News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to contract with your outsourced DPO Related reading: A view from DC: Will Maryland end the era of notice and choice?

rss_feed

""

Organizations that find themselves in need of a data protection officer under the EU General Data Protection Regulation will need to decide on whether to staff it internally or outsource it, whether it is a full-time or part-time position, and whether the DPO will handle their responsibilities hands-on or by mentoring, overseeing, or training others. If an organization has decided on outsourcing the DPO role and selected its DPO based on their skills for the role, an agreement must be reached on a services contract. This involves certain legal considerations important to the parties, addressing DPO-specific issues that may arise and determining the types of outsourced DPO services desired.

DPO contract considerations

Each party to a DPO services contract will want specific provisions. For the DPO-services firm, the key terms are those minimizing their legal liability exposure. A controller/processor is liable for damage caused if its processing activities infringe the GDPR or if a processor acts “outside or contrary to lawful instructions of the controller.” Article 79 allows a data subject to bring a lawsuit against a controller or processor for non-compliance that infringes her/his rights. A DPO is excluded from direct liability to data subjects (“DPOs are not personally responsible in case on non-compliance with GDPR," per the Article 29 Working Party) but that does not mean that a DPO could not be targeted for legal action from the controller, processor, or affected non-data-subject third parties. And DPAs can issue significant fines for non-compliance, though it is unclear when they might do so against a DPO, who is required to cooperate, consult, and be a point of contact with the DPAs.

While an outsourced DPO cannot have their contract terminated “unfairly” by the controllers/processors for “performing their tasks,” what if the DPO does not carry out their responsibilities or does so negligently? What if the DPO provides professional advice that is inaccurate, not based upon an independent stance, or based upon a conflict of interest? Not only does a DPO need to have professional liability insurance to address claims for negligence in his/her role, but they require services-contract language that requires that the controller/processor indemnify the DPO for any third-party legal actions and limits the DPO’s legal liability exposure within their relationship with the controller/processor.   

Other contractual provisions should echo the GDPR, such as acknowledging the DPO’s independence and the process to use when there is a difference in opinion. The contract should represent there are no current conflicts of interest. The contract term should be of a specific duration and not tied to any outside events or actions. There need to be specified turnover activities upon termination, including allowing the DPO to retain certain documentation. The DPO’s budget for legal advice and training to maintain her/his expert knowledge should be detailed. Confidentiality rules and reporting lines must be specified.

DPO contract issues

When negotiating the DPO services agreement, unexpected issues can arise. For example, an outsourced DPO may be offered compensation paid partly in company stock. Can the DPO accept this form of remuneration without a conflict of interest arising between their role in providing independent advice and wishing for rapid share price growth? Is an outsourced DPO required to only accept compensation in the form of cash payments not tied to the prospects of the controller/processor? Even if this does not create an immediate conflict of interest, but a conflict were to arise sometime in the future, would the stock have to be divested at no gain? Unusual compensation would have to be clarified in the contract.

The independence of the outsourced DPO requires separate data and email storage for legal professional privilege materials and communications, as the controller will retain possession of the DPO’s company storage upon contract termination. Imagine the DPO has collected personal data by being contacted directly by a data subject under Article 38(4). When that data subject later demands their rights to erasure under Article 17, does the outsourced DPO have a sufficient legal basis to continue processing the data subject’s data by retaining it on their separate data storage? To avoid this, an outsourced DPO should try to minimize their need to store data subject personal data. This separate data store based upon data minimization and defined retention periods should be clarified in the agreement.

The issue of independence arises when a DPO needs legal advice. It is best if the DPO is a lawyer so that they can handle all aspects of data protection legal issues. There are times though when the DPO may want to turn to another lawyer for legal advice, whether to receive a second opinion, insights into unsettled areas of law, or details of cases or statutes in other jurisdictions. Which lawyer can a DPO take legal advice from? Advice from the controller’s in-house counsel would call into question the DPO’s independence. The controller’s external counsel may, with certain safeguards, be sufficiently freed of conflicts. However, DPOs should understand that many law firms have stayed out of the outsourced DPO services market due to potential conflicts of interest. When a DPO and the controller and their counsel differ significantly in their opinions, the DPO would need to engage a separate law firm and the contract needs to address this possibility.

DPO contract services

The main commercial focus will be on the services provided by the outsourced DPO. WP29 recommends the controller “outline … in the DPO’s contract … the precise tasks of the DPO and their scope.” Outsourced DPO services occur both when fully engaged and as a series of potential startup services. The structure of the DPO role is also important, as the outsourced DPO does not need to be the doer of all tasks. Instead, the DPO may be in a role where they are instructing or mentoring less experienced staff who will eventually take over the DPO role. The controller/processor must decide on the DPO role structure, the tasks outsourced, and the startup versus ongoing services.

There is always the question of whether a controller or processor needs a DPO. Sometimes a DPO is clearly required and other times clearly not required, but the most prevalent situation is likely to be where it is either not clear one is required or when it would just be better to voluntarily have one than not. The WP29 recommends that “unless it is obvious” that a DPO is not required, there should be an internal analysis documenting the factors that were considered and the conclusion that was reached. While this is the responsibility of the controller/processor based on their accountability, there is no reason why the outsourced DPO cannot document and supplement this analysis, adding their expertise on data protection law.

Before beginning the ongoing DPO role, there may be a variety of startup activities. As required tasks, the DPO would have to gain an understanding of the organization’s data protection posture shown through its policies, procedures, actual practices, and the level of awareness and commitment across the organization. The DPO would also need to understand the significance of any findings that must be remediated to reach a minimally compliant data protection program. The outsourced DPO must also understand in detail whether the resources and time that will be available are sufficient to perform the role, as well as the necessary communication channels.

Optional activities may have immediate deadlines or not fit within the time constraints of the ongoing role. For example, the controller/processor may require a data processing workflow/inventory to determine what personal data is being processed, a DPIA may be required for new technologies or processes, a data protection compliance audit may be required to create a baseline to measure future progress against, an analysis of the implications of GDPR may be necessary for organizations not sufficiently prepared, and other activities such as advising on information security policy creation and privacy by design may be needed.

photo credit: ThoroughlyReviewed Legal Contract - Must Link to https://thoroughlyreviewed.com via photopin (license)

Author
Headshot Thomas Shaw, CIPP/E, CIPP/US IAPP Member Contributor
Tags
Enforcement
Privacy Operations Management
3 Comments

If you want to comment on this post, you need to login.

  • comment Nader Henein • Nov 2, 2017 
    So we're back again to recommending that the DPO be a lawyer! Over the past year, we have seen demonstrable proof that putting doing so leads in one of two directions: 
1) The Loophole Hunt: the DPO spends the majority of their time trying to find loopholes to escape applicability rather than protecting data subject rights.
2) KYA Paralysis: the business is brought to a standstill as the risk to proceed in almost any direction is deemed too great. 

All the GDPR requires is that organizations focus on better preserving the rights of data subjects, everything else is noise. The DPO, whether internal or outsourced should focus on the practicalities of that task, if they spend their time pondering remote "what ifs" (which seems to be the cornerstone of the corporate lawyers profession) then that takes time away from the actual work.
  • comment Deena Coffman • May 6, 2018 
    I agree, Nader.  While a privacy lawyer is an important contributor, the technology,  process and financial aspects comprise 85% or more of the work that needs to be done in building and managing a privacy program.  Equating all of privacy with just the legal component is extremely short-sighted.  Imagine someone stating that all HR professionals should be lawyers because of employment laws.  Or, that all CFOs should be lawyers because of SOX.   Or, ..... well, you get my point.
  • comment Kurt Kane • Dec 3, 2023 
    <p>An outsourced DPO does not have to be a lawyer. Just someone with experience on the various international data privacy laws. </p>
Related Stories
FISA Section 702's Reauthorization Era
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
A view from Brussels: To be sovereign, or not to be
From another delay to the European Agency for Cybersecurity's European Cybersecurity Certification Scheme for Cloud Services, to the European Data Protection Board's strategy for 2024-2027, Parliament's adoption of the European Health Data Space, and ramped up enforcement of the Digital Services Act...
Read More queue Save This
ANPD unveils efforts to streamline DSAR process
Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, and the Ministry of Management and Innovation in Public Services Management and Innovation Secretariat presented a process for streamlining data subject access requests. The improvements include simplifying complaint f...
Read More queue Save This
Related Stories
Tags
Enforcement
Privacy Operations Management
Recent Comments