There has been a lot of buzz around the subject of the Data Protection Officer recently, which is why we decided to put together a Data Protection Officer guideline. The GDPR gives organisations a choice in how to staff the Data Protection Officer (DPO) role. The DPO can be a staff member of the controller or processor. The GDPR also allows for the use of external service providers, so the role of a DPO can be fulfilled on the basis of a service contract.
In practice this often means that an organisation that has decided to appoint a DPO has three options:
So which option is a suitable one for your organisation? In this Data Protection Officer guideline, we have drawn up a list of important factors that should be considered when deciding on how to organise the role of a DPO.
When considering options for organising the DPO's role, remember to take these five aspects into consideration:
The first thing you want to consider is whether the DPO has the fitting background and abilities to perform DPO tasks. The DPO should preferably be an experienced data protection professional. A qualified DPO enables your organisation to avoid major risks and unlock the added value of data protection, e.g. building trust and increasing operational efficiency.
Interpretations of the DPO's role in organisations vary a lot. The GDPR highlights the role of a neutral observer who focuses on monitoring that data processing activities don't cause unnecessary risks to data subjects. On that reading, a DPO wouldn't engage in driving compliance or leading operative actions. However, the situation in reality is often quite the opposite: the DPO frequently coordinates data protection procedures and drives compliance, while at the same time controlling and managing risky data processing activities. Despite this tension, it is vital to minimise the DPO's conflict of interest.
The DPO can be closely involved in the organisation's daily operations. You should aim to acquire a DPO who is familiar with the special requirements set by the business environment. At the very least, this means being aware of industry-specific legislation. Your DPO will have a far better chance of succeeding when there is a sufficient understanding of organisational characteristics.
A DPO can enable structured coordination of data protection activities. Hence, a DPO plays a key role when implementing data protection practices throughout the organisation. Only when these practices become a daily routine in each function can we start reaping the added value of data protection.
Whether you decide to hire a DPO, train one or acquire an external service provider for the purpose, some costs are to be expected. You should weigh these costs against the benefits when picking the best option for your organisation. Acquiring an experienced service provider can produce significant cost savings in comparison to hiring a new person for the role.
Before anything else, your organisation should have a reasonably clear picture of whether you need a DPO or not. To learn more about this, see our article about appointing a DPO here. Once you have decided whether you need a DPO, you should have a comprehensive picture of what you want to achieve with the role. Only then can you rationally weigh the pros and cons of the different options for organising the role of a DPO.
Outsourcing the DPO is an effective way to organise and manage data protection issues, which benefits the organisation in a variety of ways. Privaon’s service portfolio includes a fully outsourced DPO (DPO as a Service), whereby the data protection resources can be flexibly dimensioned to meet unique organisational needs and data protection risks. If your organisation has already appointed a DPO, Privaon can offer additional external resources (DPO Support) for the internal DPO by providing expertise whenever necessary.
The Privaon DPO service:
To learn more about Privaon's DPO services, visit the DPO as a Service page.
Hopefully you found this Data Protection Officer guideline useful. If you would like to learn more, please contact us!
Ville Silvola, Marketing Specialist