Internal vs External Data Protection Officers Under GDPR


One of the most important decisions that European organizations make is choosing the right Data Protection Officer, or DPO. Briefly, a DPO is a data protection expert who advises an organization on, and monitors, its compliance with the General Data Protection Regulation (GDPR). Responsibility for compliance itself remains with the organization as controller or processor; the DPO is its independent advisor and point of contact.

Given that DPOs hold a uniquely pivotal role in any organization, it is vital that they can operate efficiently and successfully within the broader organizational culture. To be more specific, organizations can choose to hire an internal, or in-house, DPO as an official employee who is well-adapted to internal organizational practices. On the other hand, some organizations choose to outsource their DPO to bring in a professional from an external, diverse background and broader skill set.

This article weighs the benefits and drawbacks of both internally and externally hired DPOs. Additionally, it argues that hiring an external DPO is the best choice, especially for small and medium-sized enterprises (SMEs), because they tend to be more efficient, risk-resilient, and innovative in the long run.

What are DPOs? Why are they Important? 

Data Protection Officers, or DPOs, are data protection experts who serve as independent advisors to organizations processing personal data. A DPO is one of the most important figures in an organization because they are the central point of contact for data protection matters, both internally and towards data subjects and the supervisory authority, and they are responsible for monitoring whether the organization's data practices are GDPR compliant.

DPOs are highly qualified professionals. Although the GDPR does not specify one path for becoming a DPO, it sets out several broader requirements. More specifically, Article 37(5) of the GDPR requires that DPOs be designated on the basis of their professional qualities and, in particular, "expert knowledge of data protection law and practices", and that they be able to fulfil the DPO tasks specified in Article 39 of the GDPR. In short, the five broad responsibilities of a DPO are:

  • Informing and advising the organization and its employees of their obligations under the GDPR and other EU or Member State data protection law
  • Monitoring the organization's compliance with the GDPR and with its own data protection policies, including the assignment of responsibilities, awareness-raising and training of staff, and related audits, and recommending preemptive areas of improvement
  • Providing advice, where requested, on Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR, and monitoring their performance; the DPIA itself is carried out by the organization as controller, not by the DPO
  • Cooperating with the supervisory authority (in Italy, the Garante Privacy) and acting as the contact point for it on issues relating to processing, including prior consultation under Article 36
  • Having due regard to the risk associated with the organization's processing operations, taking into account their nature, scope, context and purposes, and suggesting measures to mitigate the risk of non-compliance with the GDPR

Along with fulfilling the above tasks, a DPO must remain "easily accessible" from each establishment or organization that they serve, under Article 37(2) and (3) of the GDPR, so a single DPO may serve several organizations provided that this accessibility requirement is met. Article 38(3) of the GDPR further requires that the DPO act independently: they must not receive any instructions regarding the exercise of their tasks, must not be dismissed or penalised for performing them, and must report directly to the highest management level. Article 38(6) allows a DPO to fulfil other tasks and duties only where these do not result in a conflict of interest. When completing their tasks, DPOs are bound to the GDPR text itself and to the guidance of the supervisory authorities and the European Data Protection Board.

Key Differences Between Internal and External DPOs

One critical decision organizations must make when choosing a DPO is whether to outsource the role to an external provider or to hire the professional as a direct employee. This decision is pivotal because it directly affects hiring costs, the risk of a conflict of interest between the DPO and the organization, the DPO's availability and flexibility, and the kind of advice the organization receives.

Below are the noteworthy differences between internal and external DPOs:

  • Employment relationship. Internal: directly employed by the organization. External: outsourced through a provider not affiliated with the organization.
  • Duration and basis of engagement. Internal: hired long-term on a full-time salary. External: engaged on a service contract, often part-time and for a fixed term.
  • Conflict of interest. Internal: higher risk of a conflict of interest developing, especially where the DPO also holds an operational role. External: lower risk of a conflict of interest developing.
  • Objectivity and independence. Internal: may be compromised by organizational culture, hierarchy, or expectations. External: typically maintained.
  • Cooperation within the organization. Internal: greater opportunity for cooperation with colleagues, which may lead to easier but less creative solutions. External: fewer such opportunities, which may make solutions harder to implement but more creative and diverse.
  • Cost structure. Internal: high recurring costs, including salary, employee benefits, recruitment, GDPR training, and other employee-related costs. External: lower, usage-based costs, typically an hourly or monthly fee specified in the contract.
  • Breadth of expertise. Internal: expertise tends to be limited to internal projects and observations. External: expertise is more diverse and stems from cross-sector, multi-cultural experience.
  • Confidentiality. Internal: works for one organization, which simplifies confidentiality. External: may work with multiple organizations at once, which raises confidentiality concerns (although Article 38(5) binds every DPO to secrecy or confidentiality in the performance of their tasks).
  • Protection against dismissal. Internal: Article 38(3) protection against dismissal or penalty for performing DPO tasks, plus general employment-law protections. External: the same Article 38(3) protection applies, but only in the context of the service contract, without the employment-law protections of an employee.
  • Training. Internal: requires periodic, organization-funded training on GDPR developments. External: expected to hold the necessary training and certification before being engaged.
  • Knowledge of the organization. Internal: can develop an in-depth understanding of the organization's culture, operations, and strategy. External: cannot become fully embedded in the organization's culture, operations, and strategy.
  • Role. Internal: often holds a dual role, combining DPO tasks with other projects. External: holds one primary role dedicated to DPO tasks.

These differences matter when hiring a DPO because they shape long-term outcomes: the cost of the DPO, the likelihood of conflicts of interest, and the quality and independence of the advice the organization receives.

On the one hand, internal DPOs are more likely to be readily available and accessible in person as direct employees of the organization. They cost more to employ (approximately $40,000 to $150,000 per year, according to the original estimate in this article) and enjoy employee benefits and employment-law protections against wrongful dismissal. Moreover, internal DPOs' close affiliation with the organization may eventually compromise their ability to be objective and independent. Their expertise is often limited to the internal organizational culture, which may lead them to suggest less creative and innovative solutions.

On the other hand, external DPOs may work with multiple organizations as long as they satisfy the Article 37 "easily accessible" requirement. They are therefore more likely to be reached by email or in virtual meetings than in person. In exchange, external DPOs cost less, since they are engaged at an agreed-upon fee rather than a full salary, and they draw on broader cross-sector and international experience when proposing solutions.

Why is it Best to Hire an External DPO?

Ultimately, the decision to hire an internal or external DPO is a company-specific consideration. The Italian Data Protection Authority, known as Garante Privacy, suggests that large, multinational organizations with complex data processing activities would most benefit from hiring an internal DPO. Due to economies of scale, it would make sense for these corporations to invest more upfront to systematically organize their processing activities. 

While internal DPOs can be beneficial, only a small portion of organizations process personal data on such a scale. SMEs tend to have much simpler processing systems. Thus, most SMEs should opt for an external DPO, who is more cost-efficient for an organization with simple data processing. In our view, external DPOs are the best option to support long-term growth, innovation, and GDPR compliance. Four key reasons why external DPOs are the better hire are:

  • Independent oversight: External DPOs hold one role that is unaffiliated with the organization, meaning they are detached from its internal context and culture. They therefore carry minimal bias, can demonstrate the absence of a conflict of interest, and can act without instructions as required by Article 38(3) and 38(6) of the GDPR. Conversely, internal DPOs often wear a "double hat", taking on DPO tasks alongside other internal assignments. This dual role makes it harder for internal DPOs to remain objective and neutral.
  • Risk mitigation: External DPOs are the less risky option because they are more likely to remain objective. The dual role held by internal DPOs may create a conflict of interest between the organization's goals and the DPO's tasks. As the risk of a conflict of interest rises, so does the risk of infringing Article 38 of the GDPR. Infringements of the DPO provisions in Articles 37 to 39 are subject, under Article 83(4), to administrative fines of up to EUR 10 million or 2% of the organization's total worldwide annual turnover, whichever is higher; infringements of the GDPR's core principles and of data subjects' rights fall under the higher tier of EUR 20 million or 4% in Article 83(5).
  • Diverse expertise: External DPOs draw from a range of experience across sectors, organizational cultures, and jurisdictions. This allows them to offer fresh, broadly applicable insight into the rapidly evolving legal landscape, privacy requirements, and technological trends surrounding data protection law and the GDPR. External DPOs bring this experience with them, whereas internal DPOs may need years of organization-funded training to build a comparable breadth.
  • High flexibility: External DPOs' diverse experience also enables them to offer flexible, tailored recommendations. A nuanced understanding of the rules across various industries allows them to offer new perspectives, innovative solutions, and preemptive suggestions in complex situations. Additionally, external DPOs are qualified when engaged and ready to act immediately, whereas internal DPOs may require months of training before they can act.
  • Cost effectiveness: External DPOs cost less because they are pre-trained professionals engaged on a service-contract basis. The contract specifies an agreed-upon rate that the organization pays only for the services it actually uses. This gives organizations access to professional support without committing to the long-term salary, benefits, recruitment, and periodic training costs that an internal DPO entails.

Italy’s Perspective on External DPOs

In Italy, the Garante Privacy has confirmed that a DPO may be external to the organization, provided that the person is suitably qualified, free of conflicts of interest with the organization, and easily accessible. External DPOs can be especially effective at drawing on their diverse experience to bring innovative ideas to SMEs, which can ultimately support growth in these organizations.

Many Italian companies, especially SMEs and expatriate-run organizations, rely heavily on law firms (such as A.L. Assistenza Legale) and consulting sources to assist with the DPO outsourcing process. We, A.L. Assistenza Legale, can connect you with a DPO who understands your organization’s culture and adequately accommodates all of your needs. Some examples of how organizations can benefit from outsourcing a DPO are:

  • Receiving multilingual legal guidance, especially for international organizations looking to expand into Italy and understand the GDPR
  • Gaining a point of contact with the supervisory authority, which helps the organization understand GDPR requirements fully and anticipate regulatory changes
  • Integrating the DPO's risk assessments into operations, to avoid hefty fines for GDPR non-compliance and to choose efficient, compliant data processing tools

Conclusion: Get Help Hiring A DPO

DPOs are the direct point of contact for all matters relating to GDPR compliance. While the decision to hire an internal or external DPO is always company-specific, external professionals provide the most compelling and comprehensive advantages: independence, diverse expertise, high flexibility, and cost effectiveness. In short, hiring an external DPO is the strategic best practice to support GDPR compliance, especially for SMEs and other organizations with relatively simple data processing systems.

At A.L. Assistenza Legale, our lawyers advise Italian and international organizations on all matters related to data protection law, including GDPR compliance and outsourcing DPOs. We also help multinational organizations adjust their practices to comply with Italian and EU data protection rules, including the GDPR. If you wish to learn more about data protection law or hiring a DPO (whether internal or external), feel free to contact us!
