointed as DPO, that they would benefit from further education on data protection, and exhibited insufficient knowledge on basic concepts of personal data protection. Requirements for DPO appointments should be clarified; mandatory education and certification of DPOs could be introduced and DPOs encouraged to engage in continuous education.