In-house Resource vs Virtual DPO
So, let’s start by considering the requirement for a DPO. Under Article 37 of the General Data Protection Regulation (GDPR), certain organisations are required to appoint a DPO, i.e. if you are a public authority or body or if you carry out certain types of processing activities. Whilst your organisation may not be obliged to appoint a DPO, there is still a requirement for you to ensure that your organisation has sufficient staff, independence and resources to discharge your obligations under the GDPR. This aside, there is also the obvious benefit that a DPO can have in strengthening your organisation’s data protection governance and reducing the risk of non compliance with regulation, and potential reputational harm.
With this in mind, the six million dollar question is ‘how do you go about resourcing this specialist role?’. In essence, it can be argued that you have 2 options open to you; the in-house route (recruit somebody or utilise an existing internal resource) or the outsourcing route (engage an external specialist individual, or company, to act as your virtual DPO).
In this blog, we will explore the pros and cons of both options and help you to consider which option is the best fit for your organisation.
Convenience of exclusive and ‘on-tap’ resource
Having an internal DPO has obvious appeal. There’s a lot to be said for having someone who is exclusively yours and permanently ‘on tap’ and has a good understanding of the personal data you process, how, where and why as well as your systems and processes. There’s also the obvious advantage of an individual who has a good knowledge of your industry or sector. In addition, you have someone who understands your culture and can help to work with staff raising awareness and delivering training.
Challenging role to fill
The challenge for many organisations, however, is that the role of the DPO is not a particularly easy one to fill. This is partly due to the current scarcity of suitable high calibre candidates and partly to the stringent requirements that the GDPR places on the appointment of the DPO. Let’s look at some of the criteria which need to be met:
● First and foremost, the DPO needs to have experience and expert knowledge of data protection law. The DPO’s credentials also need to be proportionate to the type of personal data processing, e.g. the more complex or risky your processing is, the more proficient your DPO needs to be.
● The GDPR places strict guidelines around the ‘independence’ of the DPO. Your DPO can be assigned other tasks and duties, but only as long as they don’t result in a conflict of interest with their primary tasks. In other words, the DPO cannot hold a position within your organisation that leads them to determine the purposes and the means of the processing of personal data. At the same time, your DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests. This ‘independent’ requirement can be quite restrictive for organisations and this advisory/facilitative role may be difficult for some organisations to accommodate.
● The DPO role is also, typically, a senior one or at the very least one which has direct access into the highest management level of your organisation, i.e. board level. In URM’s experience, ‘boards’ often apply more credence to receiving advice from an external specialist than an internal resource.
● On a more practical level, having quick access to a specialist DPO on the premises is great, but can sometimes lead to over-reliance on an individual who can become a ‘single point of failure’, e.g. what happens if there is a time-critical need to access your DPO and they are on annual or sick leave?
Virtual DPO resource
Expertise and range of experiences/skills
Subject, naturally, to selecting the appropriate individual/organisation, a virtual DPO can bring some significant advantages, not least their expertise and a wide range of experiences. Obviously, you would expect a virtual DPO to be able to satisfy the basic GDPR requirement for an individual who has ‘expert knowledge of data protection law’. However, it is the range of experiences which an external DPO can bring to the party which potentially offers you the biggest benefits.
These include the recurring type activities, such as conducting data protection impact assessments (DPIAs) and dealing with data subject access requests (SARs) and other data subject right requests, as well as experience of the (hopefully!) rarer events, such as dealing with data breaches and liaising with the supervisory authority (i.e. the ICO). Having a wider experience of developing and implementing processes appropriately can be invaluable in terms of saving you time and money. The former can be particularly critical when you have the tight deadlines (imposed by the GDPR and the ICO) to meet.
The benefit of having exposure to similar projects and the cross-fertilisation of processes/ideas cannot, in URM’s opinion, be overstated.
Easier to deliver independence
It can be argued that the requirement for ‘independence’ imposed by the GDPR lends itself best to a virtual DPO type service, where there is absolutely no conflict of interest in terms of carrying out other tasks or business activities within the organisation. Don’t forget that the DPO role is ostensibly advisory and facilitative and can often be best met by an external resource supporting your internal resources.
Resilience/ team cover
The benefit of resilience is obviously dependent on the type of virtual DPO service you have, i.e. with a company or an individual. If it is the former, you can potentially gain access to not just your designated DPO, but to a wider support team available when you need them. This support team can bring an even broader exposure to other data protection management systems, additional subject matter expertise, e.g. risk management and information security, as well as timely support as and when required. Practically, a support team can also provide cover should the designated DPO individual be on leave or be indisposed.
Variation in skills and experience.
Naturally with any recruitment/selection process, great care needs to be taken to ensure that your virtual DPO possesses subject matter technical knowledge, along with appropriate soft skills. We have come across numerous data protection practitioners with great detailed knowledge of the GDPR, but who unfortunately fall short on the communication and knowledge transfer front and particularly in their ability to gain the confidence and trust of the board.
To be honest, this can be both a ‘pro’ or a ‘con’. Pricing arrangements can vary enormously, so for some organisations a virtual DPO service can prove to be an expensive alternative, whilst for others it can be highly cost effective. A virtual resource can be upscaled and downscaled to fit your requirements. You have the flexibility to utilise the resource only when needed. By its nature, the DPO should sit as an independent authority for data protection: another benefit of having an external party covering this role is to provide oversight and guidance and ensure you are doing the right things to maintain compliance. Typically, a DPO is most cost effective when your processing requirements are such that you require that independent oversight, advice, guidance and knowledge, but can’t justify a full time in-house role.
Or is a hybrid the best solution?
When we started this blog, we presented you with a choice of 2 basic options; internal vs external. In URM’s experience, however, this binary choice is bit too simplistic and a hybrid solution can often be the most effective. A model which URM has found to work exceptionally well on all levels is where you have an external virtual DPO (meeting all the GDPR requirements for expert legal knowledge, independence, monitoring compliance, acting as a primary point of contact, providing effective oversight etc. etc.) working closely with, and mentoring, one or more internal DP champions. The virtual DPO can help build up the knowledge of local champions and develop their skills, e.g. conducting DPIAs, delivering training/awareness sessions, dealing with SARs etc. In the process, skills can be cascaded throughout your organisation.
Although for many organisations there is not a regulatory requirement to have a full time DPO, it can be strongly argued that the benefits of having one clearly outweigh not having one in place. For many organisations, it can also be argued that having this role, covered on a virtual basis, represents the most efficient and effective use of resources. As we have discussed in this blog, the requirements for a DPO stipulated by the GDPR naturally suits an external role, i.e. independent, knowledgeable resource advising the board and providing effective oversight. Combining this role with a mentoring one where the DPO can bring their wide experiences supporting local champions and maximising knowledge transfer, can be a very powerful and cost-effective solution.
It’s one thing however, deciding to go down the virtual DPO route, it’s another thing coming up with the type of virtual DPO service that suits your organisation. In our next blog, we are going to address this head on and provide you with a checklist of some of the key things you should consider and some of the pitfalls you need to avoid!
URM’s fully qualified team of consultants has a deep knowledge of data protection legislation, not just of the legalities and the security principle via our ISO 27001 services, but around all of the GDPR’s principles, gained through working with our clients on practical business implementation over the last 15 years.