As the deadline for the implementation of the GDPR nears, many if not most companies outside those early starters have not yet filled their DPO role as required under the new regulation. There are essential job skills and appropriated profession to fill such roles, as discussed in earlier articles on the topic. With the limited quantities of qualified and experienced DPOs insufficient to meet the market demand, there will be a hurried rush to reserve any available resources for dedicated use. For everyone else, they will most likely need to outsource their DPO role, as allowed by the GDPR using a services contract.

The good news is that there is a veritable army of vendors ready to meet these needs. Roughly, this breaks down into three categories. There are firms offering DPO cloud apps, task checklists and work aids in varied formats. A second category is those firms offering DPO training and all manners of DPO skill certification. The third category comprises those firms offering real people to provide the DPO service, either full- or part-time, at monthly or hourly rates. As the first two categories apply to companies that already have a resource designated to fill the DPO role, this article will focus on outsourcing of the role, with an external resource providing DPO functions under a services contract.

Here's what controllers need to know before contracting with a DPO outsourcing firm as well as some questions to ask a potential DPO before selecting a candidate.

Things to know

Some controllers may be surprised by this, but hiring a DPO does not let them off the hook. Not one bit. The controller remains fully responsible for complying with the GDPR, including conforming to the principles for lawful processing of personal data in the GDPR, ensuring the rights of data subjects, protecting data through technical and organizational security measures, keeping records of processing, cooperating and consulting with supervisory authorities, providing notification of data breaches, carrying out data protection impact assessments as appropriate, and ensuring the appropriate authority exists to transfer personal data outside the European Economic Area.

While outsourcing is typically a risk treatment technique that allows for the sharing of risk with the outsourcing firm, that is not really the case in the outsourcing of the DPO role. 

Controllers, who determine “the purposes and means of the processing of personal data,” and processors working on their behalf, should think of the DPO as someone who helps facilitate compliance for the controller’s role, not someone who replaces it. The role of the DPO is to carry out the following tasks: Be timely involved with all issues relating to the protection of personal data; consult with controllers on DPIAs; instruct controllers and processors on their obligations under the GDPR; receive communications from data subjects regarding their rights and processing of their data; monitor compliance with the GDPR and related laws and the controller’s policies; facilitate or carry out audits; attend DP meetings; and cooperate and consult with supervisory authorities.  

Controllers also need to understand that DPOs must remain independent. DPOs have concurrent responsibilities to the controller’s operational teams, to the board of directors, to data subjects, and to the local data supervisory authority, and so cannot significantly tilt in any of these directions. Think of the DPO’s independence as a center tent pole holding up the whole canvas, and what happens if it leans in any direction. Controllers also must not instruct DPOs in the performance of their tasks and need to provide the DPO the necessary resources to carry out their tasks. Enhancing their independence is the prohibition that DPOs cannot be penalized or dismissed by controllers or processors for performing their tasks, including termination of DPOs working under a services contract.

Controllers must understand that they remain legally liable to data subjects for the processing of their personal data. While outsourcing is typically a risk treatment technique that allows for the sharing of risk with the outsourcing firm, that is not really the case in the outsourcing of the DPO role. Data subjects can initiate litigation against controllers and processors under the GDPR for damages resulting from infringements of that regulation, but there is no specification for data subjects bringing a claim against a DPO.

Controllers not established in the EU need to evaluate whether they require a DPO, as the GDPR applies to non-EU controllers and processors who offer goods and services to EU residents or monitor EU residents’ behavior. All controllers, as a threshold question, must first know if a DPO is required. DPOs are required for public entities and for private entities whose core activities include processing that “require regular and systematic monitoring of data subjects on a large scale” or “processing on a large scale of special categories of data,” plus processing of personal data on criminal offenses and convictions.  

If the controller does not have the internal ability to analyze this question, perhaps it can be done and documented by tasking potential DPOs to justify the need for their role. Voluntarily designating a DPO even if one is not strictly required is encouraged by the EU’s data protection authorities, who view DPOs as “cornerstones of accountability,” facilitating GDPR compliance and a potential competitive advantage in business.

Questions to ask

Controllers outsourcing the DPO role must gain assurance through interviews, presentations, and questionnaires that the potential outsourced DPO has the professional skills and capabilities for the role. Some skills, such as the ability to communicate well and handle the required relationships, can be evaluated while interviewing a DPO candidate. A non-exhaustive list of questions to ask a DPO candidate should include at least the following, where “you” refers to the DPO candidate and not the DPO outsourcing firm:

• How many years have you been involved with the laws of privacy, data protection, and information security?
• How many years have you been involved with each of: IS auditing, IT infrastructure, data management, risk management, and software programing?
• What relevant professional licenses and certifications do you possess?
• What professional associations related to data protection are you a member of?
• What risk assessment methodology would you utilize as a DPO and why?
• What types of DPIAs, privacy seals, and information security standards certifications have you been involved in?
• What types of organizations and projects have you led?
• Which countries have you practiced professionally in?
• Will you be resident in an EU member state for the duration of the contract?
• How do you stay informed on emerging trends in technology and law?
• How will you maintain your independence while working closely with us?
• Do you or your firm have any existing or potential conflicts of interest in taking on this DPO role?
• To what extent will you need to rely on your firm’s knowledge, experience, and capabilities to supplement your own?
• Are you able to provide legal advice on data protection? What is the scope of that advice, and where will you refer matters beyond that scope?
• What experience and ethical obligations do you have to maintain confidentiality?
• What subject areas have you taught professionally and raised awareness on?
• What relationship do you have with the local data supervisory authority?
• How familiar are you with our industry, technologies, and processes?
• How do you address your potential exposure to legal liability for this role?
• In what manner, and how often, will you keep the board informed of your activities?
• (For non-EU controllers) What experience do you have with our laws and culture?
• What type of resources will you need to assist you in your DPO role?
• If you provide this service on a periodic basis (e.g., certain hours per month), how will you be available if the need arises (e.g., data breach, new systems, new processing)?
• What are the first three things you would do in your role as our DPO?