A Complete Guide For Hiring A GDPR Data Protection Officer (DPO)
The General Data Protection Regulation (GDPR) has applied since 25 May 2018. If you still have not appointed a data protection officer, this guide should help you. It is a complete guide to hiring a Data Protection Officer (DPO) under the GDPR, and it walks step by step through the questions that come up when appointing one.
Who is a Data Protection Officer (DPO)?
The Data Protection Officer is the person responsible for overseeing data protection within the organisation. The DPO oversees the data protection strategy and its implementation, monitors compliance with the GDPR, and acts as the contact point for the supervisory authority and for data subjects. Under Article 38(3) GDPR the DPO reports directly to the highest management level, i.e. the managing directors, CEO or board, and must not receive instructions on how to perform the role.
Who needs a Data Protection Officer?
Under Article 37(1) GDPR you must designate a data protection officer if:
Your processing is carried out by a public authority or body (except courts acting in their judicial capacity)
Your core activities consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale. Examples are behavioural advertising by a search engine or ad network, location tracking by a mobile app, loyalty programmes, profiling for credit scoring, and CCTV monitoring
Your core activities consist of large-scale processing of special categories of data (Article 9: health, genetic and biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation) or of data relating to criminal convictions and offences (Article 10)
"Large scale" refers to the number of data subjects affected, the volume and range of data, the duration of the processing and its geographical reach. A hospital processing patient records or a transport operator tracking the travel data of a city's population is processing on a large scale; an individual physician processing the data of their own patients is not.
These criteria apply to processors as well as to controllers: a processor whose core activity is systematically monitoring data subjects on behalf of its customers (for example by logging internet traffic, IP addresses or visitor behaviour) also needs a DPO.
The GDPR itself sets no headcount threshold. The often-cited figure of 250 employees comes from Article 30 (records of processing activities), not from Article 37. Member State law may add further triggers: in Germany, § 38 BDSG requires a DPO where, as a rule, at least 20 persons are permanently engaged in the automated processing of personal data (10 persons before November 2019).
What are the basic responsibilities of a Data Protection Officer?
Article 39 GDPR assigns the Data Protection Officer at least the following tasks:
to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the Regulation and to other Union or Member State data protection provisions;
to monitor compliance with the Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and to monitor its performance pursuant to Article 35;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36.
In the performance of these tasks the data protection officer shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing (Article 39(2)).
In practice the DPO is the contact point between the controller/processor and the supervisory authority. Under Article 38(4), data subjects (your customers, users and employees) may also contact the DPO about any issue related to the processing of their personal data and the exercise of their rights, for example a request for access to the data held about them under Article 15.
What are the basic tasks of your Data Protection Officer?
This section shows how the responsibilities above turn into day-to-day tasks. The list below is based on the EDPS description of the DPO role in the EU institutions and bodies, for which the EDPS is the supervisory authority; for a company under the GDPR the same tasks apply, with the national supervisory authority in place of the EDPS. The DPO must:
Ensure that controllers and data subjects are informed about their data protection rights, obligations and responsibilities, and raise awareness of them
Define data protection goals and principles derived from the GDPR and make sure the controller, i.e. the company, follows them
Give advice and recommendations to the organisation on the interpretation and application of the data protection rules
Maintain the records of processing activities (the controller's obligation under Article 30, usually delegated to the DPO) and flag processing that presents a high risk so that the supervisory authority can be consulted beforehand (prior consultation, Article 36; formerly "prior checks" for the EU institutions)
Ensure data protection compliance within the organisation and help it demonstrate accountability
Handle queries or complaints at the request of the organisation, the controller or other persons, or on the DPO's own initiative
Cooperate with the authorities in investigations, complaint handling and inspections
Draw the organisation's attention to any failure to comply with the applicable data protection rules
Advise on the Data Protection Impact Assessment where one is required, monitor its performance, and make sure it is reviewed whenever the nature or risk of the processing changes (Article 35(11)), not only on a fixed calendar
Advise on data processing agreements with processors (Article 28) and coordinate with the third parties involved
Train staff involved in data processing
Conduct audits to verify compliance
Qualifications for Data Protection Officer
The law prescribes no specific qualification. It does say that "the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39" (Article 37(5)). As a rule of thumb, a data protection officer should have at least 30 to 60 hours of training on the law and its requirements. You can have your Data Protection Officer trained at, for example:
TÜV in Germany
IT Governance in the UK
Since there are no exact criteria, our suggestion is that training or certification of a certain number of hours, matched to the complexity and sensitivity of your processing, is the practical benchmark. If your data protection officer is a lawyer by profession, the training will be easier.
What do we have to do to support the DPO?
You must ensure that:
the DPO is involved, closely and in a timely manner, in all data protection matters;
the DPO reports to the highest management level of your organization, i.e. the board;
the DPO operates independently and is not dismissed or penalized for performing their tasks;
you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
you give the DPO appropriate access to personal data and processing activities;
you give the DPO appropriate access to other services within your organization so that they can receive essential support, input or information;
you seek the advice of your DPO when carrying out a DPIA; and
you record the details of your DPO as part of your records of processing activities.
This shows the importance of the DPO to your organization and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.
10 Best Practices for Hiring a Data Protection Officer
As a controller or processor, the following are the best practices for hiring a data protection officer:
You can find data protection officers in LinkedIn and Facebook groups; search for "GDPR" among groups
The IAPP (International Association of Privacy Professionals) runs its own groups, where you can reach some 40,000 privacy professionals
GDPR conferences, summits and meetups are a good place to meet data protection officers
Hire a certified data protection specialist or a lawyer specialised in the field
Make sure your data protection officer understands your IT infrastructure and your application; a DPO who cannot read a data flow diagram cannot assess your processing
You can hire an external DPO
A DPO should have strong managerial and negotiation skills and a thorough understanding of the controller/processor, the data subjects and the law
Many experts publish tutorials and content on the GDPR. If you plan to hire an external DPO, review their webinars, blog posts and public profiles first
Do your due diligence and ask for at least three references from their previous clients. If you are appointing someone internally, ask their immediate supervisors
If you are hiring an external data protection officer, check how many clients they already serve. A DPO with a long client list will have little time for you unless your contract guarantees a defined amount of attention (for example a monthly package with agreed hours)
Should I hire an external or internal Data Protection Officer?
Internal vs. External Data Protection Officer
In principle, a company can appoint a Data Protection Officer either internally, by assigning the role to an employee, or externally, by engaging a service provider. The decisive criterion should always be the expertise and reliability the DPO needs to carry out the intended tasks properly. But what distinguishes an internal from an external data protection officer? We explain the differences along the essential dimensions of cost, competence, liability and protection against dismissal. We also compare the two options side by side so that you can see how your company's investment in data protection could be structured.
Internal Data Protection Officer
If you appoint an internal company data protection officer, the managing director assigns the DPO role to an employee of the company. Any employee who meets the necessary requirements can be appointed. Once appointed, the employee enjoys special protection against dismissal and is entitled to further claims such as suitable equipment and training. If, however, the appointed employee lacks the required expertise, the appointment is treated in law as if no data protection officer had been designated at all.
External Data Protection Officer
In contrast to the internal data protection officer, the external DPO is an outside data protection expert, usually certified, who serves your company as a service provider. The expertise of an external DPO is available from day one and does not have to be built up first. With a transparent cost structure, contractually agreed prices and a flexible contract period, the external data protection officer can start working for your business quickly, reducing the risk of non-compliance and the fines that come with it.
Differences between external and internal data protection officer
First, internal and external DPOs differ in the costs incurred. For an internal data protection officer, the company pays for education and training and for the acquisition of specialist literature on top of the regular salary. With an external DPO, the company benefits from a transparent cost structure, since all services and costs are contractually defined.
In terms of competence, an internal DPO who is not already specialised in the field first has to undergo time-consuming and costly further training to acquire the specialist knowledge. An external DPO, on the other hand, brings certified, immediately available expertise from the start of the engagement. The internal DPO has the advantage when it comes to the business itself: the operating procedures are generally already familiar, whereas an external DPO must first learn the company's operational procedures and processes.
If a serious error results from the data protection officer's advice, for example misuse of customer data, an internal DPO is covered by the limited liability that employees enjoy under labour law, so the liability effectively stays with management. An external DPO, by contrast, is contractually liable for the advice given, which reduces the risk for the company.
The possibility of a later termination should be considered when the data protection officer is first appointed. An internal DPO enjoys special protection against dismissal, comparable to the position of a works council member. The engagement of an external data protection officer, on the other hand, can be terminated in accordance with the contract.
We summarise the differences in the following comparison:
Costs
Internal DPO: In addition to the regular salary, the company bears the costs of education and training and of acquiring specialist literature
External DPO: Transparent cost structure through contractually agreed prices
Competence
Internal DPO: Time-consuming and complex further training is needed to obtain the technical knowledge
External DPO: Certified, existing and immediately available expertise
Liability
Internal DPO: Liability is only partially transferred to the DPO; employee liability is limited
External DPO: Liable for the correctness of the advice given; risk minimisation for the company
Knowledge retention
Internal DPO: All data and know-how stay within the company
External DPO: Data and understanding of the company stay with an outside party
Commitment
Internal DPO: 100% committed to the company
External DPO: Partially committed, and most likely serving many other companies
Time to understand the business
Internal DPO: Little time needed, since the internal DPO is already part of the company
External DPO: Takes time to understand the company, and you will most likely pay for an initial audit
Speed of getting started
Internal DPO: Much faster, since already part of the company
External DPO: Much slower, since the external DPO was not part of the company
Termination
Internal DPO: Protected by law against dismissal; in practice you cannot simply fire them
External DPO: Can be replaced easily, subject to the contract terms and notice periods
How much does a data protection officer cost?
Based on our experience of talking to hundreds of data protection officers, the cost of a data protection officer in Europe is usually driven by the hourly rate. A data protection officer without a legal background costs around 100 to 200 EUR per hour; a data protection officer who is a lawyer costs around 300 to 500 EUR per hour. Many data protection officers bill by the hour against an annual budget, while others offer monthly packages. If you hire an external data protection officer, keep in mind that a very low rate usually means many clients and therefore little individual attention or consulting, and that a big brand may charge a lot while still giving you less attention than a smaller provider would.
Common Mistakes to avoid while hiring a DPO
Don’t hire cheap data protection officers. They are not worth it and probably won’t take your case seriously
Don’t hire an external DPO who is only named on the website for appearances while all the actual work is done by your internal lead; the DPO must genuinely perform the Article 39 tasks
Don’t appoint someone internally as DPO if the role has an inherent conflict of interest (Article 38(6)). The DPO must not determine the purposes and means of processing, so do not appoint, for example, the head of marketing or of customer support, who decides how customer data is used. The Article 29 Working Party suggests the following for appointing an internal DPO and avoiding a conflict of interests:
to identify the positions which would be incompatible with the function of a DPO, and to draw up internal rules to this effect in order to avoid conflicts of interest
to include a more general explanation about conflict of interests
to declare that the DPO has no conflict of interest with regards to its function as a DPO, as a way of raising awareness of this requirement
to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be kept in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally
According to the Working Party, the following senior positions typically conflict with the DPO role because they determine the purposes and means of processing: chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources and head of the IT department. Lower positions may also conflict if they lead to the determination of purposes and means of processing
Hiring a full-time data protection officer, when you only need a part-time data protection officer
Here’s a sample Appointment Letter for a DPO from ECOMPLY.io
Sample Appointment Letter for Data Protection Officer:
Ms. Sample, Data Protection Officer
Sample Street 2
23456 Sample City
Appointment of Mr./Ms. ### as Company Data Protection Officer
ACME LLC hereby appoints Ms. Sample, with immediate effect, as Data Protection Officer for our company pursuant to Article 37 GDPR in conjunction with § 38 BDSG-neu. To facilitate the execution of this role, he/she shall report directly to management, specifically NAME_MANAGING_DIRECTOR.
Ms. Sample is entrusted with providing advice and carrying out ad-hoc spot checks to ensure company-wide adherence to the provisions of the GDPR and to further data protection regulations.
In concrete terms, his/her duties are derived from the GDPR and are specifically aligned with Article 39 GDPR.
Ms. Sample shall not be subject to instructions in the exercise of his/her data protection expertise and shall be supported by management in carrying out these duties. To this end, he/she may consult the data protection supervisory authority responsible for our company whenever clarification is required.