Organizations that find themselves in need of a data protection officer under the EU General Data Protection Regulation will need to decide on whether to staff it internally or outsource it, whether it is a full-time or part-time position, and whether the DPO will handle their responsibilities hands-on or by mentoring, overseeing, or training others. If an organization has decided on outsourcing the DPO role and selected its DPO based on their skills for the role, an agreement must be reached on a services contract. This involves certain legal considerations important to the parties, addressing DPO-specific issues that may arise and determining the types of outsourced DPO services desired.
DPO contract considerations
Each party to a DPO services contract will want specific provisions. For the DPO-services firm, the key terms are those minimizing their legal liability exposure. A controller/processor is liable for damage caused if its processing activities infringe the GDPR or if a processor acts “outside or contrary to lawful instructions of the controller.” Article 79 allows a data subject to bring a lawsuit against a controller or processor for non-compliance that infringes her/his rights. A DPO is excluded from direct liability to data subjects (“DPOs are not personally responsible in case on non-compliance with GDPR," per the Article 29 Working Party) but that does not mean that a DPO could not be targeted for legal action from the controller, processor, or affected non-data-subject third parties. And DPAs can issue significant fines for non-compliance, though it is unclear when they might do so against a DPO, who is required to cooperate, consult, and be a point of contact with the DPAs.
While an outsourced DPO cannot have their contract terminated “unfairly” by the controllers/processors for “performing their tasks,” what if the DPO does not carry out their responsibilities or does so negligently? What if the DPO provides professional advice that is inaccurate, not based upon an independent stance, or based upon a conflict of interest? Not only does a DPO need to have professional liability insurance to address claims for negligence in his/her role, but they require services-contract language that requires that the controller/processor indemnify the DPO for any third-party legal actions and limits the DPO’s legal liability exposure within their relationship with the controller/processor.
Other contractual provisions should echo the GDPR, such as acknowledging the DPO’s independence and the process to use when there is a difference in opinion. The contract should represent there are no current conflicts of interest. The contract term should be of a specific duration and not tied to any outside events or actions. There need to be specified turnover activities upon termination, including allowing the DPO to retain certain documentation. The DPO’s budget for legal advice and training to maintain her/his expert knowledge should be detailed. Confidentiality rules and reporting lines must be specified.
DPO contract issues
When negotiating the DPO services agreement, unexpected issues can arise. For example, an outsourced DPO may be offered compensation paid partly in company stock. Can the DPO accept this form of remuneration without a conflict of interest arising between their role in providing independent advice and wishing for rapid share price growth? Is an outsourced DPO required to only accept compensation in the form of cash payments not tied to the prospects of the controller/processor? Even if this does not create an immediate conflict of interest, but a conflict were to arise sometime in the future, would the stock have to be divested at no gain? Unusual compensation would have to be clarified in the contract.
The independence of the outsourced DPO requires separate data and email storage for legal professional privilege materials and communications, as the controller will retain possession of the DPO’s company storage upon contract termination. Imagine the DPO has collected personal data by being contacted directly by a data subject under Article 38(4). When that data subject later demands their rights to erasure under Article 17, does the outsourced DPO have a sufficient legal basis to continue processing the data subject’s data by retaining it on their separate data storage? To avoid this, an outsourced DPO should try to minimize their need to store data subject personal data. This separate data store based upon data minimization and defined retention periods should be clarified in the agreement.
The issue of independence arises when a DPO needs legal advice. It is best if the DPO is a lawyer so that they can handle all aspects of data protection legal issues. There are times though when the DPO may want to turn to another lawyer for legal advice, whether to receive a second opinion, insights into unsettled areas of law, or details of cases or statutes in other jurisdictions. Which lawyer can a DPO take legal advice from? Advice from the controller’s in-house counsel would call into question the DPO’s independence. The controller’s external counsel may, with certain safeguards, be sufficiently freed of conflicts. However, DPOs should understand that many law firms have stayed out of the outsourced DPO services market due to potential conflicts of interest. When a DPO and the controller and their counsel differ significantly in their opinions, the DPO would need to engage a separate law firm and the contract needs to address this possibility.
DPO contract services
The main commercial focus will be on the services provided by the outsourced DPO. WP29 recommends the controller “outline … in the DPO’s contract … the precise tasks of the DPO and their scope.” Outsourced DPO services occur both when fully engaged and as a series of potential startup services. The structure of the DPO role is also important, as the outsourced DPO does not need to be the doer of all tasks. Instead, the DPO may be in a role where they are instructing or mentoring less experienced staff who will eventually take over the DPO role. The controller/processor must decide on the DPO role structure, the tasks outsourced, and the startup versus ongoing services.
There is always the question of whether a controller or processor needs a DPO. Sometimes a DPO is clearly required and other times clearly not required, but the most prevalent situation is likely to be where it is either not clear one is required or when it would just be better to voluntarily have one than not. The WP29 recommends that “unless it is obvious” that a DPO is not required, there should be an internal analysis documenting the factors that were considered and the conclusion that was reached. While this is the responsibility of the controller/processor based on their accountability, there is no reason why the outsourced DPO cannot document and supplement this analysis, adding their expertise on data protection law.
Before beginning the ongoing DPO role, there may be a variety of startup activities. As required tasks, the DPO would have to gain an understanding of the organization’s data protection posture shown through its policies, procedures, actual practices, and the level of awareness and commitment across the organization. The DPO would also need to understand the significance of any findings that must be remediated to reach a minimally compliant data protection program. The outsourced DPO must also understand in detail whether the resources and time that will be available are sufficient to perform the role, as well as the necessary communication channels.
Optional activities may have immediate deadlines or not fit within the time constraints of the ongoing role. For example, the controller/processor may require a data processing workflow/inventory to determine what personal data is being processed, a DPIA may be required for new technologies or processes, a data protection compliance audit may be required to create a baseline to measure future progress against, an analysis of the implications of GDPR may be necessary for organizations not sufficiently prepared, and other activities such as advising on information security policy creation and privacy by design may be needed.
photo credit: ThoroughlyReviewed Legal Contract - Must Link to https://thoroughlyreviewed.com via photopin (license)