The main task of the Data Protection Officer (DPO) is to ensure that an organisation processes personal data in accordance with the applicable data protection laws and provisions. The DPO therefore helps to reduce the risk of non-compliant processing, a risk to which your company may be exposed without knowing it. Having a DPO gives your company a high level of data protection compliance, ensures that appropriate security measures are implemented and, most importantly, ensures that your privacy risk, and therefore your business risk, is properly managed.
You may be weighing up whether to appoint one of your employees as DPO or to designate an external one. There are several risks associated with appointing one of your employees and several advantages to choosing an external DPO. We have listed a few of them:
- Many companies do not have employees qualified in data protection and information security in-house. By calling on CRANIUM, you can ensure that your DPO has the expertise, skills and tools necessary to fulfil this role. All our consultants are trained as DPOs in data protection and security, are equipped with the necessary tools by CRANIUM, and many hold IAPP certifications (such as CIPP/E, CIPM and CIPT) to carry out their mission. In addition, a good DPO must have excellent communication skills, a quality shared by all our consultants.
- Appointing an external DPO also ensures that there is no conflict of interest and that the DPO is fully independent (Article 38(6) of the GDPR). The Belgian Data Protection Authority is strict on this matter: it recently imposed a EUR 50,000 fine on a telecoms operator that had appointed its Director of Compliance as DPO. In his compliance and audit functions, the Director had significant operational responsibility and was therefore able to determine the purposes and means of processing personal data. This is incompatible with the function of DPO, who must be able to perform his or her tasks independently. In practice, anyone with decision-making power over a company's or department's activities (e.g. Heads of Department, Directors, C-suite) cannot also take on the role of DPO in relation to those activities without undermining the independence of the DPO role and creating a conflict of interest.
- Appointing someone internally also means giving them two hats. A person with two functions in a company will find it harder to detect the risks related to the protection of personal data than someone with an external view of the organisation. Moreover, it may be difficult for an employee to provide a frank and independent analysis for fear of offending their management. An external DPO will better reassure your partners, shareholders and customers that you protect your data responsibly, and customer trust is priceless!
- Appointing an external DPO can also lead to considerable savings. The cost of an external DPO will be lower than the cost of hiring a full-time person to fulfil this function internally, because an external DPO is flexible and works for you only when you need them. For example, an external DPO can work full-time at the beginning, during implementation, and reduce their working time in your company later, when only follow-up ("maintain and sustain") is needed. This allows you to scale costs to the size of your company and to your needs. Moreover, non-compliance and unlawful processing of personal data can have significant financial consequences: supervisory authorities have imposed several fines on companies that processed the data at their disposal unlawfully. Be cautious and call upon a professional DPO to ensure the lawfulness of your data processing!
- Finally, using an external DPO makes it possible to establish a transparent contract with a clear, precise and varied set of tasks. Depending on the needs of your company, the DPO can take care of your GDPR compliance but can also cover other tasks. For example, a DPO can provide advice and recommendations on the interpretation or application of data protection rules, inform employees of their obligations under data protection law, handle queries or complaints, alert the organisation to any failure to comply with the applicable data protection rules, advise on data protection by design, provide input to DPIAs, and draft and maintain Records of Processing Activities. A DPO can also play an awareness-raising role within the company and train employees to carry out their duties in compliance with personal data protection rules.