This blog takes a look at data protection officers (DPOs) and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.
Let’s start by considering the requirement for a DPO. Under Article 37 of the UK General Data Protection Regulation (UK GDPR), certain organisations are required to appoint a DPO, i.e., if you are a public authority or body, or if your core activities involve certain types of processing (large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data). Whilst your organisation may not be obliged to appoint a DPO, there is still a requirement for you to ensure that your organisation has sufficient staff, independence and resources to discharge your obligations under the UK GDPR. This aside, there are also the obvious benefits that a DPO’s expertise will bring - strengthening your organisation’s data protection governance, reducing the risk of non-compliance and reputational/financial damage, as well as the ability to deliver training.
With this in mind, the six-million-dollar question is ‘how do you go about resourcing this specialist role?’ In essence, it can be argued that you have two options open to you: the in-house route (recruit somebody or utilise an existing internal resource) or the outsourcing route (engage an external specialist individual, or company, to act as your virtual DPO).
Here, we’ll explore the pros and cons of both options and help you to consider which option is the best fit for your organisation.
Convenience of exclusive and ‘on-tap’ resource
Having an internal DPO has obvious appeal. There’s a lot to be said for having someone who is exclusively yours and permanently ‘on tap’, and has a good understanding of the personal data you process (how, where and why), as well as your systems and processes. There’s also the obvious advantage of an individual who has a good knowledge of your industry or sector. In addition, you have someone who understands your culture and can help to work with staff raising awareness and delivering training.
Challenging role to fill
The challenge for many organisations, however, is that the role of the DPO is not a particularly easy one to fill. This is partly due to the scarcity of suitable, high-calibre candidates and partly to the stringent requirements that the UK GDPR places on the appointment of the DPO. Let’s look at some of the criteria which need to be met:
- First and foremost, the DPO needs to have experience and expert knowledge of data protection law. The DPO’s credentials also need to be proportionate to the type of personal data processing, e.g., the more complex or risky your processing is, the more proficient your DPO needs to be.
- The UK GDPR places strict requirements on the ‘independence’ of the DPO. Your DPO can be assigned other tasks and duties, but only as long as they don’t result in a conflict of interest with their primary tasks. In other words, the DPO cannot hold a position within your organisation that leads them to determine the purposes and the means of the processing of personal data. At the same time, your DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests. This independence requirement can be quite restrictive, and the advisory/facilitative nature of the role may be difficult for some organisations to accommodate.
- The DPO role is also, typically, a senior one or at the very least one which has direct access to the highest management level of your organisation, i.e., board level. In URM’s experience, boards often give more credence to advice received from an external specialist than from an internal resource.
- On a more practical level, having quick access to a specialist DPO on the premises is great, but can sometimes lead to over-reliance on an individual who can become a ‘single point of failure’, e.g., what happens if there is a time-critical need to access your DPO and they are on annual or sick leave?
Virtual DPO Resource
Expertise and range of experiences/skills
Subject, naturally, to selecting the appropriate individual/organisation, a virtual DPO can bring some significant advantages, not least their expertise and a wide range of experiences. Obviously, you would expect a virtual DPO to be able to satisfy the basic UK GDPR requirement for an individual who has ‘expert knowledge of data protection law’. However, it is the range of experiences which an external DPO can bring to the party which potentially offers you the biggest benefits.
These include the recurring type of activities, such as conducting data protection impact assessments (DPIAs) and dealing with data subject access requests (DSARs), as well as experience of the (hopefully!) rarer events, such as dealing with personal data breaches and liaising with the supervisory authority (i.e., the ICO). Having wider experience of developing and implementing appropriate processes can be invaluable in terms of saving you time and money. The former can be particularly critical when you have the tight deadlines imposed by the UK GDPR and the ICO to meet, e.g., responding to a DSAR within one month, or notifying the ICO of a reportable breach within 72 hours of becoming aware of it.
The benefit of having exposure to similar projects and the cross-fertilisation of processes/ideas cannot, in URM’s opinion, be overstated.
Easier to deliver independence
It can be argued that the requirement for ‘independence’ imposed by the UK GDPR lends itself best to a virtual DPO service, where there is no conflict of interest in terms of carrying out other tasks or business activities within the organisation. Don’t forget that the DPO role is essentially advisory and facilitative and can often be best met by an external resource supporting your internal resources.
Resilience/team cover
The benefit of resilience is obviously dependent on the type of virtual DPO service you have, i.e., with a company or an individual. If it is the former, you can potentially gain access to not just your designated DPO, but to a wider support team available when you need them. This support team can bring an even broader exposure to other data protection management systems, additional subject matter expertise, e.g., risk management and information security, as well as timely support as and when required. Practically, a support team can also provide cover should the designated DPO individual be on leave or be indisposed.
Variation in skills and experience
Naturally, with any recruitment/selection process, great care needs to be taken to ensure that your virtual DPO possesses subject matter technical knowledge, along with appropriate soft skills. We have come across numerous data protection practitioners with great detailed knowledge of the UK GDPR, but who unfortunately fall short in communication and knowledge transfer skills, and particularly in their ability to gain the confidence and trust of the board.
Cost

To be honest, cost can be either a ‘pro’ or a ‘con’. Pricing arrangements vary enormously, so for some organisations a virtual DPO service can prove to be an expensive alternative, whilst for others it can be highly cost-effective. A virtual resource can be scaled up and down to fit your requirements, giving you the flexibility to utilise the resource only when needed. By its nature, the DPO should sit as an independent authority for data protection, and another benefit of having an external party covering this role is the oversight and guidance it provides in ensuring you are doing the right things to maintain compliance. Typically, a virtual DPO is most cost-effective when your processing is such that you require that independent oversight, advice, guidance and knowledge, but can’t justify a full-time, in-house role.
Or is a hybrid the best solution?
When we started this blog, we presented you with two basic options: internal vs external. In URM’s experience, however, this binary choice is a bit too simplistic and a hybrid solution can often be the most effective. A model which URM has found to work exceptionally well on all levels is where you have an external virtual DPO (meeting all the UK GDPR requirements for expert legal knowledge, independence, monitoring compliance, acting as the primary point of contact, providing effective oversight etc.) working closely with, and mentoring, one or more internal data protection (DP) champions. The virtual DPO can help build up the knowledge of local DP champions and develop their skills, e.g., conducting DPIAs, delivering training/awareness sessions, dealing with DSARs etc. In the process, skills can be cascaded throughout your organisation.
Although for many organisations there is no regulatory requirement to have a full-time DPO, it can be strongly argued that the benefits of having one clearly outweigh not having one in place. For many organisations, it can also be argued that having this role covered on a virtual basis represents the most efficient and effective use of resources. As we have discussed, the requirements for a DPO stipulated by the UK GDPR naturally suit an external role, i.e., an independent, knowledgeable resource advising the board and providing effective oversight. Combining this role with a mentoring one, where the DPO can bring their wide experience to bear in supporting local DP champions and maximising knowledge transfer, can be a very powerful and cost-effective solution.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will help you understand your current level of compliance and identify gaps and vulnerabilities.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, records of processing activities (ROPAs), data retention schedules, training programmes etc.