Outsourced DPO
Many companies are required by law to have a Data Protection Officer (‘DPO’), depending on the work they do and how they use personal data. Even if it is not required by law, a company may choose to appoint a DPO for customer confidence and credibility.
By appointing an external DPO to work for you on a freelance or contractual basis, you can ensure you meet your regulatory requirements while achieving several other benefits.
Cost Efficiencies
At a time when in-house legal teams are being asked to do more with less resource, it can be hard to get buy-in for headcount for this specific area. Even if budget can be secured, data protection officers are in demand and it can be difficult and/or expensive to recruit a good internal candidate. The nature of your business might not justify having a full-time DPO.
By appointing an experienced external DPO, you can appoint on a part-time or hourly basis, thereby ensuring that you meet your regulatory requirement while minimising spend as far as possible.
We have recently been appointed by a tech company which is approaching an IPO, which knows it needs a DPO by law, but does not need a full-time DPO. By appointing us as DPO, they meet their requirement and only pay for what they need.
External DPOs always meet the independence requirements
The GDPR makes clear that the DPO’s tasks and duties must not result in a conflict of interest, and so they cannot be in a position in which they determine how personal data should be used or for what purpose.
A company was fined €50,000 by the Belgian regulator in 2020 in a case where the DPO was also acting as the director responsible for audit, risk and compliance within the company.
Appointing an external DPO reduces any risk of conflict of interest with other tasks and duties.
Pay for output, not for training
Data protection and privacy is an increasingly complicated area of law, with a number of changes and developments each year, the British government making changes which diverge from the European implementation of the GDPR, and with new laws being implemented in countries around the world.
The GDPR requires that DPOs are provided with sufficient resources and experience to be able to perform their tasks and to maintain their expert knowledge. This means that a company which appoints an internal DPO must make a significant investment into their training and knowledge, and the internal DPO must invest time and effort in keeping their expertise up to date.
The benefit of having an external DPO is that they maintain their knowledge in their own time, and you only pay for the work they do for you. There’s no such thing as a free lunch of course, so the cost to the external DPO of keeping their own training up to date is likely built into their fees, but will still be shared between a number of clients.
Our experience is that it is most efficient for the in-house legal team to focus on the day job, closing commercial contracts and other work which will make a difference to the bottom line.
There is no substitute for experience
Companies benefit from having an experienced DPO who can oversee their compliance programs. A seasoned DPO can help a company to understand what to prioritise and where to invest time and attention to move the dial on a compliance program. Lack of experience and understanding can mean that time and budget are not allocated to the right areas.
One client often tells us that they are not looking to win a gold medal in privacy compliance, which always makes us smile. We know that they want us to focus on the key elements to prioritise, not on the bells and whistles. Fortunately, we know what is likely to lead to issues and which tasks should be prioritised.
Get a cross-industry view
External DPOs can give you an idea of industry practice and what other companies are doing. We have also seen what works well and what doesn’t for other companies, which means that you can take advantage of our experience and avoid problems and pitfalls in your own company. An internal candidate is unlikely to have this breadth of experience.
We recently worked with one multinational which was selecting, appointing and training data protection stewards for different teams in the business. We shared tips and recommendations on this process (on a no-names basis) with another client, who was able to use this example of good practice from the other client to get buy-in for a network of data protection stewards within their own business.
Confidence
Internal DPOs are subject to special protection against dismissal. Hiring an external DPO means that if the relationship does not work or the fit is not quite right, you can simply terminate the relationship.
Do you need a DPO?
Perhaps you are not sure whether you are required by law to appoint a DPO in the UK and/or Europe. For a fixed fee of £250+VAT, we will invite you to a DPO Decision session which will last up to an hour. We will send you a questionnaire which we will ask you to complete ahead of time, and we will discuss your responses during the call itself, which will be online.
We will make a recommendation to you during the call as to whether or not you are required to appoint a DPO as a matter of law. For an additional cost of £150+VAT, we will set out our advice for you in a file note. Please email us at
Working Together: Is this a Good Fit?
A good data protection officer steers the privacy compliance activities of a company. You need to have confidence that your DPO is able to make sound commercial decisions and recommendations which will be accepted by the business, and that they will be able to work well with you and your colleagues. If you would like to spend 20 minutes meeting with us and getting to know us and our ways of working a little better, please use the calendar by clicking "book a call" below to select a good time to meet.