Whilst the role of the Data Protection Officer (DPO) has been around since the 1990s, the GDPR represents the first time that appointing a DPO has been mandated by law. As a result, reports written at the time of the GDPR’s introduction indicated that around 75,000 DPOs would be required worldwide, 28,000 of those in the US, to service all of the organisations that now required a DPO to comply with the GDPR. In 2019, it was estimated that 500,000 organisations in the EU had a registered DPO; that number is likely to have increased significantly since then as more organisations work towards compliance.
Under Article 37 GDPR, organisations are required to appoint a DPO if:
However, many organisations that are not strictly required by law to appoint a DPO often do so anyway, to build and monitor their compliance framework (a series of policies, procedures, action plans etc. detailing an organisation’s compliance with any relevant laws, Codes of Practice etc.) and aid compliance with their data protection obligations.
Interestingly, paragraph 6 of Article 37 states that an organisation can appoint a staff member to be their designated DPO, or it can contract out the position. This leads to the question: outsource or in-house – which is best?
Our answer? Outsource, and here’s why.
Pool of expertise
Whilst, unlike other similar professions, there is no one qualification that all DPOs must have, the GDPR states that an organisation’s choice of appointment into the role should be based on “professional qualities and, in particular, expert knowledge of data protection law” (any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction, as amended, consolidated or re-enacted from time to time, that relates to the protection of individuals with regards to the processing of personal data).
Data protection law is complex, and it is almost impossible for one individual to have expert knowledge on everything from data subject rights (under UK and EU data protection regulation, data subjects have a number of rights available to them, including the right to be informed, access, rectification, erasure, restriction of processing, data portability, the right to object, and further rights in relation to automated decision making and profiling) to international data transfers, to the application of appropriate technical and organisational security measures. Moreover, there are significant sector nuances (derived both from the GDPR itself and the range of other sector-specific rules and regulations out there) that mean a “data protection expert” will not always be an expert in your sector. In addition, the global nature of business and data flows means that organisations often have to comply with, and therefore their DPO must understand, multiple jurisdictions’ data protection regulations.
In summary, the knowledge and technical know-how required to accurately apply the varied, and often competing, requirements of multiple jurisdictions’ data protection laws, coupled with sector-specific expertise, is hard to find in one DPO. Outsourcing, however, means that you don’t have to rely on one person knowing it all. By outsourcing to a provider for which data protection is their “thing”, you benefit not only from your designated DPO and their expertise but also from a pool of other DPOs’ knowledge and experience. This means that whatever data protection related quandary you face, by being able to draw upon the knowledge base of a whole team of DPOs, you are likely to be able to find an answer, regardless of sector or jurisdiction. Of course, the larger the team, the more likely it is to possess the requisite knowledge.
Conflicts of Interest
A key requirement of the GDPR, set out in Article 38, is that DPOs must act in an independent manner. Controllers cannot tell them how to do their job, or otherwise penalise them for performing their tasks, even when it may be to the detriment of the controller.
The independence of the DPO is extremely important, as complying with your data protection obligations will often conflict with other commercial objectives, having to gain consent (an unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed) for B2C marketing being a prime example. Therefore, an independent voice is essential for ensuring that the proper checks and balances are in place.
The Article 29 Data Protection Working Party (now called the EDPB) stated that “DPOs cannot hold a position within the organisation that leads him/her to determine the purposes and means of the processing of personal data” (information which relates to an identified or identifiable natural person). This means that those who make key decisions within a business – senior management (for example, the CEO, COO, Head of Marketing, Head of IT etc.), or other individuals who determine key processing activities – cannot be appointed as the in-house DPO.
Another key point to consider is that an organisation’s legal counsel will in many cases be deemed to have a conflict of interest and therefore should not be appointed as DPO. Whilst an individual with legal experience is the ideal DPO candidate, if they are acting on your behalf, representing your interests as your legal counsel, they cannot be considered independent.
Outsourcing your DPO removes this issue, and makes it extremely easy to demonstrate to the public, other organisations and regulators alike that you are fulfilling your Article 38 obligations.
Cost-effectiveness
A final point to note is that outsourcing your DPO is extremely cost-effective. By outsourcing the role, you avoid all the additional costs and hassle that come with recruiting and then employing a member of staff, never needing to meet the cost of ongoing training, benefits packages, absence, holidays or sickness.
In addition, you only pay for the time you need. For many SMEs, the role of the DPO is often not a full-time role, perhaps only requiring a few days a month of work, which is almost impossible to hire in for. When outsourcing, you can invest in the exact level of resource you require and, crucially, if you need more (for example, because you experience a breach that requires significant mitigation or receive a complex Data Subject Access Request: a verbal or written request made by a data subject to access their data, in a portable format if requested, to be informed about how it is used, to have their data modified if it is incorrect, or to have it deleted) you simply pay for more – problem solved.
Conclusion
In summary, there are several benefits to outsourcing your DPO compared to hiring in-house. By outsourcing your DPO, you benefit from the knowledge and shared best practice of a whole team of data protection professionals, whilst also saving the time and money associated with in-house employment.
Why should you outsource to The DPO Centre?
Our Data Protection Services provide you with a highly experienced Data Protection Officer (DPO) from our large team, who works onsite or remotely as an integral member of your team.
You will benefit from knowledgeable, hands-on data protection professionals who undertake the DPO’s responsibilities in an extremely cost-effective way, backed by the support, shared best practice and model documentation developed from The DPO Centre’s experience of working with over 500 organisations.