If you’ve been keeping up with the news over the last few months, you have likely heard the terms ‘recession’, ‘energy crisis’ and ‘cost of living increase’, so it is quite possible that we may be heading for an economic downturn. With a bleak winter ahead, companies need to understand the potential impact and reduce costs to ensure they survive the economic uncertainty.
Data protection and customers’ privacy should always be at the forefront of your organisation’s priorities, even in an economic slowdown. Paragraph 6 of Article 37 of the GDPR states that an organisation can appoint a staff member to be their designated Data Protection Officer (DPO), or they can outsource the role. This then poses the question, is outsourcing the right option for your business?
In this blog we summarise a few key considerations when deciding to outsource or not.
Outsourcing allows for greater flexibility, certainly for organisations that do not require a full-time DPO and perhaps require only a few days of support per month, which is almost impossible to recruit for. Most outsourcing arrangements enable you to invest the exact level of resource you require, allowing you to focus your internal resource elsewhere. It also offers the flexibility to increase or decrease support to align with your budget and business requirements.
Article 38 of the GDPR sets out that DPOs must act in an independent manner. Business owners cannot instruct the DPO how to perform their role, or penalise them for performing their tasks, even when it may be to the detriment of the business.
The independence of the DPO is extremely important when complying with your data protection obligations. The advice they provide may conflict with the commercial objectives of the business, such as electronic marketing considerations, notifying the regulator of a personal data breach or appropriately responding to a Data Subject Access Request (DSAR). It is therefore vital that the DPO’s view remains independent and balances the requirements of the law with the needs and rights of data subjects (i.e. your customers, suppliers and employees etc). Therefore, an independent voice is essential for ensuring that the proper checks and balances remain in place.
This means that executives who make key decisions within a business (i.e. the CEO, COO, Head of Marketing, Head of IT etc.), or other individuals who determine key processing activities, cannot be appointed as the in-house DPO, as their role requires that they act in the best interests of the organisation, and therefore not necessarily the best interests of the data subject.
Equally, an organisation’s legal counsel may also be conflicted in situations where they are acting on your organisation’s behalf in a matter involving a data subject.
Unlike other professions, there is, as yet, no official qualification that certifies someone to fulfil the role of DPO. The GDPR states that an organisation’s choice of appointment into the role should be based on “professional qualities and, in particular, expert knowledge of data protection law”. In many cases, outsourcing the role of the DPO to a specialist organisation will give you greater insight and access to a wider pool of knowledge than a single DPO.
The knowledge and technical know-how required to accurately apply the varied, and often competing requirements of multiple jurisdictions’ data protection laws, coupled with sector-specific expertise, is hard to find in a single DPO. Outsourcing, however, means that you don’t have to rely on one person knowing it all. By outsourcing to a team of data protection specialists, you benefit not only from your designated DPO’s expertise, but also the pool of knowledge and experience from their wider team. This means that whatever data protection related quandary you may face, the ability to draw upon the knowledge base of this team means you are likely to receive a more considered and rounded response, regardless of sector or jurisdiction. Though of course, the larger the team, the more likely they are to possess the requisite knowledge.
As we all know, during a downturn, money can become tight and it can become harder to make ends meet. If revenue is impacted, a reduction in overheads is a key benefit in an outsourcing decision. Outsourcing your DPO service can be highly cost-effective. Whilst the cost per day of an outsourced DPO is higher than you would expect to pay an employee per day, you avoid all the additional costs and distractions that come with recruiting and onboarding an employee, the senior management time needed to manage, monitor and motivate them, and the cost of training, benefits packages, absences, holidays and sick leave. What’s more, if your provider’s team is of a sufficient size, continuity of service can be guaranteed, as an alternative member of the team can step in, should your current DPO ever be unavailable or move on.
In an ever-changing economy, aside from the benefits outlined above, outsourcing can create financial flexibility and maximise a business’s efficiency, output and return on investment. Recessions and times of uncertainty require organisations to think differently and implement effective change. By outsourcing your data protection services to the right team, you will benefit from the knowledge and shared best practice of a large team of data protection professionals, whilst also saving the time and overheads associated with in-house employment.