Should you outsource the DPO role?

One question many businesses will face as they consider GDPR compliance is whether or not to outsource the Data Protection Officer (DPO) role.

The first question to address is whether or not you need a DPO. You may be legally required to appoint one, or you may decide to voluntarily appoint a DPO in order to keep on top of compliance. We discuss this further in our article Data Protection Officers – who needs them?

If you decide (or are required) to appoint a DPO, the three main options available to you are:

  • Appoint an existing staff member to fulfil the DPO role part-time alongside their other duties;
  • Recruit a dedicated DPO (whether externally or internally); or
  • Outsource the DPO role to an external third-party service provider (this could be an individual consultant or a company).

Each of these options is discussed in more detail below.

DPO as a secondary role

For some businesses, it may be feasible to appoint an existing staff member as DPO as a secondary role alongside their main day-to-day duties.

The obvious benefits of this option are that it does not necessarily incur any additional cost, and that inside knowledge of your business’ practices and operations may mean your new DPO can hit the ground running. However, there are a few areas of concern that need to be considered if you opt for this route.

  • Expertise. A DPO must be an expert in data protection law and practice. You will need to ensure that the person you choose has a sufficient level of knowledge and practical experience with the GDPR to adequately monitor and implement data protection compliance across the business. Clearly, there is a significant difference between someone who has attended a few day courses on GDPR compliance and someone who has worked in the field for several years, so you should consider the qualifications and experience of your candidates carefully.
  • Capacity. For a small business whose processing is low-risk and which receives very few (if any) requests or complaints from data subjects, undertaking the tasks of the DPO as a secondary role may be sufficient for a while. However, as the business grows, so does the scope of the DPO role – more customers means, for example:
      • an increased likelihood of complaints and requests;
      • greater public awareness and scrutiny;
      • more pressure (from customers and suppliers) to demonstrate good practice; and
      • the need to scale IT systems and staff numbers, leading to greater complexity and a greater risk of human error.

If you decide to take this approach, you must ensure that the DPO has the time and resources they need to fulfil the role, and that there is good communication at management/executive level so that the arrangement is reassessed before your candidate ends up overburdened and neglecting one or other of their roles.

  • Independence and conflicts. A DPO needs a level of independence within the business – it is a legal requirement (GDPR Article 38(3)) that the business does not instruct the DPO on how to carry out their statutory tasks, and that the DPO is not dismissed or penalised for performing them. The DPO role is designed to independently monitor compliance and advise the business on its obligations, although this does not grant them decision-making powers; the business remains free to accept or reject the DPO’s advice (for better or worse), and remains responsible for the outcome.

You must therefore ensure that the nature of the candidate’s other role does not prevent them from exercising that independence, and some existing roles inherently conflict with the duties of the DPO (GDPR Article 38(6) requires that any other tasks and duties do not result in a conflict of interests). The Article 29 Working Party’s guidelines on DPOs indicate that senior management roles (such as CEO, COO, CFO, head of marketing, head of HR and head of IT) are likely to result in a conflict, as are any roles lower down the organisation that determine the purposes and means of processing, although this needs to be assessed on a case-by-case basis.

Recruiting a dedicated DPO

This is an option that many businesses opt for in order to ensure that the candidate they appoint has the requisite level of knowledge and experience. It is common for suitable candidates to include lawyers or professionals with significant experience working in the field.

Bringing an expert into your business can pay dividends for those who have the resources to do so, but the main drawbacks of this option tend to be:

  • Cost and availability. The nature of the DPO role requires expertise and experience – two E’s that tend to come with a price tag. For an established business, DPO salaries are likely to be at least in the £50-80k range – higher in the bigger cities, and significantly higher in London.

For many candidates, you may be competing against inflated city centre law firm or in-house counsel salaries. Data protection law is still a fairly niche area and, whilst many commercial lawyers may have some experience, the demand for GDPR experts is high which means availability is limited and salaries need to be competitive in order to attract suitable candidates.

  • Workload and cost effectiveness. For all businesses, there will undoubtedly be times when your DPO is busy. You might be working on implementing a compliance project to improve the business’ overall risk profile, or you might receive a sudden flurry of complaints or requests that need to be handled in a short space of time, and having a dedicated DPO will seem worthwhile when this happens.

However, this will not always be the case. Particularly for smaller or lower-risk businesses, there may be significant periods where you simply don’t need a full-time employee filling the DPO role and a few days a month might suffice. Whilst it is of course possible, finding a suitable expert who is willing to take a part-time or as-needed role may be particularly difficult.

Appointing a DPO externally

The final option is to appoint an external consultant or company as your DPO. Some businesses are rightly cautious about this approach, and one of the main downsides is that, inevitably, an external DPO will be less ingrained in your business than a full-time employee. This means that the quality of service you receive from an external provider can vary greatly, so the terms of engagement (scope, response times, and who within the business the DPO reports to) need to be set out clearly.

The main advantage is that this approach can provide a solution to the disadvantages of the other options:

  • The provider that you engage should (we say with an air of optimism) have the required level of knowledge and expertise – this is their day job, after all. It goes without saying, however, that you should research (or ask them about) the qualifications and experience of the individuals who will be providing your support in practice.
  • As long as the provider offers and maintains flexibility (you should always check this with them), appointing an external DPO means that you can pay for additional support during busy times, so that compliance doesn’t take a back seat to operational tasks, and decrease the level of support when appropriate so that you’re not paying through the nose when you don’t need to. When it is suitable, this approach may prove significantly more cost-effective than recruiting a dedicated DPO.
  • As an external party, independence is much easier to achieve. An external DPO has no internal career or reporting-line pressure to give a biased view, and will not face the same pressure as an internal staff member to say what they think the business wants to hear.
  • As your business grows, you can utilise your own staff to support the functions of the DPO, reducing the cost by delegating day-to-day tasks to your team whilst relying on the expertise and supervision of the provider to ensure that you remain on the right track.

Which option is right for you?

This will depend on the size and nature of your business.

If you have a suitable employee in mind and can address the concerns around granting the DPO role to an existing staff member as a secondary role, then this may well be a worthwhile cost-saver for you (at least for the time being, for a growing business).

On the other hand, if you are a larger business and you know that your DPO is likely to be busy all year round, you may well find that recruiting a dedicated DPO (or even a compliance team) could be the most cost-effective option for you – experts might be expensive, but a salaried employee is unlikely to set you back as much as paying consultant rates for a full-time role.

However, many businesses will not fall into those categories and, if this is you, then finding an external partner to support your business with data protection compliance is likely to be the way to go.

How we can help

If you’re having difficulty deciding on the approach that you should take, get in touch to arrange a no-obligation consultation with us so that we can learn a bit about your business and talk you through the available options.

Now, as a company offering a Remote DPO service, clearly we have a stake in this. However, at the end of the day what we want most is happy customers, so we will let you know if we don’t think our Remote DPO service is right for you – if so, there may well be better ways in which we can support you.

Our Remote DPO service is designed to provide a cost-effective solution for businesses that don’t fit the profile for the other options to be worthwhile, and we will work with you to tailor your service and find a level of ongoing support that meets your requirements. This service can also be provided as a non-statutory “Privacy Lead” role, if you wish to obtain the level of support that a DPO offers without formally appointing a statutory DPO.

You can find more information about our Remote DPO service here, or get in touch with us below to ask any questions or arrange a no-obligation consultation.

Will Eggleston