The General Data Protection Regulation (GDPR) prescribes, in art. 37, paragraph 1, that a Data Protection Officer (DPO) must be appointed in the following situations:
- in the case of a public authority or body, or
- if the core activities consist of regular and systematic monitoring of data subjects on a large scale, or
- if the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences
Internal or external
In art. 37, paragraph 6, it is said that the DPO “may be a staff member (…) or fulfil the tasks on the basis of a service contract”. In other words, you can appoint one of your own staff members as DPO or outsource the role. It is expected that smaller organizations in particular will opt for an external DPO. The following considerations might play a role:
- Required expertise: knowledge of the relevant legislation, understanding of the processing operations, knowledge of IT and data security, knowledge of the organization and the sector, and the ability to foster a ‘data protection culture’ in the organization, see (1).
- Better assurance of continuity. If your own DPO leaves, the accumulated knowledge is lost (and with it the investment in training).
- A professional external DPO will generally be better informed than an internal DPO who has other responsibilities (certainly in smaller organizations).
When deciding whether or not to opt for an external DPO, a number of arguments and considerations are relevant.
- First, hiring an external DPO does not in itself mean GDPR compliance. If an organization believes that hiring a DPO means outsourcing its responsibility for GDPR compliance, that is a misconception: under the GDPR that responsibility stays with the controller or processor. A good DPO will never accept such an arrangement.
- Because the DPO must be able to take an independent position and report directly to the highest management level, it may be difficult for a smaller organization to find someone within its own ranks who meets the qualifications and yet has no line responsibility that could create a conflict of interest.
- At the same time, an external DPO is not part of the organization and therefore has fewer opportunities to assess how data protection functions in daily practice and to identify possible violations. Promoting a ‘data protection culture’ is also more difficult for an external DPO than for an internal one.
- Given the DPO’s responsibility for monitoring compliance and advising on data protection impact assessments, an external DPO must be kept informed at all times of changes in the organization’s context, processes and applied technologies. An external DPO will therefore have to be present at the organization very regularly and must test both the formal policy and its practical implementation against the GDPR requirements. It also helps if the DPO knows the industry and is aware of what is going on in the sector.
In short, an external DPO has advantages but also disadvantages. And an organization that hires an external DPO will have to realize that GDPR compliance cannot be outsourced but requires the commitment of the entire organization.
Finally, with the rise of the external DPO, there are of course many commercial parties and independent professionals who position themselves as DPOs. The current shortage probably protects against these services being offered at (too) low rates. But if the supply of DPOs increases, a ‘race to the bottom’ could arise. That would be detrimental to the level of involvement the organizations in question need, and DPOs would thereby shoot themselves in the foot.
In short, an organization that has to decide between an internal DPO and an external DPO should take the above considerations into account. Creative arrangements are also possible, such as sharing a DPO with affiliated organizations, or with organizations at the same location.
I am very curious about the experiences of organizations when appointing an internal DPO or hiring an external DPO. Comments and additions are welcome!