Available at a fixed monthly cost

Get your quote today

What we offer at a glance

  • Get an external data protection officer
  • Audit of your data privacy status quo
  • GDPR support for small businesses and large corporations
  • Personal contact person & individual support
  • Easier communication with authorities
  • 100+ experts from the fields of law, economics & IT

Don't trust us, trust them:

Jedox  Logo Contact Demodesk Logo Contact Elevate Logo Contact Canon  Logo Contact CBTL Logo Contact Alasco  Logo Contact RightNow Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact

Learn more about our prices & services

or call us now: (020) 36956 452

DPO: Internal vs. external data protection officer

When it comes to an internal versus external data protection officer (DPO), there are a few differences worth noting in terms of the position itself and the costs. Companies who are legally required to appoint a DPO should consider the pros and cons of these two models seriously before deciding which model to adopt.

What you need to know in a nutshell

  • A data protection officer is someone who is responsible for managing everything around privacy and data protection. 
  • Either an internal employee or an outsourced expert can be appointed as a data protection officer.
  • Regardless of going with an internal or external solution, it is required to show expertise in the field of data protection.
  • An internal solution may still have to acquire this (certified) expertise, whereas an external data protection officer is already specialised in this field and has a lot of experience. 
  • The most important factors to consider when selecting a solution are position, costs, expert knowledge, acceptance, liability and availability.

In this article

An internal or external data protection officer?

Should you appoint an internal employee as your data protection officer or outsource the job to an external expert? This is a question that both companies that are legally required to appoint a data protection officer (DPO) and those that freely elect to do so need to consider. Before you make a choice one way or the other, it is advisable to consider the background of either option.

In this article we’ll guide you through the differences between an internal and an external data protection officer as it relates to the following topics: Company position, costs, expert knowledge, acceptance, and liability.

Internal data protection officer (DPO) = Company employee

If you decide to go with an internal data protection officer, you’ll need to appoint one of your employees. But be careful: not everyone can undertake the role. Members of the board and any employee for whom a conflict of interest might arise between their regular position in the company and the role of DPO may not hold the office. Examples of parties whose conflict of interest exclude them from assuming the role include IT managers, personnel managers and heads of marketing. An employee may only be appointed internal DPO if they have expert knowledge in the field of data protection law and are up to this high-responsibility job.

External data protection officer (DPO) = Independent expert

At external data protection officer, also known as an outsourced data protection officer is a certified data protection expert who is not employed at your company, but instead works for you as an external service provider. Having gone through the necessary training, an external DPO has a high degree of expert knowledge in the field of data protection law. As an independent expert, an external service provider can perform the full range of tasks required of a DPO.

Read more about the job of an external data protection officer in this article

What are the differences between an internal and an external DPO?

While the activities are ultimately the same, there are meaningful differences between an internal and an external DPO.


An internal data protection officer is a company employee, one who will enjoy extensive protection against dismissal after being appointed DPO. In contrast, an external DPO works in accordance with the service agreement your company concludes with them; the notice period is up for negotiation.


In addition to paying the regular salary, employing an internal DPO will incur additional costs for training, employee downtime and technical literature. It is hard to calculate the total sum of these costs in advance. An external data protection expert on the other hand is remunerated according to a transparent pricing model. Their fees are specified in the service agreement with your company.

You can find more about the salary and costs of a DPO in this article

Expert knowledge

Internal data protection officers must first obtain the necessary data privacy knowledge through time-consuming and costly training courses.Even then, they will have to learn the ropes before they can fully assume the responsibilities of the role. In comparison, external DPOs are certified data protection experts who possess the necessary qualifications from day one – even when they (unlike an internal DPO) first must become familiar with your operational processes.


Experience shows that internal data protection officers are often accepted less within their companies than their external counterpart. This can affect cooperation among employees as demonstrated by hesitation or even refusal to answer questions asked by the internal DPO. This is particularly true when it comes to obtaining information from managers, or if the data protection officers try to communicate specific privacy concerns about certain processing methods. In this case, an external data protection officer is at an advantage as an external, independent expert.


If an internal DPO makes a mistake when performing privacy-related tasks, the executive board bears full responsibility for any infringements against the GDPR, so the company itself retains the full risk of liability. An external DPO assumes a portion of the liability and is insured accordingly. This means that they can pay for losses caused by fines or warning letters if they are the result of insufficient advice.


An internal data protection officer may not always be available to work – be it due to sickness, holiday leave or pressing business matters. Very few companies have an alternative representative for such cases. This could cause problems, especially when there are deadlines to be met. For instance, data breaches must be reported to the competent authority within 72 hours – whether it’s the weekend or during the holidays. With the entire team of DataGuard experts acting as an external DPO, your company will always have a point of contact – when you urgently need one.


When data protection is implemented properly it can enable your business with a huge competitive advantage. Therefore, you should always make it a priority and decide wisely who your business will appoint as the official data protection officer. This expert can either be an internal solution, but also a designated external solution. 



Image CTA Expert Male 2

DataGuard is offering a first consultation on data protection free of charge.

If you're interested in outsourcing your DPO position or if your internal DPO needs consultancy on specific topics, our experts are happy to help. Just feel free to reach out to us.

About the author

Ren Watson

As a results-focussed analyst, Ren has worked in many industries including finance, charity and start-ups and became interested in data protection as a focus over the last decade. Using her analyst skills alongside her data protection expertise, she has consulted with charity, media and energy companies to understand their data protection requirements and has provided guidance and support for implementation of multiple privacy programmes. Today, she provides multi-functional support and awareness within DataGuard and to clients to promote privacy beyond compliance.

Explore more articles