External DPO Data Protection Officer

Benefits of appointing an external DPO

It is not always easy for a company to create a DPO position internally or even to train an employee for this function. It is usually preferable to use an external DPO agency to carry out this mission, or eventually assist the DPO already appointed internally.

Need to call on an expert in law and information systems.

Outsourcing the DPO function has many advantages. Remember that the entry into force of the GDPR requires in-depth knowledge of the regulation, the technologies available and the procedures to be implemented and maintained. The DPO is therefore highly qualified as specified in Article 37 paragraph 5 of the GDPR . The DPO may be a lawyer (ideally with technical knowledge and experience related to information systems) or an IT security expert. In any case, the DPO shows mastery of the legal requirements of the GDPR, a certification of competence is strongly recommended.

Cost minimization and immediate results

The integration of a new employee represents a significant burden for a company. Recruitment procedure, remuneration, social charges, or even the training of the employee, all those elements are to be taken into account before initiating a recruitment procedure. The external DPO solution is a turnkey offer, with no hidden costs and easily budgetable. The company thus benefits from an accelerated return on investment.

Know-how and expertise of the external DPO

In the field of compliance and data protection, it is essential to be able to assess the knowledge of candidates for recruitment and it is not easy, especially when it comes to DPO position. Who then has the knowledge and qualifications necessary in the company to assess the candidate?

External DPO flexibility

In the event of regrettable recruitment, the risk incurred by the company is then increased. How long does it take before you realize this? …to carry out the dismissal within the deadlines? … to be able to initiate a new recruitment procedure? An external data protection officer offers great flexibility: immediate start, no commitment, guaranteed scalability according to your activity and your needs, possibility of changing DPO at any time.

You are a client and not an employer of your external DPO

Being a client of your DPO allows you above all to focus on the core activity of your business and to approach compliance with greater serenity. The service agreement with your external DPO allows you to significantly minimize your liability, to reduce your administrative tasks and to benefit from the solutions provided by your external DPO.

Reinforce your customers and partners brand trust.

Appointing an external DPO is an effiecient solution for building your organization’s brand trust. Your customers have an obligation to ensure that their subcontractors comply with the requirements of the GDPR, their liability may be directly engaged on the basis of your own breach of duty. Article 82 of the GDPR – Right to compensation and liability provides details in this sense that we invite you to read.

If you do not undertake any compliance process, it is very likely that your customers and prospects will sooner or later be tempted to turn to one of your GDPR-compliant competitors. This is quite understandable since they seek to minimize their own liability and strengthen their brand image in the eyes of their own customers.

Be proactive, transform your obligation into a competitive advantage, and immediately communicate to your customers and partners the contact details of your new external DPO. You thereby demonstrate your desire to place the protection of personal data as one of your company’s top priorities.

    Let’s talk about appointing your external DPO

    Main services offered by the external DPO

    We support you in accordance with the recommendations of the CNIL (Commission Nationale de l’Informatique et des Libertés) and the GDPR, in particular concerning:

    • Notifications
    • Permission
    • Data transfer
    • Cookies Directive
    • Annual Report
    • Data Subject Requests
    • Tailor-made training

    Data processing audit and recommendations

    We assess your level of compliance with current data protection regulations such as GDPR. A comparison of your situation with the legal requirements makes it possible to identify the shortcomings and to share with you recommendations which implemented following a priority order.

    Cross-border data transfers

    We assist our clients in managing personal data transfers for global operations. These are transfers outside the borders of the European Economic Area (EEA) to countries offering different levels of protection according to the standards of the European Commission, from adequate level (Switzerland, Israel, etc.) to more “problematic” countries (like the United States). We explore the available legal possibilities (standard clauses, BCR binding corporate rules, etc.) and select the most efficient solution to validate the transfer.

    Data management within the company

    We examine, evaluate, modify your data processing with the relevant departments of your company. We help you develop and implement personal data management policies that comply with applicable national laws and specific industry requirements.

    Employee personal data

    We advise you on the rights of your employees (video surveillance, emails, social networks), privacy policies of human resources data and processing regarding sensitive categories of personal data.

    Supervisory Authority Investigations

    Administrative and criminal penalties are a real threat to organizations that are negligent with the GDPR. National supervisory authorities, such as the CNIL in France, regularly carry out on-site inspections following a violation that has been reported to them.

    Organizations are well advised to anticipate these investigations, as they often lead to revealing breaches much larger than the one for which the procedure was initiated. We assist our clients during investigations by regulators and assist them during any resulting litigation in order to mitigate their liability, to reduce damage to their reputation, and to avoid exorbitant fines.

    Trainings

    We train executives in the management of risks related to the protection of personal data, compliance with the GDPR and its implementation.

    Questions Answers about the external DPO

    How to designate an external DPO?

    Appointing an external DPO is just as easy as appointing an internal DPO. The procedure is identical with the supervisory authority, the designation of the data protection officer is done online via the CNIL website (Link to the CNIL designation interface) by completing a 4-step form : information about the company, information about the DPO, public contact details and finally a summary followed by submition.

    How to choose an external DPO?

    First of all, it should be ensured that the DPO has the required qualities, that he demonstrates legal expertise in the field of data protection and contract law, knowledge of the techniques and tools available in information systems security. You must be ensured that he has professional insurance by requiring a certificate of insurance policy covering in particular the risks related specifically to the activity of DPO on the one hand and to the activity of GDPR representative (both activities being perfectly distinct, and not included in each other in terms of responsibility). You have to make sure how your collaboration will concretely take place throughout the compliance process and then its maintenance.

    What is the price of the service of an external DPO?

    The evaluation of the cost of an external data protection officer requires special attention in order to control your budget and thereby the success of the compliance project in the medium term. It is common to use flat rates for certain functions or tasks that are reasonably foreseeable in terms of complexity. Flat rates can be supplemented by time-spent pricing for mission elements whose workload is difficult to predict. Regarding the packages, be sure to clearly define the services included without being satisfied with general formulas, it is thus preferable to provide a list of deliverables. We also recommend setting a limit for each service offered as part of a package.