Many organisations are unsure as to whether they need a data protection officer and, if they do need one, aren’t sure whether they should appoint someone internally to do the role or outsource the role to an external company. Here are a few pointers that may help you if you are pondering these exact questions:
Do we need a data protection officer?
The GDPR stipulates that an organisation must appoint a statutory Data Protection Officer (DPO) if any of the following apply:
- The organisation is a public authority or body;
- As part of its core activities the organisation monitors individuals regularly and in a systematic way on a large scale. For example, tracking and monitoring individuals’ behaviour, such as on the internet or on CCTV; or
- As part of its core activities the organisation processes large volumes of special category data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation) or criminal conviction or offence data.
However, if an organisation does not meet the triggers for a statutory DPO, it may still decide to appoint a voluntary DPO. Appointing a voluntary DPO helps an organisation improve its data protection compliance and provides a point of contact for data subjects and regulators on any data protection matters.
It is worth noting that if an organisation decides to voluntarily appoint a DPO, the statutory requirements set out in the GDPR will apply to the voluntary DPO in the same way as if a mandatory DPO appointment was triggered.
This includes the requirement for the DPO to act independently, to fulfil the duties set out in the GDPR and to be provided with adequate resources to fulfil those duties.
What if we decide not to appoint a data protection officer?
Provided that you are not required to appoint a DPO, because you aren’t caught by any of the triggers set out in the GDPR, there is no problem with you deciding not to appoint one. However, it is important that you are confident in your assessment, because if a DPO is required but not appointed, the organisation will be in breach of the GDPR and at risk of an administrative fine of up to 2% of annual global turnover or about £8.5 million, whichever is greater, and/or enforcement action.
What are the benefits of outsourcing the role?
Whilst the DPO can form part of an internal role, it is important that the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. Many internal DPOs that we speak to say that this can often be a challenge: they can feel conflicted between the statutory duties that they have as a DPO and the other elements of their role, which can push them towards a decision that is more in line with the commercial objectives that they know the business is trying to achieve. This is one of the main benefits of outsourcing the role, as it enables the organisation to maintain the independent status of the DPO and to remove any question of whether the DPO has been subject to a conflict of interests when making decisions in relation to the processing of personal data by the organisation.
Another major benefit of outsourcing the role is that you can be confident that the outsourced DPO has a full understanding of the statutory obligations that must be complied with when undertaking the role and has adequate resources to fulfil those duties. Again, this can often be a challenge for individuals who perform the role of the DPO internally alongside other responsibilities, as they can find that they don’t have the bandwidth to carry out the DPO responsibilities to the level that they would like, and can therefore find themselves unable to properly assess the data protection risks that the organisation is carrying, or become a blocker in the process.
And finally, outsourcing the role can provide organisations with the opportunity to benchmark what they do against other organisations in a similar sector or of a similar size, as the outsourced DPO will often have experience of working with other organisations and with the ICO. They will therefore be able to bring that perspective to the table and provide you with the confidence that you are handling a matter, for example a data breach, in the way that the ICO would expect.
If you would like help in determining whether you need a DPO or would like to chat to us about outsourcing your DPO role please get in touch here.