Outsourcing a Data Protection Officer DPO or Services
As with any area of expertise data protection can be developed in house or outsourced to a trusted third party. This paper examines the data protection outsourcing options and analyses the risks to an organisation.
When does it make sense to outsource?
Data protection is an evolving piece of legislation that requires a continued commitment to be up to date with the latest information. Unlike other processes in organisations, data protection requires a high level of effort in the initial set up stages and a lower level of effort for maintenance.
Organisations typically outsource for one or more of the following six reasons:
- Expertise – the necessity to develop a subject matter expert in house is negated. A trusted third party will have this knowledge base together with diverse experience.
- Support for in-house functions – supporting and developing appointed in-house roles.
- Resource – resource is available as it is needed; high level of effort for the initial phases and expert support to manage ongoing activity and critical events.
- Representation to regulatory authorities or EU representation for a non-EU company – front-line representation with the regulatory authorities on your behalf.
- Implementation of process – will benefit from practical experience and knowledge of best practice.
- Cost – it is often a less expensive option than the appointment of a suitably experienced internal person.
Overall, outsourcing is often a more effective way to access the appropriate skills and a positive way to minimise data protection related risk to the organisation.
What data protection processes can an organisation outsource?
Almost all data protection processes can be outsourced. This is not to be confused with the outsourcing of responsibility. The Controller is always responsible for data protection. A well written outsource agreement can mitigate against liability, however, this cannot transfer the responsibility for data protection from the Controller.
Do I need a DPO?
Organisations often jump to appoint a DPO where there is not necessarily an obligation to do so in law. Under GDPR the title of DPO is a statutory position with considerable powers and obligations. An ill-advised appointment may expose the organisation to unnecessary liabilities.
Where a DPO is not specifically necessary, obligations can often be satisfied by the appointment of a Data Protection Representative (DPR), an internal or outsourced appointment that can overlap with other responsibilities, supported by an outsourced expert support service. This may result in a more measured solution for many organisations. Determining this requirement is an important discussion to have with your service provider.
Types of outsourcing arrangements
There are a number of ways in which data protection processes can be outsourced. The most typical arrangements are:
Outsourced Data Protection Officer (DPO)
In the instance that an organisation requires a DPO this entire role may be outsourced.
Outsourced Data Protection Representative (DPR)
Where an organisation does not require a DPO it is necessary to appoint a Data Protection Representative (DPR).
This may be for the delivery of specific services (elements of implementing a Data Protection Compliance Plan: policies, processes, contract updates, DPIAs), or to provide support to an in-house DPO or DPR, typically assisting with special events such as breaches, access requests, supplier contracts, international transfers or training.
EU Representation (for non-EU companies)
There is an obligation for all non-EU companies that process personal data in the EU to appoint an EU Representative.
Avoiding an over-engineered data protection solution
The early rush to data protection compliance has resulted in many organisations committing to over-engineered solutions. When it comes to outsourcing, care should be taken to engage with third-party experts who can guide you through a balanced approach to managing your statutory obligations. New or updated processes should reasonably match the scale and nature of the organisation. Effective data protection management will avoid unnecessary disruption to the good functioning of an operation: let's not over-complicate things.
The key risks to outsourcing
While outsourcing of data protection operations can provide a cost-effective route for an organisation, it is not without risk. Actions to consider to de-risk the appointment are:
- Agree upon a risk-assessed plan – this should fulfil your obligations without over-engineering the processes, avoiding unnecessary and often expensive changes.
- Select an individual or service provider with care; a background in senior management is often more beneficial than a legal or IT background. Those with a rounded commercial experience are likely to deliver a more measured response.
- Don’t be lulled into a false sense of security. The business is ultimately responsible for data protection, and there should be an internal individual with clear responsibility for these obligations.
- Ensure that there is a detailed contract in place to govern this agreement.
EU Representation (for non-EU companies)
We have analysed the considerations for the appointment of an EU Representative here.
Identifying the right External Support
Our top four tips for finding the right person, together with an overview of the commonly available data protection qualifications, can be found here.
Getting professional support
If you could benefit from advice or support relating to the outsourcing of ‘Data Protection Officer’ or ‘Representation’ functions in your organisation please contact First Compliance for a confidential consultation.