When it comes to an internal versus external data protection officer (DPO), there are a few differences worth noting in terms of the position itself and the costs. Companies who are legally required to appoint a DPO should consider the pros and cons of these two models seriously before deciding which model to adopt.
What you need to know in a nutshell
- A data protection officer is someone who is responsible for managing everything around privacy and data protection.
- Either an internal employee or an outsourced expert can be appointed as a data protection officer.
- Regardless of going with an internal or external solution, it is required to show expertise in the field of data protection.
- An internal solution may still have to acquire this (certified) expertise, whereas an external data protection officer is already specialised in this field and has a lot of experience.
- The most important factors to consider when selecting a solution are position, costs, expert knowledge, acceptance, liability and availability.
In this article
- An internal or external data protection officer?
- Internal data protection officer (DPO) = Company employee
- External data protection officer (DPO) = Independent expert
- What are the differences between an internal and an external DPO?
An internal or external data protection officer?
Should you appoint an internal employee as your data protection officer or outsource the job to an external expert? This is a question that both companies that are legally required to appoint a data protection officer (DPO) and those that freely elect to do so need to consider. Before you make a choice one way or the other, it is advisable to consider the background of either option.
In this article we’ll guide you through the differences between an internal and an external data protection officer as it relates to the following topics: Company position, costs, expert knowledge, acceptance, and liability.
Internal data protection officer (DPO) = Company employee
If you decide to go with an internal data protection officer, you’ll need to appoint one of your employees. But be careful: not everyone can undertake the role. Members of the board and any employee for whom a conflict of interest might arise between their regular position in the company and the role of DPO may not hold the office. Examples of parties whose conflict of interest excludes them from assuming the role include IT managers, personnel managers and heads of marketing. An employee may only be appointed internal DPO if they have expert knowledge in the field of data protection law and are up to this high-responsibility job.
External data protection officer (DPO) = Independent expert
An external data protection officer, also known as an outsourced data protection officer, is a certified data protection expert who is not employed at your company, but instead works for you as an external service provider. Having gone through the necessary training, an external DPO has a high degree of expert knowledge in the field of data protection law. As an independent expert, an external service provider can perform the full range of tasks required of a DPO.
Read more about the job of an external data protection officer in this article.
What are the differences between an internal and an external DPO?
While the activities are ultimately the same, there are meaningful differences between an internal and an external DPO.
An internal data protection officer is a company employee, one who will enjoy extensive protection against dismissal after being appointed DPO. In contrast, an external DPO works in accordance with the service agreement your company concludes with them; the notice period is up for negotiation.
In addition to paying the regular salary, employing an internal DPO will incur additional costs for training, employee downtime and technical literature. It is hard to calculate the total sum of these costs in advance. An external data protection expert on the other hand is remunerated according to a transparent pricing model. Their fees are specified in the service agreement with your company.
You can find more about the salary and costs of a DPO in this article.
Internal data protection officers must first obtain the necessary data privacy knowledge through time-consuming and costly training courses. Even then, they will have to learn the ropes before they can fully assume the responsibilities of the role. In comparison, external DPOs are certified data protection experts who possess the necessary qualifications from day one – even though they (unlike an internal DPO) must first become familiar with your operational processes.
Experience shows that internal data protection officers are often less accepted within their companies than their external counterparts. This can affect cooperation with employees, as demonstrated by hesitation or even refusal to answer questions asked by the internal DPO. This is particularly true when it comes to obtaining information from managers, or when the data protection officer tries to communicate specific privacy concerns about certain processing methods. In such cases, an external data protection officer is at an advantage as an external, independent expert.
If an internal DPO makes a mistake when performing privacy-related tasks, the executive board bears full responsibility for any infringements against the GDPR, so the company itself retains the full risk of liability. An external DPO assumes a portion of the liability and is insured accordingly. This means that they can pay for losses caused by fines or warning letters if they are the result of insufficient advice.
An internal data protection officer may not always be available to work – be it due to sickness, holiday leave or pressing business matters. Very few companies have an alternative representative for such cases. This could cause problems, especially when there are deadlines to be met. For instance, data breaches must be reported to the competent authority within 72 hours – whether it’s the weekend or during the holidays. With the entire team of DataGuard experts acting as an external DPO, your company will always have a point of contact when you urgently need one.
When data protection is implemented properly, it can give your business a huge competitive advantage. Therefore, you should always make it a priority and decide wisely whom your business will appoint as the official data protection officer. This expert can be either an internal solution or a designated external solution.
DataGuard is offering a first consultation on data protection free of charge.
If you're interested in outsourcing your DPO position or if your internal DPO needs consultancy on specific topics, our experts are happy to help. Just feel free to reach out to us.