Pay for the position of the Data Protection Commissioner should be hiked to more than €185,000 per year, a review has found.
An external audit into the resource allocation at the DPC, which oversees European data compliance at some of the largest companies in the world, also found that staff within the organisation feel its model “may no longer be fit for purpose”.
It recommends a review of pay grades at the DPC, with the Commissioner to be paid at a level equivalent to the deputy secretary general of a Government department. The salary for this post is €187,578, compared to the existing grade paid out to the commissioner, which is equivalent to an assistant secretary, who is paid between €145,283 and €166,194.
The review, undertaken by consultancy firm Kosi, found that the salary grading structure for the DPC has been in place since the first data protection legislation was introduced in Ireland in 1988, over which period the scale and responsibilities of the body have expanded significantly.
“The changed remit of the DPC from a small domestic regulator to its current leading European role under the GDPR has not been reflected in the organisational structure of the DPC,” the audit, which was published last Friday, found.
It recommends a review of pay grades at the DPC, with the Commissioner to be paid at a level equivalent to the deputy secretary general of a Government department. The salary for this post is €176,435, compared to the existing grade paid out to the commissioner, which is equivalent to an assistant secretary, who is paid between €136,652 and €156,323.
Top-level employees
When compared with five other State bodies with broadly similar functions – including the C&AG and ComReg – it found that top-level employees and the second tier of officials in the DPC were paid at the lowest level compared to the other bodies.
“Comparative evidence from other regulatory bodies in Ireland, the growth of the Commissioner role in DPC, the growth of DPC as an organisation and competency assessment indicates that the post of Commissioner should be at a level equivalent to at least Deputy Secretary General,” it found.
The review also flagged feedback from officials in the DPC who indicated a “strong sentiment within the organisation that the organisational model that has evolved has resulted in overload of senior posts that risk non-delivery” of its priorities, and that the “capacity for strategic management has been diminished”.
It also finds that the organisation itself is concerned about damage to its reputation associated with the time required to complete investigations, something which has been criticised by advocacy groups and campaigners around Europe.
The report raised a range of concerns about the organisational structures within the DPC, whose budget was increased to €22.23 million in Budget 2022.
Senior staff, it found, are carrying out duties which “are more appropriately carried out at a delegated level”. It found that the finance function within the DPC should be promoted, and a senior official be appointed to oversee it. Among the structural changes recommended were the filling of three new senior positions below the level of the DPC, and above the seven deputy commissioners currently employed.
It also flags that the DPC could pursue “alternative resourcing strategies” to drive down the number of open cases and to reduce waiting times, suggesting this could be done by outsourcing some areas.
Information rights and privacy campaigners said the audit "highlights critical problems" at the DPC. Antoin O Lachtnain, a spokesman for advocacy group Digital Rights Ireland (DRI), said it found problems with IT systems, management and a "failure to address the fundamental change in the Commission's role since 2016."
However, he said the solutions proposed were half-hearted, including salary increases which he said “will not do anything to improve resource allocation”.
“The DPC needs new Commissioners, with international, legal and technical experience and expertise to fulfil its role as the leading European and global regulator of privacy and data protection,” he said.