

Data Protection Officer as a Service: Outsourcing the role of DPO

The role of a Data Protection Officer is highly specialised. Many of the businesses that are required by UK GDPR to appoint a DPO struggle to fulfil the requirements of the role internally. As a result, it is common for these businesses to contract the role of DPO out to an external provider.

If a business fails to meet its obligations under UK GDPR, it could face significant financial penalties from the Information Commissioner’s Office (ICO), along with reputational damage.

Here we discuss the challenges of the DPO role, the benefits of outsourcing and the considerations when selecting an external DPO service provider.

What is Data Protection Officer as-a-Service (DPOaaS)?

Data Protection Officer as-a-Service (DPOaaS) is an outsourced solution for businesses to fulfil the responsibilities of a DPO under the UK GDPR.

This service is immediate and cost-effective for businesses that lack the essential know-how to fulfil their DPO responsibilities under data protection legislation. You get hands-on access to an experienced specialist who carries out the duties of a DPO.

Whether or not you must appoint a data protection officer (DPO), you still need to comply with data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018). So it’s essential to have support to hand that is independent and expert in the subject, and a DPO is a good way of bringing this expertise into your business.

We've created a handy guide if you’re unsure whether your business is required to appoint a DPO.

Why outsource your DPO?

Outsourcing takes the burden away from your organisation. You will have a committed, hands-on expert who acts as your official regulatory point of contact for compliance with UK data privacy laws, leaving your organisation free to focus on day-to-day business.

No conflict of interest – In many organisations there is a real risk of conflict of interest: the DPO often wears other hats, which can at times conflict with business needs. An outsourced DPO has no personal interest vested in the business, which makes them impartial and independent, as well as separate from internal politics.

Cost efficient - An outsourced DPO will save you money in the long run. Finding a suitable DPO can be costly and time consuming, and it’s very hard to find one who ticks all of the boxes. You may find a lawyer, but do they have cyber security knowledge? You may find a technical person, but how well do they understand data protection laws? Alternatively, your organisation could consider an internal hire; however, training could be expensive, as it would need to be continuous for the internal hire to do their job properly. A newly trained internal DPO may also find it difficult to take a practical approach when dealing with a data protection conundrum.

Skillset - You will have access to industry experts who are able to give you no-nonsense advice, and you will always have technical expertise on hand. Outsourced DPOs have the knowledge of cyber security and data protection laws to provide your organisation with relevant advice as and when you need it. Data protection is an industry that is always evolving, and there is continuous guidance on how to approach data protection laws; for example, most recently, the case of Schrems II, which has substantial implications for the transfer of personal data outside of the European Economic Area. Outsourced DPOs are able to inform and advise you on how to deal with continuous developments in the data protection industry.

Some challenges faced by a DPO

A DPO has an extremely broad reach: from data mapping, to training and awareness, through to dealing with breaches, data subject access requests, and conducting data protection impact assessments (DPIAs). Even with a team and support, the DPO is responsible for project managing all of the organisation’s privacy matters.

Data Mapping - Imagine trying to find out what personal data you hold about each employee, client or business partner at your organisation, where it’s stored, within which systems, and where it is backed up. Then consider whether it is shared with anyone, with whom, why, and who else has access. Every organisation collects information and personal data in different ways, and there isn’t usually a governance system for doing so. This is an enormous task and one that has to be conducted accurately. The DPO would also need to engage with other functions to understand how they process data and why.

Are we applying the principles? - Once the data mapping exercise is complete, the DPO would need to review what’s being collected and whether the principles of the UK GDPR are being applied and met. For example, data minimisation means you should not collect more data than you need to fulfil your processing purposes. Careful review and consideration will be required.

Training - This is an ongoing and expensive requirement. It is necessary to keep up to date with the data privacy laws that apply to your organisation, and these are always evolving. There are many tools out there that can assist the DPO; however, these tools are often bought off the shelf and can at times be dated or not applicable to your industry, making a training course impractical.

Speak up - The DPO's job is to ensure the highest level of management is informed if the organisation is not complying with data protection laws, and to explain the implications. This can be difficult due to conflicting relationships with other business functions.

No resources - Despite the high number of financial penalties for non-compliance, organisations still do not hire a full capacity privacy team. A DPO has an ongoing operational function and without any support staff, there’s usually a struggle to keep up.

Working in isolation - The DPO role is always independent and detached, and at times considered separate from the team. The DPO should never have to work alone, but often, because of their impartiality, they find themselves working in a silo from the rest of the team in order to ensure fairness.

Insufficient tools - It’s far cheaper to use manual tools, such as Excel spreadsheets or Word documents, but both are risky and often not practical to use.

What are the requirements of the DPO role?

The DPO reports to the highest level of management in the organisation.

Article 39 of the GDPR defines the minimum responsibilities that a DPO should have, although the role can be much wider. Typically, you can expect the role to cover the following:

  • Training and awareness on UK GDPR compliance
  • Conducting data protection impact assessments
  • Monitoring UK GDPR compliance and conducting audits
  • Acting as the point of contact with the relevant supervisory authority (ICO)
  • Maintaining records of data processing activities
  • Responding to data subject access requests
  • Providing advice to the organisation
  • Responding to internal data protection questions
  • Assisting with privacy by design and privacy by default when new initiatives are being considered

Who provides outsourced DPO services?

Data protection laws will continue to be a hot topic. Naturally, many companies are striking while the iron is hot and providing DPO services. The types of companies providing these services are law firms, cyber risk management companies and IT companies, all of which employ privacy professionals.

How to choose a DPOaaS provider

Here are our top tips to consider when looking for an outsourced DPO solution. The goal is to find a reliable way to fulfil your obligations that’s practical for your situation and future needs.

  1. Price vs what’s included – Many providers offer a tiered solution, so you can choose a suitable tier based on the size of your team and the resources available to implement the work. As always, it’s worth checking the small print to ensure everything you need is covered. For example, many providers don’t include things like handling a DSAR.
  2. When will the DPO be available? Most services are available during standard working hours, but some may be more restricted. Also, if the DPO is unavailable, what other support can be provided?
  3. How will you pay for the service? Services are often provided on a day rate or a monthly subscription. If it’s a subscription, how long is the term before renewal, and what options do you have to terminate the agreement if circumstances change?
  4. What happens if you need additional support? Data protection often overlaps with other areas of law, such as commercial or employment contracts. If the need arises, could your provider support you in these areas too? The service doesn’t have to be limited to data protection alone.

About our expert

Lillian Tsang MBA


Senior Data Protection and Privacy Solicitor
Lillian is a highly experienced Data Protection and Privacy Solicitor. Prior to joining Harper James, Lillian worked in private practice and in-house (litigation and non-litigation) in the City of London, advising on the legal and commercial dilemmas faced by organisations, from start-ups and high-growth companies to big household names, in sectors ranging from fintech, technology and hospitality to the health sector.



