Should your company outsource the Data Protection Officer role?



If your business regularly handles large volumes of personal data or processes data related to criminal convictions and offenses as part of your core activities, you need to hire a Data Protection Officer (DPO).

Article 37 of the General Data Protection Regulation (GDPR) states that a DPO is a legal requirement if your company’s data processing activities match those outlined in the first paragraph.

Even if the appointment of a DPO is not a legal requirement for your business, it is still worth considering. You may handle data in a way that falls outside of the legal requirement for appointing a DPO, but you would still be liable for any improper use of that data. Appointing a DPO would be a significant help in achieving data compliance.

But that doesn’t necessarily mean you should start writing up a job advert for a new full-time employee. Article 37 allows for DPOs to split their time between several organizations. This is known as an outsourced DPO service.

Supply and Demand

It’s a good time to be a Data Protection Officer. The GDPR legislation introduced in 2018 has made it a legal requirement for many firms to employ them. With so many firms legally obligated to hire them, the demand for DPOs is outstripping supply. As all good business owners know: when that happens, prices go up.

For small and medium-sized enterprises, this creates a problem. They have to employ an individual with in-demand skills, yet they might only need this individual for a few hours per month. This leaves you with a couple of options:

You could hire a full-time DPO and assign them work unrelated to data protection to fill their hours. The DPO is unlikely to be highly skilled on multiple fronts that your business just happens to need. As a result, you could end up with a very highly paid administrator for 38 hours of the 40-hour work week. To make matters worse, involving your DPO in other areas of your organization could compromise their independence. It will be harder for them to objectively assess and monitor data processing activities if they take part in them.

Alternatively, you could hire someone who will perform the same role for multiple firms. Fortunately, the need for such services has been identified by data security firms and law firms, who can outsource these skills to you.

Benefits of outsourced DPOs

Aside from not being saddled with an extra employee who is largely redundant for most of the week, there are added benefits to an outsourced DPO.

Teamwork

While one individual will be designated as your legal DPO, you will be able to call on the expertise of a whole team. Firms providing outsourced DPO services will be able to employ numerous people with the required data protection skills. If a situation arises that your designated DPO is unfamiliar with, they will be able to rely on the support of their team to solve your problem. Your outsourced DPO team will be working in numerous organizations. This means they will rack up far more experience than an individual DPO assigned to just one firm.

Specialism

Firms providing outsourced DPO operations will also ensure their team has specializations in various industries. Not all data processing is created equal, and while the GDPR laws have a broad scope, they will impact different industries in different ways. It may prove easier to appoint a DPO with relevant industry knowledge by using an outsourced DPO service than by hiring an individual.

Independence

If you are concerned about issues of independence, having an outsourced DPO will help allay those fears. It’s very easy for a full-time employee to become close friends with other employees. They can become overly involved in the success of the company. Generally, this is what you would want from one of your employees, but with a DPO there has to be a level of independence.

Your employees won’t be spending much time with your outsourced DPO. There won’t be a great deal of integration of the outsourced DPO into your company. They will spend time with other companies, and your business will have more of a client-to-contractor relationship with them.

Scale

Your business’ activities might not be the same in a few years’ time. Industries change. The amount of data that you might need to collect and process, and the way that you do it could easily change in the near future. Those changes might demand a different level of involvement from your DPO. With an outsourced DPO, it is easier to scale up or down their level of involvement in your company. A traditional employee might not be so flexible with their hours.

Conclusion

For small and medium-sized enterprises, there are huge advantages in an outsourced DPO. Larger organizations might require a full-time employee dedicated to just their business; smaller organizations, however, may need nowhere near that number of hours. As such, an outsourced DPO may not only be advantageous, it may be the only viable solution.