When Instagram was fined a record 405 million euros in Ireland this month for alleged mishandling of teens’ data, it was another high-profile reminder of the importance of data privacy in the digital world. With complex regulatory requirements, increased consumer awareness and greater expectations placed on organisations, the way in which customer data is generated, processed and stored has become a key consideration for companies of all sizes.
For some, the solution lies in outsourcing the Data Protection Officer (DPO) function to legal or privacy expert partners, providing the external expertise required to maintain compliance. This approach has its benefits, but it comes with considerations too. Let’s explore the pros and cons of outsourcing a business’ data protection function.
Privacy by Design
The main point to make when considering outsourcing compliance functions is that whilst it is helpful to have experts to guide and advise a business, outsourcing does not remove the need for internal governance functions, policies, procedures, training and staff awareness of a company’s data protection obligations and responsibilities. This is referred to in data protection laws as a ‘Privacy by Design’ approach – outsourcing cannot fix or absolve a company of those responsibilities. As such, any outsourced DPO function needs to go hand in hand with a business’ internal governance framework and privacy function.
Once that principle is understood and applied, there are three clear benefits to an external DPO function:
Accessing specific knowledge and expertise. Under Article 39 of the UK GDPR, the Data Protection Officer must inform and advise the controller / processor of their obligations under applicable data protection law and monitor the organisation’s compliance with relevant legislation. DPOs must therefore have an understanding of and be an expert in applicable data protection law. It is easy to see why organisations may wish to outsource their DPO function if they do not have a suitable depth or breadth of expertise in data protection matters in-house.
Avoiding potential conflicts of interests. Under the UK GDPR, the exercise of a DPO’s duties must not result in a conflict of interests. The UK GDPR does not specifically set out how exactly these conflicts of interests may arise, but the European Data Protection Board has clarified that the DPO cannot hold a position within the organisation that leads them to determine the purposes and the means of the processing of personal data.
Any individual’s suitability for the DPO role will need to be analysed on a case-by-case basis, but examples of individuals who should not oversee the DPO function might include senior management positions such as the CEO or COO. Organisations may therefore choose to appoint an external DPO in order to avoid the risk of such conflicts of interests.
Responding to high volumes of queries. The DPO’s duties under Article 39 of the UK GDPR may well require them to respond to high volumes of data subject queries and/or see to particularly onerous data protection-related tasks which they may not have the time or resources to manage effectively. By outsourcing some proportion of its DPO function, an organisation can use external data protection specialists with sufficient person-power to manage the more time-consuming data privacy-related duties, leaving its own employees to focus on wider business activities.
For example, where an individual lodges a complex Data Subject Access Request (DSAR) with an organisation, a DPO / their team, depending on the size of the organisation, will often be required to sift through large quantities of information to discern which data are disclosable and which may be subject to an exemption. An outsourced DPO can administer DSARs in a more time-efficient manner, and provide a more objective insight as to whether exemptions may apply to certain data.
There are other considerations to make too, not least the scale and costs of outsourced services. Some DPO duties lend themselves to being carried out by a third party outside the business, such as the volume tasks mentioned above, but for others it will be more appropriate to carry them out in-house. For example, effective data mapping requires an intricate knowledge of the company’s day-to-day business processes that may be difficult to communicate to a third-party provider. Likewise, an internal DPO (or data protection ‘lead’ where a DPO isn’t formally required) may find it easier to monitor the company’s ongoing data protection compliance, given their involvement in the organisation’s operations.
Businesses may therefore wish to consider a hybrid approach, whereby some DPO functions are contracted to an external provider while certain duties are fulfilled within the organisation. Which processes are outsourced and which processes remain internal will depend on the specific processing activities carried out and where internal capabilities and strengths lie. Experts could also be engaged to work with a business to create an internal privacy framework which is then applied uniformly both internally by staff, and externally by an outsourced DPO function.
Finally, remember that outsourcing an organisation’s DPO function does not absolve that organisation from its wider obligations under the UK GDPR. Companies with an external DPO must still maintain robust data protection policies, promote good data protection practices at every level of the business and generally uphold the data protection principles.
External DPO service providers, whilst offering valuable benefits to the organisation, are not a one-stop shop for privacy and data protection compliance. The appointing organisation may still be subject to regulatory intervention should it fall short in its data protection practices.