DPO-as-a-Service
Matt Meinel
A Compliant and Cost-Effective Way to Protect Your Company’s Personal Data
Businesses have a data-privacy compliance challenge.
More privacy laws mean increasingly complicated and costly regulatory risks for companies that collect, use, or store personal data. As a result, businesses need privacy professionals to mitigate these risks. And some laws, including the EU General Data Protection Regulation (GDPR), require the appointment of a Data Protection Officer (DPO) to oversee compliance and liaise with regulatory authorities.
This creates a staffing challenge. Fully qualified privacy professionals are hard to find, and existing internal resources may not have the expertise or independence to satisfy the GDPR’s strict DPO requirements.
But there’s a solution.
The GDPR and other data protection laws allow companies to contract with an external resource to serve as the DPO in what is known as a DPO-as-a-service model (“DPOaaS” or an “External DPO”). The External DPO solution allows businesses to appoint a team of true privacy experts as their DPO without straining overwhelmed and potentially underqualified internal resources.
How should a company decide whether to outsource its DPO?
This is a multifactor decision, with the various requirements and considerations falling into three groups: (1) expertise and qualifications; (2) independence and conflicts of interest; and (3) cost.
1) Expertise and qualifications
DPOs must have a wide range of cross-functional knowledge and skills, such as:
Expertise in data privacy/protection law
Knowledge of business strategy
Experience with training and cultural awareness campaigns
Ability to represent the company to the public and regulators
Few individuals embody all these requirements, and those that do are likely high-level managers with many oversight responsibilities and insufficient capacity to implement and manage an additional compliance initiative.
But contracting with a DPOaaS provider guarantees the cross-functional support your company needs to have an effective privacy program.
External DPOs are full-time privacy experts who have and maintain privacy-specific certifications and recognitions, such as the prestigious Fellow of Information Privacy (FIP) designation.
An external DPO has experience creating and running privacy programs and benefits from best practices learned by advising multiple clients.
DPOaaS contracts include a full support team made up of attorneys, corporate trainers, forensics examiners, or other privacy professionals who provide the broad expertise required for success.
2) Independence and conflicts of interest
Per the GDPR, the DPO must operate in an “independent manner,” “free from conflicts of interest.”
EU regulators take this independence requirement seriously and can construe it narrowly. For example, one regulator determined that a company demonstrated a “high degree of negligence” by appointing its “head of compliance, audit, and risk” as DPO because that employee was not sufficiently independent.
Let that sink in: The regulator said the head of internal audit was not independent enough to be DPO.
External DPOs are clearly independent and free of conflicts of interest internal to the company because they are objective third parties, akin to auditors, outside counsel, or business consultants.
“Let that sink in: The regulator said the head of internal audit was not independent enough to be DPO.”
3) Cost
Internal DPOs are expensive due to basic supply and demand. There is a limited number of qualified DPOs, but to date, over 500,000 companies have registered DPOs with European regulators.
The average DPO salary is $100,000. But to calculate the full cost of having a DPO, a business must consider not only salary but also its obligations to support the DPO by expensing continuing training and providing adequate support staff. This creates fixed long-term costs for the company.
An External DPO’s service contract can be customized to meet the business need and thereby save money.
For example, the service contract may provide for a few fixed hours of service per month but still allow for additional hours for significant projects.
DPOaaS providers can reduce costs and improve deliverable quality through delegation and specialization of the team members.
Conclusion: Consider DPO outsourcing to meet compliance obligations and minimize overall spend.
Some companies have the capacity, resources, and need to hire a well-qualified DPO. For many companies, however, the internal privacy-staffing options would result only in an underqualified, understaffed DPO or exceeding company budgets to hire a fully compliant privacy department.
Fortunately, DPOaaS provides a cost-efficient method for staffing a privacy program with experts in their fields.