- External data protection officers provide independent, specialised support in complying with data protection regulations
- They take on tasks such as training, data protection impact assessments and the development of policies
- External DPOs are cost-efficient and avoid conflicts of interest within the company
- Kertos supports companies with expert knowledge and tailored solutions by providing them with an external data protection officer
The Development of the Role of the Data Protection Officer in Europe
Even before the enactment of an omnibus data protection law, like GDPR, that applies across the European Union, the roles of DPOs were required under different jurisdictions. For example, Germany, under the Federal Data Protection Act (BDSG); France, under the Data Protection Act (Loi Informatique et Libertes); and Spain, under the Organic Law on Data Protection (LOPD), required companies to appoint DPOs to ensure compliance with data protection laws.
However, the role of DPOs only became standardised and uniformly defined after the enactment of the GDPR in the EU, with other nations following suit. The GDPR provides a detailed framework for organisations appointing data protection officers, covering their roles, responsibilities, and qualifications. Now that DPOs have become a common requirement, companies are increasingly recognising their importance in ensuring compliance.
Article 37 of the GDPR requires all public authorities to appoint a DPO. Under Article 38(1) of the GDPR, the DPO must be involved "properly and in a timely manner, in all issues related to personal data protection" in order to carry out data protection tasks to the full extent. Additionally, private organisations must appoint a DPO in the following cases:
- Their core activities involve the regular and systematic monitoring of individuals on a large scale.
- They conduct large-scale processing of special categories of personal data, including data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs.
According to statutory provisions, a data protection officer may be either outsourced to an external provider or hired internally. For resource-constrained companies, the cost of hiring and maintaining an in-house data protection officer can be high. Such companies therefore often rely on external data protection officers, whose responsibilities are the same as those of internal ones.
Difference between an internal and an external DPO
The difference between an internal and an external data protection officer lies in the employment terms: an internal DPO is a permanent employee, whereas an external DPO is engaged under a service contract, which gives companies the flexibility to contract on demand.
External DPOs also offer independent oversight, which frees companies from internal conflicts of interest. While an internal solution may still have to acquire certified expertise—the training cost of which a company has to bear—an external data protection officer comes with proven expertise in the field.
Additionally, not everyone in a company can take on the role of a data protection officer. Anyone whose regular position would create a conflict of interest with the role of DPO, for example board members, cannot be appointed.
IT managers, personnel managers, and marketing heads are apt profiles for an internal DPO, but they too require expertise in the field of data protection law. Comparatively, an external data protection officer is an outsourced data protection officer who is not employed directly by a company and has expert knowledge of data protection law.
Primary responsibilities of an external DPO
Among the broad range of duties that a data protection officer is responsible for, the main ones include acting as a mediator, serving as the contact person for the supervisory authority, and providing the supervisory authority with the documents and information it needs to exercise its investigative, corrective, authorisation, and advisory powers.
At its crux, an external DPO plays the sole role of ensuring compliance with data protection regulations and has no other decision-making powers. DPOs make sure that the personal data of customers, employees, providers, or any other individuals is processed in compliance with applicable data protection rules.
A DPO engages in internal discussions when advice on data protection best practices is required to devise policies and procedures in compliance with applicable data protection laws and regulations. Working in collaboration with other departments, including IT, compliance, legal, and business units, they address the issues with data protection, implement privacy measures to address the risks, and share ideas on data protection principles and best practices.
The DPO advises data controllers on whether to carry out the data protection impact assessment (DPIA), methods to be used to carry out the DPIA, and when it is necessary to engage outside resources to carry out the DPIA. Based on the findings of the DPIA, the DPO further advises controllers on whether abandoning the operation altogether is optimal or whether implementing safeguards can ensure compliance. Their insights at the beginning of a new project or initiative, as well as during any changes made in business processes that may impact the privacy rights of individuals or the company itself, are invaluable.
Why do companies need an external data protection officer?
1. Expertise and up-to-date knowledge
DPOs are multi-disciplinary individuals. To carry out their role effectively, they need a knowledge set that covers not only privacy regulations but also IT, risk, data management, and business insight. Expertise in the field of data protection law and practice is a must (in particular, high-level competence and distinctive IT knowledge).
The requirement for such a high degree of knowledge and expertise makes it difficult for organisations to fill the position adequately. An external DPO is often not a single individual but a team of specialists. Collectively, their familiarity with the latest data protection legislation, guidance, case law, and best practices, in addition to ensuring compliance, adds value to a business and its people at multiple touch points.
In cases of data breaches or companies facing reputational damage, their expertise in navigating through the crisis and mitigating the impact matters the most. External DPOs can help them take the necessary steps and mitigative measures to protect their reputation and customer trust. With a team of specialists dedicated to data protection issues, organisations can make sure they stand firm in the face of challenges.
2. Cost-effectiveness
Expenses for an internal DPO go beyond recruiting and regular salary and include additional costs for training, employee downtime, and technical literature. Organisations may not evaluate the total sum of these costs in advance and regret it later. By comparison, the costs for an external data protection officer can be calculated in advance based on the specific requirements of the company. Most external DPOs have a transparent pricing model that organisations can specify in the service agreement. This tailored approach results in significant cost savings.
3. Independence and neutrality
It has been accurately observed that the DPO embodies the roles and functions of the supervisory authority (such as a national data protection authority) within an organisation. Simply put, the DPO acts as an in-house regulator overseeing data protection practices. Therefore, they should have a neutral and independent function and not be subject to the management's directives or instructional authority.
The GDPR envisages that the DPO should perform their work in an independent manner. In accordance with Article 38(3), the DPO is not subject to instructions and is directly subordinated to the highest management level. This means that controllers do not have the authority to direct how DPOs carry out their tasks. For example, controllers cannot interfere with a DPO's decisions in order to reach a particular conclusion, or alter the investigative findings of a complaint.
The DPO should report to the highest level of management in an organisation, such as the board of directors. This ensures that management is promptly informed of data protection matters. External DPOs are free from having their autonomy compromised, as is the case with internal DPOs when they're put in positions where conflicts of interest arise.
4. Flexibility
External DPOs are ready-made teams, which allows them to adapt quickly to the tailored requirements of companies. This is best suited to organisations where the need for data protection oversight goes up or down over time, for example businesses with fluctuating workloads or seasonal peaks in data processing activities.
It also helps companies in scenarios where changes in the regulatory landscape are introduced, which could require an extensive internal restructuring. Hiring external DPOs allows businesses to allocate their internal resources efficiently. Simultaneously, it enables internal personnel to focus on their core business activities, while external DPOs ensure compliance.
What does an external data protection officer do?
1. Employee training
The knowledge transfer and sensitisation of staff in data protection matters is one of the key components of keeping a company on course for compliance. Through close interaction with team members, an external DPO develops tailored training programmes to ensure a sufficient level of privacy awareness among them. It includes educating staff on data protection regulations, policies, and best practices.
Whenever changes are made to existing data protection laws and regulations, the DPO conducts training sessions to update employees' knowledge. Through targeted training, the external DPO promotes awareness of the careful and compliant handling of sensitive data and fosters a culture of compliance.
2. Policy and procedure development
DPOs are responsible for creating and implementing policies and procedures to promote best practices in handling sensitive personal data.
- Policy development includes outlining a framework for the lawful collection, processing, storage, and deletion of data. With changes in business processes, technologies, or applicable laws, external DPOs review the company's privacy-related documents and make relevant updates as best suited.
- Establishing procedures for data handling includes documenting data processing activities, implementing access controls to ensure only authorised individuals have access to sensitive information, and limiting data collection and processing to what is necessary for company-specific purposes.
- Preparing incident response plans that outline steps to be taken in the event of a data breach or security incident, including the development of strategies for mitigating the impact of data breaches. It also includes, as required under GDPR, notifying regulatory authorities and affected data subjects about the scope and nature of the incidents.
3. Contact with supervisory authorities and data subjects
The DPO serves as the central point of contact between the organisation, data subjects, and regulatory authorities. Acting as a liaison between these parties, they address enquiries, concerns, or requests related to data protection.
It's the primary role of a DPO to ensure that the rights of data subjects are respected (Article 15, GDPR) and that their requests for access, deletion, portability, rectification, and restriction of processing are handled in compliance with applicable laws and regulations.
External DPOs stay abreast of regulatory developments, communicate issues related to personal data processing to the authorities, and draft responses to regulatory inquiries. DPOs also provide consultation on matters involving interactions with regulatory authorities, including reporting data breaches.
Kertos as a potential solution for external DPO services
Kertos provides external data protection officer (DPO) solutions and, if necessary, also provides support to your internal data protection officer in their daily tasks. Our multidisciplinary team of specialists brings in-depth knowledge and experience in the latest data protection legislation, guidance, case law, and best practices.
Outsourcing your DPO function to us eliminates any conflict of interest while we bring the following to the table:
- Extensive knowledge and professional qualifications in the fields of data protection law and practice,
- The ability to carry out a data protection audit in which we examine your processes and procedures together,
- Familiarity with common challenges and obstacles,
- Access to best practices for achieving and maintaining compliance, and
- Employee awareness and training programmes.
Take a demo of our software. Our experts will guide you through our services and answer all your questions to create an offer tailored to your requirements. Once you decide to work with us, we will introduce your team to our platform and explain every finding and measure needed to achieve compliance with relevant data protection laws and regulations.