Established by the GDPR, the DPO is at the heart of the organizations’ compliance system. Its role, status and missions reflect the importance given to it by the legislator. In this respect, even when its appointment is not mandatory, it remains strongly recommended to appoint one (I) and to outsource it to an expert firm (II).
I – It is always appropriate to appoint a DPO
We know that, even when it is not mandatory, the GDPR still provides organizations with the option of designating a DPO.
In our opinion, this option left to the discretion of companies should be seen as an opportunity to be seized that provides a competitive advantage.
To have a DPO is to have the assurance that the organization within which it carries out its missions will be in compliance with the GDPR:
Appointing a DPO is undoubtedly a guarantee of trust for your customers and partners, who will be assured that the data they have entrusted to you will be protected.
The publication of the DPO’s contact details on the websites as well as in your advertising material will therefore be intended to reassure your contacts while enhancing your company’s image.
We know that, according to the principle of accountability, it is up to the organisations to prove their compliance, not only to the supervisory authority but also to their economic partners.
Indeed, it will no longer be possible for companies to have contractual relationships with organizations that are not in compliance with the GDPR.
Unless you don’t mind jeopardizing your business model, it will be necessary to demonstrate to your partners and customers that you have a real action plan in order to be able to continue to sell them goods and services.
To do this, you will need to be able to produce a number of documents, including procedures, guides, checklists, registers….
Like these elements, the designation of a DPO may also help to demonstrate that your organization is in compliance.
II- The benefits of outsourcing
Whether appointed internally, shared or outsourced, the GDPR offers a wide range of opportunities for organizations that need or wish to use the services of a DPO.
Among these options, it is undoubtedly outsourcing that we are in favour of.
The GDPR clearly states that the DPO must have, at the time of his appointment, the necessary skills and knowledge to carry out his/her duties.
As we have said, the qualities that he or she must demonstrate are numerous: legal expert, IT security expert, project manager, risk manager and facilitator.
However, this “five-legged sheep” is almost impossible to recruit internally, whereas outsourcing makes it possible to guarantee both competence and expertise.
By definition, an external DPO will be de facto independent and free from any conflict of interest, which is clearly required by the European regulation.
Without being a protected employee, it is very likely that the procedure for dismissing the DPO will be as restrictive as that of the CIL (notification and motivation of dismissal to the CNIL, receipt of the CNIL’s opinion after a period of one month….. ).
In this respect, outsourcing provides more flexibility as it makes it easier to change DPOs by terminating the service contract.
In addition, it should be recalled that the company remains fully liable and that under no circumstances can the DPO be held liable if the body in which it carries out its missions is found not to be in compliance.
In this respect, we must stress that the responsibility of the external DPO will be stronger than that of the internal DPO insofar as it will always be likely to incur its contractual responsibility.
In addition to the training costs that the DPO will have to undergo on a regular basis, it can be very costly for an organization to mobilize a full-time internal resource.
Regardless of the company’s structure, outsourcing is undeniably cost-effective.
For more information on external DPO : https://dpo-consulting.fr/