The role of a Data Protection Officer is very specialist. Many of the businesses who are required by UK GDPR to appoint a DPO struggle to fulfil the requirements of the role internally. As a result, it is common for these businesses to contract out the role of DPO externally.
If a business fails to meet its obligations under UK GDPR, it could face significant financial penalties from The Information Commissioner’s Office (ICO), along with reputational damage.
Here we discuss the challenges of the DPO role, the benefits of outsourcing and the considerations when selecting an external DPO service provider.
What is Data Protection Officer as-a-Service (DPOaaS)?
Data Protection Officer as-a-Service (DPOaaS) is an outsourced solution for businesses to fulfil the responsibilities of a DPO under the UK GDPR.
This service is instant and cost effective for businesses that lack essential know-how to fulfil their DPO responsibilities under data protection legislation. You get hands on access to an experienced specialist to fulfil the duties of a DPO.
Whether you must appoint a data protection officer (DPO) or not, you still need to comply with data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018). So, it’s essential to have support to hand that has a level of independence and expertise in the subject and a DPO is a good way of bringing this expertise to your business.
we've created a handy guide if you’re unsure whether your business is required to appoint a DPO.
Why outsource your DPO?
This can take away the burden from your organisation. You will have a committed hands-on expert who will act as your official regulatory point of contact for compliance with UK data privacy laws, leaving your organisation to focus on day-to-day business.
No conflict of interest – It’s apparent, in many organisations, there’s always a risk of conflict of interest. Often the DPO can wear other hats, which can at times conflict with business needs. An outsourced DPO does not have a personal interest vested in the business, which makes them impartial and independent, as well as separate from internal politics.
Cost efficient - An outsourced DPO will save you money in the long run. It can be costly and time consuming in finding a suitable DPO. It’s very hard to find one that ticks all of the boxes. You may find a lawyer, but do they have cyber security knowledge, or you may find a tech person but how well do they understand data protection laws. Alternatively, your organisation could consider an internal hire, however, training could be expensive as it would need to be continuous in order for the internal hire to be able to do their job properly. A newly trained internal DPO may find it difficult in providing a practical approach, when dealing with a data protection conundrum.
Skillset - You will have access to industry knowledge experts that are able to give you no-nonsense advice. You will always have on hand, technical expertise. Outsourced DPOs have the knowledge of cyber security and data protection laws to be able to provide your organisation with relevant advice as and when you need it. Data protection is an industry that is always evolving, there is continuous guidance on how to approach data protection laws, for example, most recently, the case of Schrems II which has substantial implications for the transfer of personal data outside of the European Economic Area. Outsourced DPOs would be able to inform and advise you on how to deal with continuous developments in the data protection industry.
Some challenges faced by a DPO
A DPO has an extremely broad reach; from data mapping, to training and awareness, through to dealing with breaches, or data subject access requests, or conducting data protection impact assessments (DPIAs). Even with a team and support, the DPO has the role to project manage all of the organisation’s privacy matters.
Data Mapping - Imagine trying to find out what personal data you hold about each employee, client or business partner at your organisation, where it’s stored, within which systems, or where this is backed up. Furthermore, whether this is shared with anyone, with whom, why and who else has access. Every organisation collects information, and personal data in different ways, and there isn’t usually a governance system in doing so. This is an enormous task and one that has to be conducted accurately. The DPO would also need to engage with other functions to be able to understand how they process data and why.
Are we applying the principles? - Once the data mapping exercise is complete, the DPO would need to review what’s being collected and whether the principles of the UK GDPR are being applied and met. For example, data minimisation means you should not collect more data than you need, to fulfil your processing needs. Careful review and consideration will be required.
Training - This is an ongoing and expensive requirement. It is necessary to keep updated with data privacy laws that are applicable to your organisation, that are always evolving. There are many tools out there that can assist the DPO, however, these tools are often bought off the shelf and can at times be dated and not applicable to your line of industry, making a training course impractical.
Speak up - The DPO's job is to ensure the highest level of management is informed if the organisation is not complying with data protection laws, and explain the implications. This can be difficult due to conflicting relationships with functions.
No resources - Despite the high number of financial penalties for non-compliance, organisations still do not hire a full capacity privacy team. A DPO has an ongoing operational function and without any support staff, there’s usually a struggle to keep up.
Working in isolation - The DPO role is always independent and detached, and at times, considered separate to the team. The DPO should never have to work alone, but often due to their impartiality, they find themselves working in silo to the rest of the team to ensure fairness.
Insufficient tools - It’s far cheaper to use manual tools, such as excel spreadsheets or word documents; both of which are risky and often not practical to use.
What are the requirements of the DPO role?
The DPO would report into the highest level of management in the organisation.
Article 39 of the GDPR defines the minimum responsibilities that a DPO should have, although the role can be much wider. Typically you can expect the role to cover the following:
- Training and awareness on UK GDPR compliance
- Conducting data protection impact assessments
- Monitor UK GDPR compliance and conduct audits
- Be the point of contact with the relevant supervisory authority (ICO)
- Maintain records of data processing activities
- Respond to data subject access requests
- Provide advice to the organisation
- Respond to internal data protection questions
- Assist in privacy by design and privacy by default when new initiatives are being considered
Who provides outsourced DPO services?
Data protection laws will continue to be a hot topic. Naturally, there are many companies striking whilst the iron is hot, and are providing DPO services. The type of companies providing these services are; law firms, cyber risk management companies, and IT companies, all of which consist of privacy professionals.
How to choose a DPOaaS provider
Here are our top tips to consider when looking for an outsourced DPO solution. The goal is to find a reliable way to fulfil your obligations that’s practical to your situation and future needs.
- Price vs what’s included – Many providers offer a tiered solution so you can choose a suitable tier based on the size of your team and resource available to implement work. And as always, it’s worth checking the small print to ensure everything you need is covered. For example, many providers don’t include things like undertaking a DSAR.
- When will the DPO be available? Most services are available between standard work hours, but some may be restricted. Also, if the DPO is unavailable, what other support can be provided?
- How will you pay for the service? Services can often be provided on a day rate, or a monthly subscription. If it’s a subscription, how long is the term before renewal and what options do you have to terminate the agreement if situations change?
- What happens if you need additional support? Data protection often overlaps with other areas of law such as commercial or employment contracts. If the need arises, could your provider support you in these areas too? This doesn’t have to be limited to just data protection