Hiring a DPO

A Complete Guide For Hiring A GDPR Data Protection Officer (DPO)

A Complete Guide For Hiring A GDPR Data Protection Officer (DPO)

General Data Protection Regulation has been enforced since 25th May 2018. So if you have still not hired a data protection officer, this guide should help you. It is a complete guide for hiring a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR). We’ll go step by step to help you with all the questions regarding a Data Protection Officer.

Who is a Data Protection Officer (DPO)?Data Protection Officer for GDPR Compliance

Data Protection Officer is the professional responsible for the data protection activities and implementation of measures inside the company. They hold the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. They directly report to the senior management, managing directors, and CEO of the company.

Who needs a Data Protection Officer?

According to the text, you need a data protection officer if:

  • You have more than 250 employees in your company
  • You are processing data on a large scale basis. This would mean that the data you collect, process, store or use affects a large number of people. It could be a city population or processing of personal data for behavioral advertising by a search engine
  • Your processing is carried out by a public authority or body
  • You are processing  sensitive data such as health, trade union membership, geolocation, sexual orientation, genetic, or children data
  • You are monitoring, and tracking systematically. For example, if you are monitoring users video data systematically or tracking internet users systematically to review television rating points
  • You are processing special categories of data that could be related to a criminal offense
  • If you are a processor and systematically monitoring data such as internet traffic, IP address or visitors etc.

What are the basic responsibilities of a Data Protection Officer?

The Data Protection Officer should have the following responsibilities:

  • to inform and advise the controller or the processor as well as the employees who carry out processing pursuant to this Regulation and to other Union or Member State data protection provisions
  • to monitor compliance with this Regulation or with other Union or Member State data protection provisions. This also includes compliance with the policies of the controller or processor in relation to the protection of personal data: the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits
  • to provide advice when requested with  regards to the data protection impact assessment and monitor its performance pursuant to Article 35
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36,
  • The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.

This means a data protection officer is a coordinator between the controller/processor and the supervisory authority. They are also responsible to respond to data subjects that is the consumers/customers of the company. Under the GDPR, Data Subjects can request access to their data that is collected and processed.

What are the basic tasks of your Data Protection Officer?

In line with the responsibilities mentioned above, this section now highlights how the responsibilities mentioned above turn into tasks. The DPO has to ensure that the data protection rules are respected in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institution and bodies, the DPO must:

  • Ensure that controllers and data subjects are informed about their data protection rights, obligations, and responsibilities and raise awareness about them;
  • Create data protection goals and principles based on the GDPR and make sure the controller i.e. the company follows it
  • Give advice and recommendations to the institution about the interpretation and/application of the data protection rules;
  • Create records of processing activities within the institution and notify the EDPS of those that present specific risks (so-called prior checks);
  • Ensure data protection compliance within their institution and help the latter to be accountable
  • Handle queries or complaints on request by the institution, the controller, other person(s), or on their own initiative;
  • Cooperate with responding to requests about investigations, complaint handling and inspections conducted by the authorities
  • Draw the institution’s attention to any failure to comply with the applicable data protection rules
  • Conduct a Data Protection Impact Assessment if required and review it monthly, quarterly and yearly
  • Create Data Processing Agreement and coordinate with the third-parties
  • Create and update privacy policy, cookie policy and other data protection related policies
  • Train staff involved in data processing
  • Conduct audits to ensure compliance

Qualifications for Data Protection Officer

There are no exact qualifications written in the law. But the law does say, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. The data protection officer should have at least 30-60 hours of training to understand the law and its requirements. You can get your Data Protection Officer trained at the following places:


  1. IAPP Certifications
  2. TÜV in Germany
  3. IT Governance in the UK

Since there is no exact criteria, our suggestion is that adequate training or certification of a certain number of hours should help you. If your data protection officer is a lawyer by profession it would make training easier.

What do we have to do to support the DPO?


You must ensure that:

  • the DPO is involved, closely and in a timely manner, in all data protection matters;
  • the DPO reports to the highest management level of your organization, i.e. the board;
  • the DPO operates independently and is not dismissed or penalized for performing their tasks;
  • you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
  • you give the DPO appropriate access to personal data and processing activities;
  • you give the DPO appropriate access to other services within your organization so that they can receive essential support, input or information;
  • you seek the advice of your DPO when carrying out a DPIA; and
  • you record the details of your DPO as part of your records of processing activities.

This shows the importance of the DPO to your organization and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.


10 Best Practices for Hiring a Data Protection Officer

As a controller or processor, the following are the best practices for hiring a data protection officer:

  1. You can find data protection officers on LinkedIn & Facebook Groups with the search term GDPR for groups
  2. IAPP has their own groups where you can find 40,000 different privacy professionals
  3. Conferences on GDPR like Summits and gatherings are a good place to find such data protection officers
  4. Hire a data protection certified specialist or a lawyer specialized in the  field
  5. Make sure your data protection officer understands your IT infrastructure and your application
  6. You can hire an external DPO
  7. A DPO should have great managerial and negotiation skills. They should also have a comprehensive understanding of the controller/processor, the data subjects, and the law
  8. Many experts give tutorial and content on the GDPR. If you are planning to hire an external DPO then see their webinars, blogs and public profiles
  9. Do your due diligence and ask for at least 3 references from their previous customers. If you are hiring someone internally, then ask their immediate supervisors
  10. If you are hiring an external data protection officer, make sure that you go with someone who does not have a lot of clients. If this data protection officer has a lot of clients, then your work is probably going to get ignored if you don’t pay them based on packages


Should I hire an external or internal Data Protection Officer?

Internal vs. External Data Protection Officer

In principle, a company can appoint a Data Protection Officer both internally by assigning the role to an employee and externally in the person of a service provider. The decisive criterion should always be the necessary expertise and reliability that a DPO needs in order to be able to properly fulfill the intended tasks. But what distinguishes an internal from an external data protection officer? We would like to explain the differences on the basis of essential dimensions such as competence, liability and dismissal protection. In addition, to enable you to directly compare the costs of an internal and external data protection officer, we use a fictional calculation to show you how your company’s investment in data protection could be structured.


Internal Data Protection Officer

If you assign an Internal Company Data Protection Supervisor (DPO), the managing director hands over the task of DPO to an employee of the company. If an internal employee meets all the necessary requirements, they can be appointed as an internal data protection officer. After the appeal to the internal DPO, the employee is under protection against dismissal and has rights to further claims, such as their own equipment or training. However, if a company data protection officer is appointed, who does not have the required skills, this is treated by law as if no privacy officer would be present in the company.


External Data Protection Officer

In contrast to the internal data protection officer, the external DPO is a certified data protection expert who is available to your company as a service provider. The high level of expertise of an external data protection officer guarantees the best protection for your company. With a transparent cost structure, contractually agreed prices and a variable contract period, the external data protection officer takes care of your business quickly and efficiently, thus protecting you from high fines.


Differences between external and internal data protection officer

First of all, internal and external DPOs can be distinguished with regard to the costs incurred. While for internal data protection officers the company has to pay for education and training, as well as the acquisition of literature from the company, in addition to the regular salary. Your company benefits from the transparent cost structure in the case of an external DPO since all services and costs are contractually defined.


In terms of competence, an internal DPO first has to undergo time-consuming and costly further training measures to gain the specialist knowledge if they are not already specialized in the field. An external DPO, on the other hand, can showcase certified and immediately retrievable expertise from the beginning of the cooperation. In contrast, however, the internal DPO has advantages in terms of training, as the operating procedures are generally already known, while an external DPO must first familiarize themselves with the operational procedures and processes.


If there is a momentous error based on the consultation with the data protection officer, for e.g.misuse of customer data, an internal DPO is liable with the limited employee liability which results in the full liability of the manager. In contrast, an external DPO is liable for its advice and thus minimizes risks for the company.


Already with the order of an operational data protection officer already a possible, later notice should be considered. An internal DPO is subject to special protection against dismissal, which is comparable to the position of the works council. However, the commissioning of the external data protection officer can be terminated on time.


We would like to explain this to you in more detail with a table:


ItemInternal DPOExternal DPO
CostIn addition to the regular salary, costs for education and training, as well as acquisition of literature, must be borne by the companyTransparent cost structure through contractually agreed prices
CompetenceTime-consuming and complex further education measures to obtain the technical knowledgeCertified, existing and immediately retrievable expertise
LiabilityPartially transfers the liabilityLiability for the correct advice by the external DSB. Risk minimization for the company
Data ControlAll the data stays within the companyAll the data and company understanding stays with an external


Time Commitment100% committed to the projectPartially committed to project and most likely involved with many other companies


Time to understand the business It won’t take much time to understand the business and process since the internal DPO was a part of the companyIt takes time for an external DPO to understand the company and mostly like you’ll pay for an audit


Response timeMuch faster since already part of the companyMuch slower because the external DPO was not part of the company


Cancellation of employment contractAn internal data protection officer is protected by law. Basically, you can’t fire him/herAn external DPO can be easily replaced based on the contract terms and timelines


How much does a data protection officer cost?

Based on our experience of talking to hundreds of data protection officers, the average cost in Europe for a data protection officer depends on the hourly rate. The data protection officer without a legal background would cost around 100-200€ per hour. If your data protection officer is a lawyer, then they would cost around 300-500€ per hour. There are many data protection officers who work based on the hourly rate in a year or package basis per month. If you are hiring an external data protection officer, keep in mind that if the rate is really low then remember either that they have many clients so you won’t get individual attention or consulting. If they’re a big brand then, probably you’re paying a lot but still getting less attention.


Common Mistakes to avoid while hiring a DPO

  1. Don’t hire cheap data protection officers. They’re not worth it and probably won’t take your case seriously
  2. If all the work is done by the company’s internal lead, and the external DPO is only for the  purposes of the website then don’t hire that DPO
  3. Don’t hire someone internally in your company as a DPO if the role has an inherent conflict of interest. For example, don’t hire a marketing or customer support person as a DPO because they might be biased. Here’s what the working party suggests regarding hiring an internal DPO and avoiding a conflict of interests:
    1. to identify the positions which would be incompatible with the function of a DPO,draw up internal rules to this effect in order to avoid conflict of interests
    2. to include a more general explanation about conflict of interests
    3. to declare that the DPO has no conflict of interest with regards to its function as a DPO, as a way of raising awareness of this requirement
    4. to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be kept in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally
  4. The following roles are in conflicting positions: chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources or head of IT department
  5. Hiring a full-time data protection officer, when you only need a part-time data protection officer


Here’s a sample Appointment Letter for a DPO from ECOMPLY.io

Sample Appointment Letter for Data Protection Officer:


Ms. Sample   – Data Protection Officer –

Sample Street 2

23456 Sample City

Appointing Mr. / Ms. ### as Operational Data Protection Officer

The ACME LLC herewith and with immediate effect appoints Ms Sample as the Data Protection Officer – as stipulated in Article 37 GDPR referencing § 38 BDSG-neu for our company. To facilitate the execution of this role as Data Protection Officer, he/she shall report directly to management, specifically NAME_MANAGING_DIRECTOR.

Ms. Sample is entrusted with providing consultancy services and ad-hoc spot checks to ensure company-wide adherence to the provisions of the GDPR and to further data protection regulations.

In concrete terms, his/her duties shall be derived from the GDPR and shall, specifically, be aligned with Article 39 GDPR.

Ms. Sample shall act without being subject to supervisory instruction in the application of expertise in the area of data protection and shall be supported by management in his/her executional endeavors. To this end, he/she may consult the data protection regulatory authority responsible for our company whenever clarification is required.

Representing the management:

_______________________________ ______________________________

Place, Date                                                    Signature Managing Director



I approve of my appointment to Data Protection Officer:


Signature Data Protection Officer

Ms Sample


If you have any further questions or want to know how we can help your DPO, book a demo with us!


10 Critical Steps to GDPR for SMEs

10 GDPR Critical Steps for SMEs and its owners

Does GDPR apply to Small business (SMEs)? Will SMEs get fined? Are you scared about a €20 Million fine for your company? There is a solution to this.

This year GDPR is coming that is binding to all companies and organizations handling data of all individuals within the EU. From now on, your company can be held liable for the data it collects and uses. Fines up to €20 Million or 4% of annual turnover can be imposed. This company was fined $250 Million, even before the GDPR was in place. But this can be totally avoided!

Are you ready for GDPR? If yes, read more to see if you have everything in place.

Not ready yet? Follow the steps below to be GDPR ready!


Step 1: Be aware of what GDPR is and what it means for your company (even if you’re an SME)

GDPR is a regulation of the Parliament and of the Council which comes into force on May 25th. As a regulation it affects companies and their customers as much as a national law.  Decision makers and key people in the organization must now identify what processes of the company are not GDPR compliant and should analyze the kind of resources that will be required to tackle this in time for the GDPR implementation. UK’s ICO provides in-depth information of what the GDPR is and all that you must know regarding it. If you are a small business owner (SMEs) than GDPR affects you as well.

Our GDPR-glossary would help you to understand the various terminologies that is relevant. You must also know where your company stands in relation to the GDPR compliance. You can take this gap assessment to find out!

Step 2: Document all personal data your company holds

GDPR requires you to maintain records of processing activities. GDPR does not take SME owners out. You have to do this.

Your organization must document all the data that it holds, where it came from and how it uses that data if it somehow refers to an identifiable person. Furthermore, your organization must be able to submit up-to-date reports, so called records of processing activities (RPA), to the competent data protection authority at all times.

The development of the records of processing activities is also a key step because it enables the company to evaluate the whole process and understand where corrective measures have to be taken. Without such a record, no compliance to any further requirement of GDPR can ever be achieved!

Need help with organizing your data for GDPR compliance?)

If you need help figuring out how you can record processing activities, this tool will help you organize your data.

Step 3: Inform everyone concerned through a privacy notice

The individuals whose data your company uses must be informed through a privacy notice detailing in simple terms what kind of data you obtain, in what ways you obtain it, for which purposes you need it and, in case, if you are transferring the data to countries outside the EEG.

Do you need a privacy notice? With this tool you can create a first draft that meets the legal requirements.

Privacy Notice

Step 4: Checking if your data processing adheres to the individual rights

Now that you have sorted your data, you have to legally review all procedures concerning personal data. Are they compliant to GDPR or not? The answer is complex and usually work of a lawyer. Generally, you must keep in mind that processing activities concerning personal related data might affect the rights of the individuals. Those processing activities therefore always have to be justified.

Step 5: Consent for SMEs and its customers

The normal way to justify proceedings is also the most important pillar of data protection: consent! Your company should review how you seek, record, and manage consent.It is important that the consents meet the new GDPR standard, so your company must perhaps review and refresh all consents. SMEs owners have to also do this and all the time.

For example, it is necessary to keep the grammar and content of the consent easy and in an understandable format which can be understood by anyone. UK’s ICO provides a consent guidance guide that is a useful tool in defining consents as per the GDPR.

Step 6: Requests for subject access regardless if you’re an SME

Your company should update the procedures and must plan how you will handle subject access requests to take account of the new rules. In most cases, you will not be able to charge for complying with a request.

You will have a month to comply, rather than the current 30 days.

You can refuse or charge for requests that are excessive, but you will need to provide the requests with a machine-readable format of their data. If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.

Step 7: Outsourcing of data processing

When your company works with a data processor, it should review the outsourcing contracts of data processing to comply with the GDPR. First, make sure you own those contracts, which is not always the case with free cloud services. At the latest on request of the competent data protection authority, you must be able to present the contracts. After all, these contracts must also be compliant with the GDPR and there is a high probability that they have to be adjusted.

Step 8: Data Protection Officer (DPO)

Probably your company has to appoint a DPO to take responsibility for the regulatory compliance.

This DPO will report to the highest position in the firm and has to make sure the company will take the needed measures to have its processes and information flow according to the GDPR. Some special aspects regard to the mandatory need of a DPO apply, however, it is a good idea to have a specialized role within the organization.

Another option is a virtual DPO, that can help your company be GDPR compliant. The best part is that it costs much lesser and reduces company man-hours involved by 75%!

GDPR for SMEs might not directly have a DPO requirement but if SMEs process special category of data such as health data. It would good to hire a DPO externally or part-time internally.

Data Protection Officer

Step 9: Data Protection Impact Assessment and Protection by Default and Design

Your company has to evaluate deeply the type of processing activities it will require for each data it collects to analyze the risks it may cause to the data subject. Every software used, activity performed and measure taken must have protection by design. It ensures that there will be no breaches and no vulnerability regarding the security of this data and no harm to the rights of the data subject.

If the processing activities or the data is susceptible to high risks, an impact assessment must be performed to evaluate the right measures to be taken to minimize this risks. Important aspects to grant this security are pseudonymization, minimization of the data, ensuring the erasure of data according to the consent deadlines, and granting access to the data subject.

Step 10: Data breaches and notifications

Your company must adopt internal procedures and require the same to third-party partners, in order to deal with data breaches.

Those procedures should include identification of the actual data breach, investigation of the circumstances of the breach, and assessment of the implications it may cause both to the company and to the data subject regarding his privacy.

One thing to remember is that the information should be notified to the Supervisory Authority in no more than 72 hours when the data subjects are exposed to some kind of risk, and in those cases, the data subject also have to be notified.

Links and Further Information

Data Protection Authorities in EU countries

This list provides the websites of the Data Protection Authorities in your country. You can find more specific content for your region from the corresponding website.

Get help preparing for the GDPR

If you want to find out more about preparing for the GDPR, you should take a look at our GDPR webinar series. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments, and data protection by design.

If you’re a small business (SME) owner, you need help with GDPR and just starting, get this guidebook to start with.