If you’re required by law to designate a Data Protection Officer, then I guarantee you’ve thought about whether to appoint internally or whether to outsource your DPO. Truth is, there are advantages and disadvantages to both.
We see if from both sides because we provide outsourced DPO services and also because we support in-house DPOs who often need a second opinion, extra resource or need help because they have another role as well.
In this post, I thought I’d set out some of the advantages of both options based on feedback we get from clients.
Insource your DPO
The first consideration when appointing someone from within your organisation is whether you have a suitable candidate. The regulation stipulates that the DPO:
- Must have expert knowledge of data protection law
- Must have the ability (and capacity) to fulfil all of the tasks required by the role
- Must perform their tasks and duties in an independent manner
- Must only fulfil other tasks and duties if these don’t result in a conflict of interests (determining the purposes and means of processing, managing competing objectives where business interests may take precedence over data protection)
If you don’t already employ somebody suitably educated, available, independent and able to prioritise data protection over your business interests (it really stipulates this), then your options are to hire a new employee or outsource the role to an external consultant. However, if you do have someone who meets the criteria then there are good reasons to keep the position in-house.
This individual will have a more intricate understanding of your organisation than an external specialist, and will therefore be able to balance (but prioritise) data protection risks against business objectives with increased levels of scrutiny and analysis, consequently resulting in decisions borne out of deeper consideration.
They will also be able to monitor compliance more closely, identifying risks at an earlier stage and subsequently introducing processes for mitigating those risks. A good example would be employee awareness training, where an in-house DPO would be afforded a far more accurate picture of potential shortcomings emanating within the workforce than an external consultant would.
The DPO also needs to report to the highest level of management within your organisation, so appointing an employee will likely cement the structure more effectively into your organisational chart, ensuring that data protection remains an ongoing consideration at board level.
Outsource your DPO
The hyperbole around GDPR back in May 2018 led to many fly-by-night experts riding the fear and consumption wave into becoming trusted advisers at unsuspecting businesses, so it’s important to caveat this section by making clear that any reference to external consultants will only include reputable firms (of which there are many).
When using one of these consultancy firms, you can be confident that you’ve got direct access to the ‘expert knowledge of data protection law’ required by the GDPR. In fact, the more credible firms will most likely have lawyers on their team as well operational specialists. This helps guarantee access to adequately knowledgeable subject matter experts that understand the complexities of not just the GDPR, but also the UK Data Protection Act 18, PECR, CCPA, and how Brexit is going to impact businesses when it comes to privacy.
The role also requires some relatively comprehensive technical understanding, particularly when considering compliance with the GDPR’s security principle, as well as the Article 32 requirements around implementing and testing appropriate technical and organisational measures to secure your data. A competent consultancy firm will be well positioned to advise on both your data protection and broader information security obligations in the context of GDPR’s risk based approach.
An external consultant will also offer the flexibility of an ongoing monthly retainer ensuring that you always have access to suitable expertise during times of ‘feast or famine’, which is often the way that data protection demands are required. This is in addition to being able to guarantee the mandated independence and negate any possible conflicts of interests.
Another significant advantage afforded by working with an external consultant is their exposure to trends, emanating threats, effective strategies, and other valuable industry insight generated from working with many different organisations and verticals.
The final and possibly most important consideration at the moment (owing to the economic impact from COVID-19) is pricing. The cost of an employee doesn’t stop at their salary, you may also need to factor in recruitment costs, NI, benefits, training, hardware/software, coverage in times of absence (sickness and annual leave). None of this is a concern when appointing an external consultant, who you’d secure for a fraction of the cost.
There are clear advantages to both options and the decision, ultimately, requires taking a risk-based approach and balancing this against internal expertise, business objectives and budget, before committing either way.
If you do plan to outsource your DPO or you’d like to broaden internal discussions to include some independent and transparent advice, then feel free to contact Evalian; we can guarantee a friendly and informal chat about the best option for your organisation with no ‘hard sell’.