Under the GDPR, there are certain circumstances where an organisation must employ the services of a data protection officer (DPO), but that does not necessarily mean taking on a full-time employee, outsourcing the role is possible. But is it worth it?
Article 37 states it clearly. It says that an organisation must designate a DPO when the processing of data is carried out by a public body or if the activities of the data controller or processor:
Require regular and systematic monitoring of data subjects on a large scale
Or processes data of special categories of data (pursuant to Article 9) or personal data relating to criminal convictions and offenses.
The Article does allow for ‘a group of undertakings’ to share a DPO providing they are easily accessible from each establishment. Furthermore, in the case of a public authority or body, there are circumstances when a single DPO could be appointed for several such bodies.
Outsource or in-house?
It is not simply about resources. The benefits of outsourcing a DPO, as an alternative to employing a full-time member of staff, with all the costs associated with it are obvious. It is also about specialisation: an organisation may require a DPO with very specific skills, and it may simply be more logical to outsource this function, maybe to a firm of privacy lawyers, for example.
It is also about the practical problems associated with finding a DPO with the necessary skill set. GDPR has brought with it a massive jump in the demand for DPOs with the necessary skills – inevitably this may mean that there is an insufficient number of DPOs with the appropriate skill set to work in-house for every company that requires one.
A DPO and more
The GDPR does permit an organisation to employ a DPO in other activities too, providing there is no conflict of interest. (Article 38:6).
But ‘no conflict of interest’ is a crucial point. The GDPR also requires the DPO to carry out its tasks and duties in an independent way. This is a crucial point. Some liken the role of a DPO under GDPR as being more like a police officer. Or maybe it is akin to a chartered accountant, auditing accounts, at arm’s length, providing objectivity.
The DPO, whether they are employed in-house or outsourced, cannot be easily dismissed, and cannot be dismissed for performing his or her tasks, and can not be given instructions by the data controller on the exercise of those tasks.
Outsource or not
The benefits are clear, but it is vital that the role of an outsourced DPO is clearly defined.
The risk in employing an outsourced DPO on an hourly rate is clear: costs can escalate: it is vital, therefore, that the tasks are outsourced and set-out in advance. Attendance at long meetings, of which data protection and privacy is a small part and may not be cost-effective, it may be better if those particular issues are dealt with separately in more focused meetings.
Some organisations that specialise in providing the services of an outsourced DPO clearly layout their responsibilities, tasks and agree costs upfront.
For example, they may:
- Agree to provide gap analysis reports,
- Or agree so many hours a year in providing virtual advice, as part of a contract,
- Review privacy policies at agreed intervals,
- Oversee the establishment and maintenance of the personal data processing register,
- Advice on data protection impact assessments (DPIA), whether they are necessary and monitoring of their performance,
- Provide advice on policy and procedures in the event of a data breach,
- Facilitate GDPR related training,
- Monitor compliance,
- Provide regular reports to the board.
Remember the tasks of the DPO, as laid down in the GDPR
Article 39 of the GDPR lays out the tasks of the data protection officer. Before the decision to outsource the DPO role is made, it is important to consider these tasks.
Article 39 states:
1: The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2: The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.
For more information on outsourcing a DPO, and to see if it is right for your business, visit Data Protection Professionals.