We should, but we also need to have the people as the GDPR requires. The people who are in the position to do the PIAs, the privacy officers, must be independent within the organization and speak directly to the highest level of executive in that organization.
Now they are underlings. Even when they are lawyers who do the privacy work, a lot of our members who are the access and privacy people in the organization have to report to a very lengthy chain of command within the organization very often, and they don't have much say. They have very little authority. That has to be changed.