As we all know, the General Data Protection Regulation, or as it is often referred to, “the GDPR”, states that all organisations should appoint a data protection officer (DPO) if they are a public authority or body, or if they carry out certain types of personal data processing activities. The ICO website has a list of activities that fall into this category, but for simplicity, it is basically data that relates to an identified or identifiable individual.
So there’s no way around it, right?
But is it best to work with an external GDPR consultant or to nominate someone within the business? The ICO allows you to do either, so which is the best route? Obviously, as we are the Data Protection People, we argue that it is better to use a trained external GDPR consultant, and this blog is all about the reasons why.
I guess the most obvious argument is one of resource resilience and backup. Most organisations don’t have the luxury of a DPO team, so if one person is off work or ill, the business is left with limited or no backup. At best there might be another team member with some knowledge, but you are then entering the realms of inaccurate advice and, at worst, accidental non-compliance.
As people say, a bit of knowledge in the wrong hands can be dangerous.
A further point on resilience is that one person can never have all the answers. The GDPR is a very complex piece of legislation and it is open to interpretation. In short, even the most experienced DPO can make mistakes, so it is much better to have the option to dip into a wider pool of resources so that complex issues can be discussed across a broader pool of expertise. This helps to eliminate individual errors and provides resource backup when needed.
The second argument for an external GDPR consultant would be one of independence. Whether we like it or not, an internal employee has a responsibility to themselves as well as to the business. This naturally causes a conflict of interest, which is not always advantageous. An external consultant can take a truly independent view based on the facts, so you can always be sure that the advice given is devoid of bias.
I guess the next logical point would be one of expertise or experience. An outsourced GDPR consultant will support clients across many sectors, even countries, and as such will have had to tackle data privacy issues across many diverse scenarios. Although it is possible to recruit a DPO with diverse experience, often this isn’t the case, and an in-house DPO tends to have exposure to data privacy limited to their own business or sector.
My final point is one of money. As we all know, a person’s salary is not the only employment cost to consider. Training, benefits, holidays, sick pay and pensions are all costs that must be met when employing an in-house DPO. Then there is the increasingly transient nature of the modern labour market. Put simply, people are changing jobs more often, so there is the cost of recruitment and the hassle that goes along with onboarding new staff. Obviously, with an external GDPR consultant there is a fixed cost, and it is up to the provider to ensure that the appropriate consultancy resource is available when you need it.
In summary, although having an in-house resource may initially appear attractive, I would suggest that it is not as clear cut as you might think. External GDPR consultants live and breathe the GDPR, and they simply have broader experience due to the multiple clients they support. This exposure to diverse sectors, scenarios and often international legislation is hard to mirror using internal resources. Furthermore, the fact that you don’t have to worry about resourcing the role, coupled with the consultant’s independent position, makes for what I would argue is a compelling reason to look externally rather than internally.