There is great debate in the DPO community as to whether it is better for a business to have an in-house DPO, or an external one. I could settle it now and simply say: different businesses are suited to different things. But that would make a short and boring blog, so let’s look into it further.
I should start by confessing that I work as an external DPO (also known as DPO as a Service/DPOaaS), so my experiences may be one-sided, but that doesn’t mean that I think it is always the best thing for a business, or even the DPO themselves. To try and ensure there is no bias, I tapped into my DPO network to get their views too. Between us, we believe these are the top 5 advantages of both.
5 Reasons to have an in-house DPO
1) Availability
Having your DPO as a full-time or part-time employee means that they are always on hand, available to attend meetings at the drop of a hat, available to chat in the corridor, and respond to emails when you need it. An external DPO may have a number of clients and need to juggle their diary to be able to attend meetings, or may have an SLA that doesn’t always match with your need to know something immediately.
2) In-house knowledge
Quite often an in-house DPO will have been promoted from within the business so already has a broad knowledge of the company and the challenges faced in the various departments. If they are an external hire, then the fact they are now completely dedicated to just your business means they will acquire a depth of knowledge beyond anything that an external DPO ever can. You don’t need to take time to bring them up to speed on new products, or the details needed to help them support a Data Protection Impact Assessment, in the same way you will with an external DPO.
3) Value for money
Whilst the tasks of the DPO are designated within the GDPR, it does not mean that a DPO cannot do other tasks, as long as they do not conflict with the role of the DPO. That means your DPO can have another role within your company. You can truly get your money’s worth from an internal DPO resource. In reality, this can be problematic, and the balance of power means that it may be difficult for an in-house DPO to say no when expected to do conflicting tasks.
4) Can rely on the support of the business when there is a security incident or breach
An in-house DPO knows exactly who to rely on in times of crisis. They can quickly pull together a breach team and are likely to have more clout than an external DPO if they believe something is reportable, or if they are trying to get the full facts of the incident. The danger is if the board is more likely to listen to a “consultant” than their own employees.
5) Water cooler moments
Do not underestimate the power of the water cooler or the tea break. In-house DPOs are likely to be ahead of any external DPO when it comes to someone having a “great idea” which then results in all sorts of data protection chaos. They can get in there early and assess the risk before any damage is done. Physical visibility means that an in-house DPO can build relationships easily and is more likely to be invited to initial meetings about a project. An external DPO has to rely on being told about these things (or as I do, being an integral member of as many Slack channels as possible, including “rate my dinner”!)
5 Reasons to have an external DPO
1) Cost
Taking on an external DPO means that you only pay for what you use. It may be that the DPO has a minimum amount of hours per month, but that’s usually to ensure you do all turn up to the regular governance calls and to give you a guaranteed set of hours to use before you incur additional cost. There is no holiday pay, no national insurance, no pension contribution and no benefits or bonuses to consider. Costs range considerably, so make sure you shop around.
2) Expert knowledge
Whilst all DPOs must have “expert knowledge of data protection law and practices and the ability to fulfil the tasks” outlined in Article 39 of the GDPR (the requirement itself is in Article 37), it can be very difficult for an in-house DPO to stay up to date with the ever-evolving regulations around the world. An external DPO spends an estimated 4–8 hours a week* staying up to date with case law, new regulations, and deep diving into the nuances of data protection. That would be a luxury to an in-house DPO. In addition, external DPOs work across clients, within and across sectors. It gives them a broad knowledge of best practice, how others are addressing similar issues, and experience of how the local Data Protection Authority may view the risk-based approach that you are planning on relying on.
*Based on an unofficial poll of a group of DPOaaS
3) No conflict of interest
A DPO must perform their duties with no conflict of interest. This level of independence is guaranteed with an external DPO. As a DPO needs to report to the board, an internal DPO is likely to be a C-level executive. Their bonus structure and share allocation could make it difficult to be fully independent.
4) Flexibility
External DPOs are disposable. That probably sounds harsh but it’s true. You are not allowed to sack an internal DPO for carrying out their regulatory duties as a DPO. If you were to make them redundant or dismiss them for any reason, you could find yourself having to defend yourself rigorously. With an external DPO, you have a contract in place that has termination clauses. You can increase hours as you need them, you can decrease hours, you can hold them to an SLA, you can decide you just don’t like them anymore and you can replace them with a new one. The flip side of course is that they can pretty much do the same to you. You may not get the level of loyalty that you would get from an in-house DPO.
5) Their network
Being an external DPO is a pretty lonely job; they are never truly part of a business the way an in-house DPO is, they don’t have colleagues, they don’t get to go on team nights out or join in the water-cooler gossip. As a result, they have to forge their own networks and who better than other external DPOs? That means their network is full of people with extensive knowledge and experience in exactly the areas that benefit you. If they don’t know the answer to something, then they know someone who does.
Of course, all of these are generalisations and need to be taken with a pinch of salt. There are advantages and disadvantages to both an internal and an external DPO. The key thing is that you get the right person for your business: someone who is able to oversee your compliance with the data protection laws that impact you, who will aim to protect you from straying too far off the path, and who will guide you through the maze of compliance.
In-house or external, the right DPO is a huge asset to your company.
This is the second part in a 3-part series by guest contributor Tash Whitaker.