DPO: Internal vs. external data protection officer

When it comes to an internal versus external data protection officer (DPO), there are a few differences worth noting in terms of the position itself and the costs. Companies that are legally required to appoint a DPO should weigh the pros and cons of these two models seriously before deciding which one to adopt.

What you need to know in a nutshell

  • A data protection officer is someone who is responsible for managing everything around privacy and data protection.
  • Either an internal employee or an outsourced expert can be appointed as a data protection officer.
  • Whichever solution you choose, the appointed person must be able to demonstrate expertise in the field of data protection.
  • An internal candidate may still have to acquire this (certified) expertise, whereas an external data protection officer is already specialised in this field and has a lot of experience.
  • The most important factors to consider when selecting a solution are position, costs, expert knowledge, acceptance, liability and availability.

An internal or external data protection officer?

Should you appoint an internal employee as your data protection officer or outsource the job to an external expert? This is a question that both companies that are legally required to appoint a data protection officer (DPO) and those that freely elect to do so need to consider. Before you make a choice one way or the other, it is advisable to consider the background of either option.

In this article we’ll guide you through the differences between an internal and an external data protection officer as they relate to the following topics: company position, costs, expert knowledge, acceptance, and liability.

Internal data protection officer (DPO) = Company employee

If you decide to go with an internal data protection officer, you’ll need to appoint one of your employees. But be careful: not everyone can undertake the role. Members of the board and any employee for whom a conflict of interest might arise between their regular position in the company and the role of DPO may not hold the office. Examples of parties whose conflict of interest excludes them from assuming the role include IT managers, personnel managers and heads of marketing. An employee may only be appointed internal DPO if they have expert knowledge in the field of data protection law and are up to this high-responsibility job.

External data protection officer (DPO) = Independent expert

An external data protection officer, also known as an outsourced data protection officer, is a certified data protection expert who is not employed at your company, but instead works for you as an external service provider. Having gone through the necessary training, an external DPO has a high degree of expert knowledge in the field of data protection law. As an independent expert, an external service provider can perform the full range of tasks required of a DPO.

Read more about the job of an external data protection officer in this article.

What are the differences between an internal and an external DPO?

While the activities are ultimately the same, there are meaningful differences between an internal and an external DPO.

Position

An internal data protection officer is a company employee, one who will enjoy extensive protection against dismissal after being appointed DPO. In contrast, an external DPO works in accordance with the service agreement your company concludes with them; the notice period is up for negotiation.

Costs

In addition to paying the regular salary, employing an internal DPO will incur additional costs for training, employee downtime and technical literature. It is hard to calculate the total sum of these costs in advance. An external data protection expert on the other hand is remunerated according to a transparent pricing model. Their fees are specified in the service agreement with your company.

You can find more about the salary and costs of a DPO in this article.

Expert knowledge

Internal data protection officers must first obtain the necessary data privacy knowledge through time-consuming and costly training courses. Even then, they will have to learn the ropes before they can fully assume the responsibilities of the role. In comparison, external DPOs are certified data protection experts who possess the necessary qualifications from day one, even though they (unlike an internal DPO) must first become familiar with your operational processes.

Acceptance

Experience shows that internal data protection officers are often accepted less within their companies than their external counterparts. This can affect cooperation with employees, who may hesitate or even refuse to answer questions asked by the internal DPO. This is particularly true when it comes to obtaining information from managers, or when the data protection officer tries to communicate specific privacy concerns about certain processing methods. In this case, an external data protection officer is at an advantage as an external, independent expert.

Liability

If an internal DPO makes a mistake when performing privacy-related tasks, the executive board bears full responsibility for any infringements against the GDPR, so the company itself retains the full risk of liability. An external DPO assumes a portion of the liability and is insured accordingly. This means that they can pay for losses caused by fines or warning letters if they are the result of insufficient advice.

Availability

An internal data protection officer may not always be available to work – be it due to sickness, holiday leave or pressing business matters. Very few companies have an alternative representative for such cases. This could cause problems, especially when there are deadlines to be met. For instance, data breaches must be reported to the competent authority within 72 hours – whether it’s the weekend or during the holidays. With the entire team of DataGuard experts acting as an external DPO, your company will always have a point of contact – when you urgently need one.

Conclusion

When data protection is implemented properly, it can give your business a huge competitive advantage. Therefore, you should always make it a priority and decide wisely whom your business will appoint as the official data protection officer. This expert can be either an internal or a designated external solution.

About the author

Ren Watson

As a results-focussed analyst, Ren has worked in many industries including finance, charity and start-ups and became interested in data protection as a focus over the last decade. Using her analyst skills alongside her data protection expertise, she has consulted with charity, media and energy companies to understand their data protection requirements and has provided guidance and support for implementation of multiple privacy programmes. Today, she provides multi-functional support and awareness within DataGuard and to clients to promote privacy beyond compliance.
