Pursuant to the GDPR, organisations are obliged to appoint a DPO in certain cases. If you’d like to know whether you are obliged to appoint a DPO, you can use our DPO checker tool. But appointing a DPO can still be of immense benefit to you, even if you aren’t obliged by law to do so.

Advantages to a voluntarily appointed DPO

  • It transmits a clear message that you take privacy and data protection seriously, and promotes a positive image;
  • A DPO will in any event help you to fulfil the (new) obligations specified in the GDPR such as the following:
    • Providing assistance in implementing the principles of Privacy by Design & Default;
    • Providing information and advice relating to the obligations arising from the GDPR;
    • Monitoring compliance (legal and in-company policy);
    • Providing implementation and advice relating to Privacy Impact Assessments (PIA, or gegevensbeschermingseffectbeoordelingen in Dutch)
    • Collaboration with the monitoring authority (the Privacy Commission in Belgium);
  • He is your first point of contact – internally as well as externally – for matters relating to data protection, which will serve to increase trust in all the parties concerned.

Shadow DPO

If you have already appointed an internal DPO, we will be pleased to provide him with support in the performance of his duties. For example, we can update him on this new legislation in the short term, or we can provide him with support in the long term relating to the legal aspects. An additional advantage here is that we as a third party can take an objective view of the internal challenges at your organisation and can furnish him with new or different solutions.

The GDPR explicitly provides that a Data Protection Officer can be an external consultant. The advantage to this is that he is able to act independently and with the necessary detachment in respect of your company.

Dismissal of the DPO

Moreover, the GDPR states that the DPO may not receive any instructions from the company in the performance of his duties, and he may not be dismissed or subjected to other disciplinary action due to the performance of his duties as a DPO. This has major implications if an internal employee is appointed as DPO at a company. For example, this would be difficult to combine with his position, since employees come under their employer’s authority by definition.

Independence of the DPO

Moreover, if an internal employee is appointed as DPO, certain structures will have to be adjusted in order to confer sufficient power and independence on him. The organisation will also have to train the new DPO. This will be far more the case for an external DPO, who will be able to fall back on his own organisation in that respect.

Appointing an organisation as DPO

In addition, the external consultant may be an organisation, which means that it can deploy various persons to flesh out the position of DPO with their combined expertise. In that case, the division of tasks must be made absolutely clear and one central contact person must be appointed.

Confidential function of the DPO

Persons whose data is processed have more confidence in an external DPO organisation than in a person actually employed at the company in question.

Continuity

Employers will often have to invest in training courses, software packages and organisation in order to enable their internal DPO to perform his duties properly. In this respect, there is a genuine risk of an internal DPO being induced to leave his employment, certainly since this new position will be very much in demand.

Non-linear position

The position of DPO is a non-linear position which would have to be taken on additionally by a certain employee. It is therefore a non-linear position in itself which provides the relevant employee with very few opportunities to further their career.