Do I need a data protection officer and the benefits of outsourcing the role

Many organisations are unsure as to whether they need a data protection officer and, if they do need one, aren’t sure whether they should appoint someone internally to do the role or outsource the role to an external company.  Here’s a few pointers that may help you if you are pondering these exact questions:

Do we need a data protection officer?

The GDPR stipulates that an organisation must appoint a statutory Data Protection

Officer (DPO) if any of the following apply:

  1. The organisation is a public authority or body;
  2. As part of its core activities the organisation monitors individuals regularly and in a systematic way on a large scale. For example, tracking and monitoring individual’s behaviour, such as on the internet or on CCTC; or
  3. As part of its core activities the organisation processes large volumes of special category data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation) or criminal conviction or offence data.

However, if an organisation does not meet the triggers for a statutory DPO, they may still decide to appoint a voluntary DPO. An appointment of a voluntary DPO helps an organisation improve its data protection compliance and provides a point of contact for data subjects and regulators for any data protection matters.

It is worth noting that if an organisation decides to voluntarily appoint a DPO, the statutory requirements set out in the GDPR will apply to the voluntary DPO in the same way as if a mandatory DPO appointment was triggered.

This includes the requirement for the DPO to act independently, to fulfil the duties set out in the GDPR and to be provided with adequate resources to fulfil those duties.

What if we decide not to appoint a data protection officer?

Provided that you are not required to appoint a DPO, because you aren’t caught by any of the triggers set out in the GDPR, there is no problem with you deciding not to appoint one.  However, it is important that you are confident in your assessment as if a DPO is not appointed, when one is required, the organisation will be in breach of the GDPR, and at risk of an administrative fine of up to 2% of annual global turnover or about £8.5 million, whichever is greater and/or enforcement action.

What are the benefits of outsourcing the role?

Whilst the DPO can form part of an internal role it is important that the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.  Many internal DPOs that we speak to say that this can often be a challenge and they can feel conflicted between the statutory duties that they have as a DPO and the other elements of their role which can drive them towards a decision that is more in line with the commercial objectives that they know the business is trying to achieve. This is one of the main benefits of outsourcing the role, as it enables the organisation to maintain the independent status of a DPO, and to remove any questions around whether the DPO has been subject to a conflict of interests when making decisions in relation to the processing of personal data by the organisation.

Another major benefit of outsourcing the role is that you can be confident that the outsourced DPO has a full understanding of the statutory obligations that must be complied with when undertaking the role and has adequate resources to fulfil those duties.  Again, this can often be a challenge to those individuals that perform the role of the DPO internally alongside other responsibilities, as they can find that they don’t have the bandwidth to carry out the DPO responsibilities to the level that they would like and can therefore find themselves being unable to properly assess the data protection risks that the organisation is carrying or to become a blocker in the process.

And finally, outsourcing the role can provide organisations with the opportunity to benchmark what they do against other organisations in a similar sector or of a similar size, as the outsourced DPO will often have experience of working with other organisations and with the ICO.  They will therefore be able to bring that perspective to the table and provide you with the confidence that you are handling a matter, for example a data breach, in the way that the ICO would expect.

If you would like help in determining whether you need a DPO or would like to chat to us about outsourcing your DPO role please get in touch here.


Don't just take our word for it