When Should Organisations Appoint A DPO?

Janine Cahoon

Janine Cahoon

When Should Organisations Appoint A DPO?

The enforcement of the EU General Data Protection Regulation has brought data protection to the front line of business agendas around the world. It requires change in how organisations keep, store and process information but it also changes how an organisation takes accountability for its data and how it proves compliance.

Under the EU GDPR, Article 37 a Data Protection Officer is required if your organisation comes under any of these categories:

  1. Public authorities and bodies, including government departments.
  2. Where the core activities of the organisation (controller or processor) consist of data processing operations, which require regular and systematic monitoring of individuals on a large scale.
  3. Where the core activities of the organisation consists of special categories of data (i.e. health data) or personal data relating to criminal convictions or offences.

When an organisation decides to appoint a DPO, there is an obligation in Article 37(5) to ensure that the candidate is a person who is adequately resourced and has ‘expert knowledge of data protection law and practices’ and on the basis of their ‘professional qualities’. The guidelines suggest that the level of expertise ‘must be commensurate with the sensitivity, complexity and amount of data an organisation processes’ and that prospective DPOs ‘should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.’

Furthermore, the DPO role will differ from most employees or contractors in that it is statutorily independent and protected. DPOs must be independent, avoid conflicts of interest and they cannot receive instruction regarding the performance of their tasks. What this means is that organisations cannot appoint their CIOs, CISOs, Head of HR, Head of IT etc. as the DPO. Unfortunately, many companies are breaking this fundamental rule.

The reality is that the employment of a full time data protection officer is more often than not, an overkill for the requirements and an expensive choice for the organisation. Therefore, more and more companies are now choosing to outsource their data protection officer requirements to third-party organisations.   DPOaaS (Data Protection Officer as a Service) is an efficient service which frees up time and resources that have been taken over by GDPR, allowing them to get back to what they do best; helping you run your business.

Here are the 5 top benefits of outsourcing your DPO needs:

  1. Access to Expertise

Expertise in National and European data protection law is hard to find and is often not readily available within an organisation. Hiring external consultants gives your organisation access to expert level knowledge and experience that ensures your organisation is compliant with the regulation at all times.

  1. Decreased cost

An outsourced DPO service works on a fixed fee per month basis with an option per-hour add on for additional hours. The outsourcing of a DPO stops your organisation from spending thousands hiring an individual for a role which may not need to be pursued on a full time basis.

  1. Preventing a conflict of interest

Finding an individual within your organisation that fits the role of the Data Protection Officer can be difficult especially considering the conflicts of interest that may entail. Individuals that regularly process personal data are unable to fulfil the role unless they no longer process personal data on behalf of the organisation. A DPO must fulfil their role in an unbiased, neutral manner and take no instruction on their role, therefore eliminating them from completing any processing of personal data except for those required under the DPO role.

  1. Stopping Overkill

Often, the hiring of a full time Data Protection Officer is overkill for an organisation, especially those that do not process much personal data or are SMEs. DPOaaS allows an organisation to pick the amount of hours to suit you and allow the organisation to decide how the DPO reports and communicates.

  1. Dedicated point of contact

With DPOaaS within Smarttech247, you are assigned a dedicated DPO, one person within the organisation that is your go-to contact at a time of crisis. The DPOaaS works just like having a dedicated person on-site and is your point of contact during a breach. This dedicated individual will learn everything that needs to be known about your organisation to ensure accurate response when its needed.

Want to find out more about our DPO as a Service offering? Contact our experts today!


Janine Cahoon

Janine Cahoon