Appointing a DPO – in-house, external or DPO support. What is best for your organisation?

Share on linkedin
LinkedIn
Share on twitter
Twitter

The GDPR requires certain organisations to appoint a Data Protection Officer (DPO). This includes public bodies, organisations that conduct regular, large-scale and systematic monitoring of individuals and those that process special categories of personal data on a large scale.

While the role of a modern DPO is multi-dimensional, their core responsibility is to help an organisation demonstrate compliance with the GDPR and other data protection laws. Even in instances where an organisation is not legally required to appoint a DPO, it can be advantageous to do so. Appointing a DPO is an excellent way for organisations to ensure that the GDPR principle of accountability is met and is crucial in building trust among your data subjects, potential investors and other stakeholders.

That being said, finding a suitably qualified and experienced DPO can prove challenging in today’s marketplace, where the pool of adequately skilled and experienced DPO candidates can be limited.

Ideally, you want a DPO candidate who has experience and expert knowledge of data protection law that is commensurate with the type of data processing you carry out, as well as the level of complexity and risk involved. It would also be beneficial for a DPO to have a good knowledge of your industry or sector, as well as the data protection needs and processing activities that are unique to your organisation. The DPO must report to the highest level of management in the organisation and so must be sufficiently experienced at reporting and presenting at a senior level.

Simultaneously, your DPO should be an easily accessible point of contact for employees, supervisory authorities and the people whose personal data is being processed (including customers and employees). Your DPO should therefore not be burdened with other tasks that result in their DPO duties being neglected, due to limited capacity. Furthermore, the DPO cannot have a conflict of interest in carrying out their duties and they must be independent. This means that many senior employees will be excluded from being considered for the DPO role.

Given the DPO requirements highlighted above, it is no surprise that organisations are finding it difficult to fill their DPO roles with sufficiently experienced candidates. As a result, we are seeing organisations seeking to partner with an expert consultancy who can provide DPO services on an outsourced basis.

Why outsource?

It’s cost-effective:
Outsourcing the DPO role is often a cost-effective way for your company to be confident that you’re fully GDPR compliant. You have access to the expertise of a professional DPO, as and when this is needed, without the cost and effort of employing a full-time member of staff, particularly given the difficult marketplace at the moment.

Focus your resources on core business:
With an outsourced DPO, you can get the expert advice and guidance you need, without diverting any time or skills away from your key business activities.

Avoid potential conflicts of interest:
By law, your DPO must perform their tasks with a sufficient degree of autonomy, in an independent manner. Outsourcing allows you to avoid possible conflict of interests between the duties of your DPO and other activities within your organisation.

You have access to high-level expertise:
You can draw on the expertise and experience of an entire panel of data protection consultants – all while freeing up internal resources.

How to choose the right outsource partner

Ideally, you should look to partner with an organisation that can offer you a blend of data protection expertise with a practical, personalised, hands-on approach. You should also be able to choose whether your outsourced DPO works on-site, remotely or both.

As part of our Outsourced DPO Services, Pembroke Privacy can:

  • Help build your privacy framework.
  • Advise on data processing agreements, contracts, privacy notices etc.
  • Conduct risk assessments on the whole organisation, including gap assessments and maturity analyses to identify areas of risk and recommend how to minimise the risks; or carry out risk assessments of specific projects (e.g., DPIAs).
  • Advise on managing data subject rights.
  • Provide data protection training. ​
  • Help update your data protection policies, procedures and standards.
  • Deal with day-to-day data protection queries from all areas of your organisation.
  • Help manage data security breaches.

Why partner with Pembroke Privacy?

  • All Pembroke Privacy’s outsourced DPOs are qualified lawyers and hold certifications from the IAPP (Certified Information Privacy Professional (CIPP) / Certified Information Privacy Managers (CIPM)). All have significant expertise in European and Irish data protection legislation and an in-depth knowledge of the GDPR.
  • Partner with Pembroke Privacy and your outsourced DPO will be supported by a panel of Pembroke Privacy data protection consultants with access to Pembroke Privacy’s toolkit of data protection know-how, technologies and processes. These include our gap assessment / compliance review process, our Data Protection Impact Assessment process, and our e-learning products – all ensuring you can fulfil your data protection compliance obligations efficiently and cost effectively.

Find more information on Pembroke Privacy’s outsourced DPO services and DPO support services here.

Get in Touch

Have a Question?

Ask below: