Outsourcing your Data Protection Officer (DPO)

The DPO plays a crucial role in data protection compliance in Europe. To fulfill the DPO requirements, many organizations are outsourcing the DPO role, though it can be unclear whether that is the best option for you. In this article, we discuss what should be considered in making that decision.


The first question to consider is whether a DPO is needed at all. For the private sector, a DPO is mandatory when:

  1. the core activities of the organization include processing which involves regular and systematic monitoring of data subjects on a large scale; or
  2. the core activities of the organization include processing on a large scale of sensitive personal data.

Even where the above do not apply, many organizations engage a DPO voluntarily, as it is best practice and ensures the quality of the organization’s data protection program. There are many reasons why the presence of a DPO can look good to potential business partners and any potential data subject.

The GDPR requires that many organizations must, by law, appoint a Data Protection Officer, more commonly known as a DPO. Further, the GDPR mandates minimum requirements for the DPO, requiring “expert knowledge of data protection law and practices”. The DPO must report to the highest level of management, which in many organizations is the Board. This means it is not a position fit for junior employees.

The reality is that this necessary expertise and seniority costs… It is hard to put an exact figure on the price of hiring a DPO, because there are many factors that influence the salary, such as location, nature of the business and quality of candidate sought.

To make things even more difficult, the DPO must be independent. In other words, the DPO should not be actually completing the data protection compliance tasks. Rather, they should be an extra person that acts as an independent advisor. This means the DPO is literally an extra cost.

You might have come across the term “DPO as a Service”. Whatever you call it, there are several reasons why outsourcing the DPO is a smart idea.

First, it is cheaper. A full-time employee with the DPO’s experience could cost 100,000$//£ (in some cases, it will need to be much more). Outsourcing the DPO role would normally cost something like 10,000 per year, and that also negates the need for other costs such as pensions, onboarding, physical office equipment, etc.

Secondly, this means the DPO is independent, as is required.

Thirdly, the outsourcing will be to a DPO with years of experience in data protection laws. They are experts in data protection. Often this individual has worked with various organizations and has seen more circumstances than a hired in-house employee will come across in their role working with a single organization.

Fourthly, if you are located outside of the EU, this person will be located in Europe, having worked with local regulators. They will be on the ground where it counts.

It is useful to remember that the DPO is legally bound by secrecy. The fact that the duty of confidentiality is embodied in the GDPR itself means that there is a greater guarantee that an outsourced DPO will maintain the business’ information in complete confidentiality.

No. In some organizations, the DPO role will need to be a full-time role, which is best fulfilled by hiring the right individual. These will be organizations that have very intense data processing or organizations that derive decent proportions of their income from the data processing. For example, very large insurance companies that use artificial intelligence to process sensitive personal data of their thousands of customers would be best suited to employ the appropriately skilled individual.

Yes!! Outsourcing the DPO is easy. We have extensive expertise in European data protection laws and acting in the DPO role. We have experience in many industries, so most likely we have extensive experience in your sector. We will try to reduce your costs as much as possible and provide the highest level of expertise. One meeting with us and you will be convinced.

We are also happy to discuss with you whether an outsourced DPO is the right option for you.