External data protection officers: An overview

What you need to know, in a nutshell 

• The term “external data protection officer” covers various service models, which can vary significantly in their service ranges and costs.
• For the most part, companies will benefit from deciding to use an external data protection officer instead of an internal one – especially when it comes to the financial benefits.
• The benefits of an external DPO mean more specialist expertise, neutrality and better acceptance within the company, as well as no protection against dismissal, more favourable liability regulations, and full availability.
• When selecting an external DPO, consider factors other than just legal qualifications. A truly competent DPO will stand out with qualities such as (industry) experience and a respectable price-performance ratio, as well as software support and an interdisciplinary team.
• The everyday duties of a data protection officer include giving advice as well as the coordination and monitoring of processes in which data is processed. They will also train staff, work with the data protection authorities, and put together various documents.
• If you decide to stop working with them, this is much easier than having an internal data protection officer, who would be extensively protected against dismissal. All you must do is terminate the service contract on time or wait for it to expire. 

In this article

• What you should know about external data protection officers
• Why do companies need a data protection officer in the first place?
• Which companies are external data protection officers suited to?
• What requirements does an external data protection officer need to fulfil?
• List Snippet: What benefits does an external data protection officer provide?
• How does a company work with an external partner?
• Conclusion

What you should know about external data protection officers

An external data protection officer is an external service provider who takes responsibility for operational data privacy within a company. Unlike internal data protection officers, they are not in-house employees who are trained accordingly and receive additional qualifications. Instead, they work as external partners. 

At this point, it is important for you to know that the umbrella term “external data protection officer” covers various service models, with varying service levels:

• Law firms and IT experts with the relevant additional qualifications often operate merely as data privacy advisors who provide you with comprehensive advice and support but will charge you handsome hourly rates.
• Most basic software-as-a-service (SaaS) providers meet only the minimum legal requirements for the formal appointment of a DPO. They hardly ever provide further advice or support, but they do charge proportionately cheaper monthly flat fees. 
• Hybrid service providers such as DataGuard combine both approaches. We will ensure that you are supported in person and via software by a data privacy expert. There are generally different service packages for different data privacy requirements to choose from, with according monthly flat rates. 

Why do companies need a data protection officer in the first place? 

Article 37 of the General Data Protection Regulation (GDPR) and the UK GDPR state that certain companies are legally obliged to appoint a data protection officer.

This includes companies that fall into one of the following two criteria: 

1. Your core activities require large scale, regular and systematic monitoring of individuals. 
2. The company processes a large scale of sensitive personal data However, it is not just companies who are obliged to appoint a data protection officer who will benefit from doing so. Almost all companies process personal data in some form. If this data is not handled lawfully, the company could face large fines, which a good data protection officer may help prevent

For which companies is an external data protection officer a good idea?

Generally speaking, companies should always look for an external partner if they feel overwhelmed with the task of training and appointing one of their own members of staff. This happens mainly to small companies, joint practices and authorities. 

However, it is also worth it for most other companies to choose an external DPO – especially when it comes to finances. The training, qualification and salary costs of an internal data protection officer is usually significantly higher than the costs of an external DPO.

If a company or corporation is already using an internal DPO, or even a whole team of DPOs and data privacy coordinators, an external service provider can be useful to answer very specific technical questions and provide any relevant knowledge that may be needed.

Learn about the costs associated with outsourced DPO services in our blog article Data Protection Officer salary: costs for an external or internal DPO

What requirements does an external data protection officer need to fulfil? 

The GDPR and the UK GDPR do not state specifically what qualifications a data protection officer requires, however Article 37 (5) states the following: 

“The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” 

A DPO can demonstrate this ability with a specialist qualification. We will explain below in more detail what their specific tasks are. 

However, in general you should not settle for these basic legal requirements. A truly good data protection officer has significantly more to offer, as we will go into in the section about the qualities of an external DPO. 

What benefits does an external data protection officer provide? 

1. No protection against dismissal 
2. Conservation of internal staff resources 
3. Acceptance 
4. Neutrality 
5. Expert knowledge 
6. Availability 
7. Lower costs 
8. Liability 

No protection against dismissal 

Internal data protection officers are vital for autonomous data privacy and as such, they enjoy extensive protection against dismissal. Removing them from their post is only possible in the event of serious breaches of duty, and termination after that is generally complicated due to the legal protection they possess. 

An external data protection officer does not have any such special termination right. You can dismiss them in accordance with the notice period in the service contract, or you can simply wait for the contract to expire. 

Conservation of internal staff resources 

Small companies in particular have to hire every member of staff completely on a project-by-project basis. Often, they cannot afford to lose an employee for several hours a week so that they can perform their duties as a data protection officer. However, an external data protection officer will not put a strain on your internal staff resources. 

Acceptance 

Experience shows that internal data protection officers are often accepted less within their companies, and they are not necessarily taken seriously in their new roles. This is particularly true when it comes to obtaining information from managers, or if the data protection officers try to communicate specific concerns about certain processing methods. A lack of willingness to cooperate could then be reflected in hesitation or even refusal to answer questions asked by the DPO. 

In this case, external data protection officers generally enjoy more trust and respect as external, independent experts. 

Neutrality 

When performing their duties, data protection officers are not allowed to have conflicts of interest. For this reason, a managing director, for instance, cannot be a DPO at the same time. However, when an internal data protection officer is appointed, there is generally a risk of bias when they don’t want to become unpopular amongst their colleagues, or if they fear reprisal. 

On the other hand, external data protection officers are a neutral party whose sole task is to guarantee complete, legally compliant data privacy, which means that conflicts of interest are excluded. 

Expert knowledge 

Internal data protection officers first must obtain the necessary data privacy knowledge by means of time-consuming and costly training courses, and even then, they will start with a lack of practical experience and routine. In comparison, external DPOs are certified experts and directly apply the relevant specialist knowledge – even when they (unlike an internal DPO) first must become familiar with your operational processes. 

Availability 

An internal data protection officer may not come into work sometimes – be it due to sickness, holiday leave or urgent business requirements. Only very few companies have a representative for such cases who is just as extensively trained. This could cause problems, especially when certain deadlines must be met (e.g., reporting a data breach within 72 hours). 

In contrast, an external data protection officer ideally has a whole team behind them, meaning that a colleague can stand in as a point of contact at any time. 

How much does an external DPO cost? 

External hybrid service providers such as DataGuard offer packages starting at around 150 GBP per month. 

However, as different service providers are included in the umbrella term “external data protection officer”, the standard monthly costs can vary considerably. Factors such as the number of staff and the industry in which the company operates also influence the price. What matters is not only that you always keep an eye on the total costs, but also compare the detailed services that external partners offer for their prices. 

Internal data protection officers almost always end up being more expensive, because training costs are incurred, and they expect a higher salary at the same time. A data protection officer who devotes 20 percent of his or her working hours to data privacy easily results in five-figure costs each year. 

When is an external DPO liable? 

An external data protection officer is liable to the extent specified in the service contract. External DPOs thus accept a portion of the liability and are insured accordingly. This means that they can pay for loss caused by fines or warning letters, if they are a result of insufficient advice. 

GDPR fines 

With the GDPR and the UK GDPR the applicable fines have increased. If a company does not comply with its obligation to appoint a data protection officer, it will be punished with a fine of up to approximately 8.8 million GBP or two percent of its annual revenue. In the case of serious data breaches, companies could even be faced with fines of double that amount. 

How expensive is a data breach for your company?

You cannot put a reliable figure on that. The loss of confidence amongst customers alone is enough to bankrupt a company. Investment in data privacy is therefore a must and certainly pays dividends. If a data breach does happen, our GDPR fine calculator will provide you with an initial guide. 

At DataGuard your business can also benefit from the advatages of our hybrid approach that not only provides a easy to use platform but also personal consultation when ever you need it. Not sure what this exactly means? Our expert will help you with any questions.

How does a company work with an external partner? 

Below, we will guide you step by step through the process – from the search for a partner and everyday collaboration to their dismissal. 

The search: How does an external data protection officer demonstrate their ability? 

(Industry) experience, verifiable qualifications and a respectable price-performance ratio are what make a good external data protection officer stand out. They should also have an automated software tool that enables the efficient handling of processes. Finally, an interdisciplinary team in the background is vital to guarantee constant and expert advice. 

As soon as you start your (online) search for an external DPO, you will be bombarded with various offers. In order to select the best partner for you, you should therefore consider not only the legally required qualifications, but also the other qualities described – the ones that distinguish the best data privacy partner. 

At DataGuard, over 100 generalists and experts (including legal professionals, IT specialists, engineers and economists) work fervently to look after your data privacy. At monthly prices starting from £150, not only will you have an external DPO by your side at all times, but you will also receive comprehensive advice about all data privacy matters, and an online platform with which we digitalise and automate all processes.

The contract:  How do I appoint an external DPO? 

You would also enter into a service agreement with the external DPO, specifying the details of your business relationship. This agreement will also determine the duration and notice period of the service, as well as the agreed price, the DPO’s specific scope of responsibility, and the requirements for their dismissal and reappointment. You can also contractually agree the intervals at which the DPO will inform the executive management about the course of their work and propose amendments. 

Once you have found the right service provider, you must appoint them. This is a task for the executive management. You will have to communicate the appointment of your external DPO to the Information Commissioner's Office so they may record their details as your DPO.

Collaboration: How does an external advisor guarantee optimal data privacy? 

The tasks of a data protection officer are specified in Article 39 GDPR and UK GDPR: 

• They train and advise the management and staff who are entrusted with data processing on their duties which result from GDPR and UK GDPR. 
• They also coordinate all data privacy activities, generally using a data privacy management system. 
• They monitor strategies (and their success) to comply with all data privacy regulations. This includes the allocation of responsibility as well as raising awareness and training those who process data. 
• Upon request, they advise the management in relation to the data protection impact assessment and its implementation. 
• They work with the supervisory authorities and act as their point of contact for matters to do with data processing. 

An external data protection officer starts its work with an initial inspection of the company and an audit of the existing relevant data processing methods. The DPO will also regularly compile various documents: 

• An executive summary for decision makers within the company 
• An action plan that specifies the implementation of the data privacy regulations 
• An annual activity report 
• Various models to help simplify everyday data processing 

Ending the collaboration: How do I dismiss an external data protection advisor? 

If you want to fill the position of data protection officer with somebody new, you first must dismiss the current DPO. If you are using an internal data protection officer, that is only straightforward if there are serious grounds to do so. However, even if it is possible to remove that employee from their post, they will still have protection against dismissal and will have to be employed somewhere else in the company. 

It is a considerably easier process when using an external data protection officer. You can dismiss them in accordance with the notice period in the service contract, or you can simply wait for the contract to expire. 

Conclusion 

Regardless of whether you are legally obliged to appoint a data protection officer, in most cases it is a good choice to work with an external data privacy expert. Extensive expertise, neutrality, liability acceptance and the cost factor all speak in favour of this solution. 

When searching for a DPO, don’t just concentrate on meeting the minimum legal standards. You should also value practical experience, transparent pricing, an interdisciplinary background team, and a helpful software tool which the external DPO should personally have available. 

You are also completely flexible in how you work together: An external DPO can be appointed and dismissed quickly, as you do not have to consider any protection against dismissal in this case. 

There are still some questions that you would like to get answered? Feel free to reach out to one of our experts.