The Outsourced Data Protection Office

Published on August 4, 2020

Even as companies grapple with the economic impacts of the COVID-19 pandemic, one thing remains clear –  data privacy concerns abound and pandemic or not, businesses governed by the EU General Data Protection Regulation (“GDPR” or the “Regulation”) must remain compliant as the Regulation has no less bite than it did in the pre-pandemic era.

As companies struggle with the new economic reality, many are likely to contemplate shifting existing data protection office functions to other departments, such as legal, to save costs. This strategy should be well-thought-out and scrutinized from both a risk and an operational standpoint. The sobering reality is, those companies with the short-sighted view of the DPO as merely a line item on the company balance sheet are exposing their businesses and brands to significant risk.

This above is underscored by the recent decision of the Belgian Data Protection Authority (“DPA”). In April of 2020, the Belgian DPA imposed a €50,000 fine on a company as the DPA determined that the company’s appointment of its Head of Compliance, Risk Management and Audit to also serve as its DPO was tantamount to a conflict of interest. Specifically, the DPA found that Article 38(6) of the GDPR requires the DPO to have independent oversight of company data protection while maintaining confidentiality and secrecy.

More specifically, the Belgian DPA underscored that “independence” is a core requirement of a data protection officer. To satisfy this fundamental requirement, the DPO must be free from the Controller’s influence on the day-to-day duties of the DPO. Moreover, the DPO should, ideally, report directly to the Board of Directors or as high in the leadership chain as possible to demonstrate clearly and unequivocally that the DPO has an unimpeded line to the BOD, which bears the ultimate responsibility for GDPR compliance. The DPA’s ruling demonstrates a very real and direct impact for those organizations failing to establish an independent and autonomous data protection officer.

In addition to the regulatory requirement of DPO independence, such independence will promote confidence in data subjects that their rights are being adequately protected as the independent DPO is not just another cog in the corporate gears. Moreover, as articulated by the GDPR article 29 Working Party (“WP29”), the DPO is “a cornerstone of accountability and…can facilitate compliance and furthermore, become an advantage for businesses.” Thus, sufficient DPO independence and autonomy acts as both shield and sword by ensuring both regulatory compliance and building brand trust with data subjects.

For those companies struggling with the economic “new normal,” Article 37(6) of the GDPR provides a viable option; data protection office outsourcing. Companies looking to streamline their businesses and strengthen their balance sheets do not have to jeopardize DPO independence to do so. Finding the right DPO as-a-service can be the right strategy for companies of every size and industry.

From a purely optical perspective, choosing to leverage an outsourced DPO is a clear and unequivocal demonstration that the DPO is independent and autonomous. Of course, there must be sufficient interfacing and interaction between the outsourced DPO and all relevant business functions and requisite levels of company leadership. If this critical partnership is agreed to and established up-front, an outsourced DPO can offer tremendous benefit to the company.

In addition to achieving the critical need for DPO independence and autonomy, an organization relying on an outsourced DPO does not have to bear the heavy financial and operational costs required to develop and retain in-house expertise and technologies, which can be particularly appealing to smaller sized businesses from a financial viewpoint.

However, even larger businesses with the budget to build and maintain a sophisticated and effective data protection office can benefit from an outsourced DPO model as they are freed up to separate their business operations from their data protection office, thereby increasing operational efficiencies, maintaining DPO independence and autonomy, and minimizing head-count in these difficult economic times. Just as important, by relying on the outsourced DPO model, organizations overtly demonstrate their commitment to a truly independent office focused on protecting data subject rights, thereby enhancing their brands with customers who are increasingly concerned about protecting their privacy.

While the DPO is an easy target to reduce costs in the short term, the DPO role remains vitally important now as we begin to see economic recovery and a return to business operations on a global scale. As data protection regulation increases and budgets decrease, this is an opportune time for companies to explore the economic, operational, and brand benefits of an outsourced DPO model.