They should be alarmed. A failure to appoint a DPO can carry a substantial fine of EUR 10 million or up to 2 percent of the company’s global turnover for the previous year, whichever is higher.
What Does a DPO Do?
A DPO does not exist only to handle extreme situations such as breaches. A DPO will also communicate with the regulatory authorities and provide useful advice to the company regarding data protection impact assessments, best practices and other legal obligations for data handling.
DPOs must be independent. They report only to upper management, and they should be present at company meetings.
The GDPR does not prescribe any official educational requirements for the role of a DPO. Still, a DPO evidently must be competent enough to handle all of the duties mentioned above. A DPO may be a person from within the company, but most often, and especially in small companies, there are no adequately trained staff.
A Booming Market
It is expected that up to 75 thousand new DPOs will be required all over the world as a consequence of the GDPR. Large companies will undoubtedly have to redesign their privacy departments if they have not done so already. A substantial number plan to hire new staff to deal with mounting privacy issues.
However, not all companies have to appoint a DPO. Companies (including SMEs) are exempt as long as they do not process sensitive data or if their core business is not data processing. But even small companies can benefit from a DPO without it costing them a fortune. We strongly advise that all companies doing any kind of data processing appoint one.
Smaller companies are finding themselves in a bind. They are most often in need of quality guidance for data processing, but lack the necessary know-how, as hiring privacy staff can be a significant expense.
Outsourcing: A Solution?
The solution for most problems faced by small companies seems to be outsourcing. In many cases, DPO-sharing between the parent company and its subsidiaries can also be a viable option. A single DPO can work for several small businesses, as each has only a light workload due to its occasional processing. Outsourcing a DPO can also be beneficial if the current DPO is on vacation, or if the workload temporarily increases.
Hiring a full-time DPO or training someone from within the company to take over the role would be an unwise choice: the former because of the large costs, the latter because of the added responsibilities and the risk of inadequate training. Conflicts of interest can arise if an employee changes roles or takes on a dual role in the company, e.g. HR and DPO.
DPO Fees
An outsourced DPO can work for your company on a fixed-fee or a per-hour basis, with services that you should agree upon beforehand. It is a good solution not only to satisfy the requirements of the GDPR, but also to ensure your company is employing proper data handling and privacy policies for a moderate sum of money. A good DPO will provide invaluable guidance to your company, and perhaps even save you money in the long term through the introduction of automated workflow processes.
Potential Issues
An outsourced DPO is not a good solution for larger companies or those who base their business on data processing. These will simply require dedicated staff who will be able to handle all the issues and the workload in a timely manner.
Take care to negotiate the exact range of services with your outsourced DPO in order to avoid any misunderstandings and disappointments. Remember to budget for any additional resources the role of a DPO could require.
Companies providing DPOs should be careful to avoid conflicts of interest. Your company should never force a DPO to make unwarranted decisions to your liking. Remember, a DPO must be independent; whatever they are doing, they are doing it for the good of the company (and to avoid huge fines).
A Solid Choice
Overall, outsourcing a DPO is a great and cost-effective option for smaller businesses that want (or have) to hire a privacy expert or seek advice. It is a simple and usually worry-free option, as long as your core business does not include complex data processing on a large scale.