The main task of the Data Protection Officer (DPO) is to ensure that an organisation processes its personal data in accordance with applicable data protection laws and provisions. The DPO therefore helps to reduce the risk of non-compliant processing, to which your company may be exposed without your knowledge. In this way, having a DPO ensures that your company has a high level of data protection compliance, that appropriate security measures are implemented and, most importantly, that your privacy risk – and therefore business risk – is properly managed.
So… why choose an external Data Protection Officer?
You might be hesitating between nominating one of your employees as a DPO or designating an external Data Protection Officer. There are several risks associated with appointing one of your employees and several advantages to choosing an external Data Protection Officer. We have listed a few of them:
Necessary expertise, skills, tools & time
Many companies do not have employees qualified in data protection and information security systems in-house. By calling on an external partner, you can ensure that your DPO has the expertise, the skills and tools necessary to fulfil this role.
Indeed, consultants are often well-trained DPOs with certifications (for instance IAPP certifications such as CIPP/E, CIPM, CIPT, etc.), and are equipped with the necessary tools. In addition, a good DPO must have excellent communication skills, a quality typically shared by consultants.
An external DPO has no conflict of interest
Appointing an external DPO also ensures that there is no conflict of interest and that the DPO is fully independent (Article 38.6 of the GDPR). The Belgian Data Protection Authority is strict on this matter, recently imposing a EUR 50,000 fine on a Telecoms Operator that appointed its Director of Compliance as DPO. In the context of his compliance and audit functions, the Director had significant operational responsibility, which meant that he was able to determine the purposes and means of processing personal data. This is incompatible with the function of DPO, who must be able to perform their tasks independently.
Anyone with decision-making power over a company's or department's activities (e.g. Heads of Departments, Directors, C-Suite) cannot also take on the role of DPO in relation to those activities without undermining the independence of the DPO role and creating a conflict of interest.
Wearing a double hat
Hiring someone internally also means giving them a double hat. A person with two functions in a company will have more difficulty detecting the risks related to the protection of personal data than someone who has an external view of the organisation.
Moreover, it may be difficult for an employee to provide a frank and independent analysis for fear of offending their management. An external DPO will better reassure your partners, shareholders and customers that you protect your data responsibly, and customer trust is priceless!
An external DPO can be cost-reducing
The appointment of an external DPO can also lead to considerable savings. The cost of an external DPO will be lower than the cost of hiring a full-time person to fulfil this function internally.
Moreover, an external DPO is flexible and works for you only when you need them. For example, an external DPO can work full-time at the beginning, during implementation, and reduce their working time in your company later, when only follow-up ("maintain and sustain") is needed. This allows you to streamline costs depending on the size of your company and on your needs.
On top of that, non-compliance and unlawful processing of personal data can have significant financial consequences. Supervisory Authorities have imposed several fines on companies that unlawfully processed the personal data at their disposal. Be cautious and call upon a professional DPO to ensure the lawfulness of your data processing!
More than just a Data Protection Officer
Finally, the use of an external DPO makes it possible to establish a transparent contract with clearly and precisely defined tasks. Depending on the needs of your company, the DPO can take care of your GDPR compliance but can also cover other tasks. For example, DPOs can provide advice and recommendations on the interpretation or application of data protection rules, inform employees of their obligations under data protection law, handle queries or complaints, alert the organisation to any failure to comply with the applicable data protection rules, advise on data protection by design, provide input to DPIAs, draft and maintain Records of Processing Activities, etc.
A DPO can also play an awareness-raising role within the company and train employees to carry out their duties in compliance with personal data protection rules.
If you are still hesitating to hire an external DPO, or if you have any questions, take a look at our DPO service or reach out below.