Should you outsource your Data Protection Officer (DPO)?
Appoint internally or outsource your DPO?
If you’re required by law to designate a Data Protection Officer, then we guarantee you’ve thought about whether to appoint internally or whether to outsource your DPO. The truth is, there are advantages and disadvantages to both.
As an outsourced DPO services provider, we see it from both sides. Many organisations come to us with a lack of resources and time to dedicate to their data protection obligations and seek outsourced services, particularly when it comes to small businesses or startups (read our 8 Tips on data protection for startups here). But we also support in-house DPOs who often need a second opinion, extra resources or need help because they have another role as well.
Marco Fiori, Managing Director of Bamboo PR, experienced these challenges:
“It became apparent mid-way through the year that our efforts to comply with GDPR were becoming trickier to do in-house due to resources and time. GDPR is as overwhelming as it is complex to anyone who isn’t versed in that subject. I knew we needed assistance to ensure our team is supported in their efforts, and equally, to provide the best service for our clients.” You can read the full outsourced data protection officer case study for Bamboo PR here.
In this post, we set out some key advantages to both options, based on feedback we get from clients. Whether outsourced or in-sourced, a DPO can help to drive positive change within an organisation.
In-house data protection officer
The first consideration when appointing someone from within your organisation is whether you have a suitable candidate. The regulation stipulates that the DPO:
- Must have expert knowledge of data protection law – read the latest on the new code of practice for data sharing here.
- Must have the ability (and capacity) to fulfill all of the tasks required by the role
- Must perform their tasks and duties in an independent manner
- Must only fulfill other tasks and duties if these don’t result in a conflict of interests (such as determining the purposes and means of processing, or managing competing objectives where business interests may take precedence over data protection)
If you don’t already employ somebody suitably educated, available, independent, and able to prioritise data protection over your business interests (it really stipulates this), then your options are to hire a new employee or outsource the role to an external consultant. However, if you do have someone who meets the criteria then there are good reasons to keep the position in-house.
This individual will have a more intricate understanding of your organisation than an external specialist, and will therefore be able to balance, but prioritise, data protection risks against business objectives with increased levels of scrutiny and analysis, consequently resulting in decisions borne out of deeper consideration.
They will also be able to monitor compliance more closely, identifying risks at an earlier stage and subsequently introducing processes for mitigating those risks. A good example would be employee GDPR awareness training, where an in-house DPO would be afforded a far more accurate picture of potential shortcomings emanating within the workforce than an external consultant would.
The DPO also needs to report to the highest level of management within your organisation, so appointing an employee will likely cement the structure more effectively into your organisational chart, ensuring that data protection remains an ongoing consideration at the board level. We have plenty of resources to support in-house DPOs, so visit our resources page to download some free content.
Outsource your DPO
The hyperbole around GDPR back in May 2018 led to many fly-by-night experts riding the fear and consumption wave into becoming trusted advisers at unsuspecting businesses, so it’s important to caveat this section by making clear that any reference to external consultants will only include reputable firms (of which there are many).
Expert knowledge & advice: When using one of these consultancy firms, you can be confident that you’ve got direct access to the ‘expert knowledge of data protection law’ required by the GDPR. In fact, the more credible firms will most likely have lawyers on their team as well as operational specialists. This helps guarantee access to adequately knowledgeable subject matter experts that understand the complexities of not just the GDPR, but also the UK Data Protection Act 18, PECR, CCPA, and how Brexit impacted businesses in terms of data protection laws.
Technical cyber security expertise: The role also requires some relatively comprehensive technical understanding, particularly when considering compliance with the GDPR’s security principle, as well as the Article 32 requirements around implementing and testing appropriate technical and organisational measures to secure your data. A competent consultancy firm will be well-positioned to advise on both your data protection and broader information security obligations in the context of GDPR’s risk-based approach.
Flexible engagements: An external consultant will also offer the flexibility of an ongoing monthly retainer, ensuring that you always have access to suitable expertise during times of ‘feast or famine’, which is often how data protection demands arise. This is in addition to being able to guarantee the mandated independence and negate any possible conflicts of interest.
On top of trends: Another significant advantage afforded by working with an external consultant is their exposure to trends, emerging threats, effective strategies, and other valuable industry GDPR insights generated from working with many different organisations and verticals. Our data protection officers write posts regularly on the latest data protection and GDPR news, such as the current hot topic of AI compliance regulations and the reintroduction of the Data Protection and Digital Information Bill.
Cost: The final and possibly most important consideration is pricing. The cost of an employee doesn’t stop at their salary; you may also need to factor in recruitment costs, NI, benefits, training, hardware/software, and coverage in times of absence (sickness and annual leave). None of this is a concern when appointing an external consultant, who you’d secure for a fraction of the cost. To see examples of what a good outsourced DPO service would include and get an idea of cost, visit our data protection packages page.
Bamboo PR benefited from outsourcing their data protection officer duties by using Evalian as an extended member of their team:
“Evalian® has supported us in implementing updated policies and procedures, which provide the structure to enable that mindset, which is extremely valuable. Not only do we have up-to-date documentation, but this has also improved how we run our business in different ways. We now have a solid awareness when it comes to compliance. We have a mindset from top to bottom which is far more “data protection-focused”. I think that data protection really does need to have buy-in from the top, and having my team see how invested I am has made the whole process much easier.”
View more Data Protection Officer case studies here.
Conclusion
There are clear advantages to both options and the decision, ultimately, requires taking a risk-based approach and balancing this against internal expertise, business objectives and budget, before committing either way. If you’d like more insight into GDPR accountability to support your current in-house DPO, then you can download our free guide by clicking the image below. Still unsure? Read our DPO Checklist.
Need advice on outsourcing DPO?
If you do plan to outsource your DPO or you’d like to broaden internal discussions to include some independent and transparent advice, then feel free to contact us; we can guarantee a friendly and informal chat about the best option for your organisation with no ‘hard sell’.
