Hiring an external DPO? Here’s what to consider
First, what are your motivations?
This might sound weird to ask up front, but it really helps. Just take a moment and ask yourself where the idea to designate a Data Protection Officer came from. Common answers we heard include:
“A consultant said we should.”
“We need it to pass certain certifications.”
“It’s mandatory by law.”
“It will make the company GDPR compliant.”
By the end of this article, you should have enough information to make a decision that is both lawful and appropriate for your company.
Regardless of where you are right now, including a DPO in your organizational structure and hiring a person for this role is a very big deal. The illusion of “solving the issue” simply by externalizing the tasks to a service provider is all the more dangerous because it bypasses some prior questions every company should ask.
Are you legally obliged to designate a DPO?
Before going into the details of what a DPO does, let’s get this myth out of the way: not all organizations need to appoint a DPO.
The requirement does not depend on company size or industry. You simply need to look at the source, which is Article 37(1) of the GDPR. There are three cases where organizations need to designate a DPO, and you should assess whether any of them applies to you:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
In addition to reviewing the GDPR provisions, you should also look at national GDPR implementation legislation, which, depending on the country, might add to the situations that trigger the obligation to appoint a DPO. For example, Romanian Law no. 190/2018 includes an interesting article that ties the processing of national identity numbers on the basis of legitimate interest to the appointment of a DPO, as one of the safeguards for that processing.
What does a DPO actually do?
OK, let’s say you are not legally obliged to designate a DPO, but you are thinking about doing this because it might help your company.
Some organizations assume that once they hire a DPO, that individual will handle all privacy measures and “make the company GDPR compliant.” This expectation is misleading.
So, let’s examine the DPO role and see whether other roles (e.g., Data Protection Manager, Privacy Manager, CISO, etc.) would be more appropriate for your needs.
If you read Article 39 of the GDPR carefully, which regulates the tasks of a DPO, you will not find any language suggesting that the DPO should implement all privacy measures or is responsible for ensuring that the organization is GDPR compliant.
Here are the main tasks of a DPO:
informs and advises about data protection obligations
monitors compliance with data protection legislation and the organization’s policies (see, it does not provide that the DPO implements the compliance measures)
provides advice, where requested, on data protection impact assessments and monitors their performance (note that it doesn’t instruct the DPO to carry out the DPIA)
cooperates and acts as a contact point for the supervisory authority and for data subjects.
So essentially, the DPO is concerned with oversight and advice and acts as a contact point for the supervisory authority and data subjects.
Bummed out that the DPO role is not what you hoped for?
This is no reason to get stuck or give up on the data protection program altogether. Here are some practical recommendations for setting up your internal privacy roles:
The DPO can do more, but it’s a fine balance.
First of all, art. 39(1) says that the DPO has “at least” the listed tasks, so the list is open, while art. 38(6) provides that the DPO may fulfil other tasks and duties, provided that they do not result in a conflict of interests. Consequently, the DPO does not have to limit their job description to the tasks explicitly provided in the GDPR. So, you can add tasks for the DPO, but in all cases, you must be careful not to fall into any of these traps:
Conflict of interest: this is the bogeyman topic when it comes to DPOs. It basically means that whatever additional tasks and duties a DPO might have, they should not put the DPO in the position of deciding on the purposes and means of processing personal data. This is because the DPO is essentially an oversight position: they should not be monitoring the compliance of their own data processing activities. Looking at the EDPS recommendations on the topic, we see that other situations might also point to a conflict of interest, such as reporting lines that undermine the DPO’s independence and dependence on others for the DPO’s budget.
Overburdening the DPO: If you keep adding straws to the camel’s back, you might break the key legal requirements applicable to the DPO role. If the DPO does not have the time and resources to fulfil their fundamental tasks under Articles 38 and 39 GDPR because they are too involved in the small day-to-day stuff, then the organization is in violation of the GDPR.
Maybe you need other types of data protection roles.
Stop believing that the DPO is the only privacy-related function out there. You might actually only need a role that is involved firsthand in designing data protection compliance measures, and this might be a Privacy / Data Protection Manager. Here are the advantages:
You do not need to follow all formalities concerning the role of the DPO, if you are not legally obliged to appoint one.
A manager on this topic can be more involved in designing and overseeing the implementation of data protection measures in the organization.
The job description and reporting chain are more flexible, but you should keep in mind what you need in the end. If someone is in a conflict of interest or feels that their opinions are unduly influenced, this does not help the organization achieve compliance.
Make everyone feel responsible for complying with data protection legislation.
Remember that all employees who process personal data should know and observe the legal requirements – this is not a one-person job. This is achieved through training and awareness, which can be complemented by creating a network of Privacy Champions or Privacy Liaisons in each team/department where personal data processing occurs.
Still thinking about hiring an external DPO?
If you do need—or want—a DPO and are considering external providers, here are some key points:
Professional background: The GDPR does not limit the professional qualification of the DPO and does not impose a specific background. However, do mind the requirement that the DPO should have “expert knowledge of data protection law and practices”. Since the GDPR is neutral and general and should be applied in the context of other laws (e.g., employment, financial, consumer protection, etc.), make sure that the DPO is helped by lawyers who can advise on the relevant fields of law.
Years of experience: The GDPR does not refer to this matter, but it does say that the DPO must be designated “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. Since this is an oversight role, we discourage assigning it to absolute beginners in the field (even if they have already been with the organization for some time in a different role), and we recommend asking for information about previous experience.
External vs. Internal: There is no good or bad between choosing an external vs an internal DPO. It all depends on (a) the professional qualities of the DPO, (b) the resources they have at their disposal, and (c) the cooperation with management and all members of the company.
Keep close: When hiring an external DPO, make sure they are aware of the company’s operations and activities. With fractional roles, it is very easy to become estranged. If the DPO does not know what is going on, they will never be able to advise on the data protection obligations. Keeping the DPO involved is also an explicit requirement of the GDPR: Article 38(1) requires that the DPO be involved “properly and in a timely manner” in all issues which relate to the protection of personal data. Set up efficient communication channels and make sure the DPO can access discussions or receive briefings about data processing activities. Especially if the DPO is external, they will need trusted liaisons within the company who can keep them informed about ongoing projects and issues.
Reporting channels: Ensure that the DPO has open communication channels with the company's higher management. According to the GDPR, the DPO “shall directly report to the highest management level.” This is crucial when swift action is needed to eliminate or reduce risks, so make sure you are not pushing the DPO to the fringes of your company.
Contractual clarity: If you hire an external DPO, set clear fees and define the workload together. They can only work within the scope of the contract, so expectations on both sides need to be realistic.
How We Can Help
If you’re creating or refining data protection roles within your organization, we can:
Serve as your external (fractional) DPO or in other privacy-related roles.
Advise on setting up DPO or privacy roles (job descriptions, reporting chains, policies, procedures, etc.).
Offer guidance in selecting the right DPO or privacy specialist for your needs.
With the right approach and clear expectations, you’ll ensure that data protection is more than a box-ticking exercise—it will be part of your company’s culture and risk management framework.