External DPO, a decision you will not regret!
For a short time now, everyone who works in a company or is self-employed has been dealing with the big issue of data protection. The question: external or internal DPO? The appointment of a data protection officer is essential if at least ten people are involved in the processing of personal data. Another criterion is if processing operations are undertaken that are subject to a data protection impact assessment pursuant to Art. 35 of the GDPR, personal data are processed commercially for the purpose of transmission or for the purpose of marketing activities. Then a data protection officer must be appointed anyway.
External or internal data protection officer
In principle, the data protection officer can be an employee from within the company. This can save a lot of time and money. You already know the data protection officer and do not have to introduce him or her to the company structure. That should be enough. Stop! That's what you think! Even an internal DPO costs money, time and possibly some nerves. Remember, even the smartest employee has to acquire knowledge in this area. First and foremost, that means training and education costs. Since this employee probably also performs other tasks and activities in the company, only evening or weekend seminars may be an option.
Training and fines
In this way, you can have access to a (basic) trained employee within a few weeks, but you can also send him or her on vacation or to the next training measure right away. Data protection is all-encompassing and should be handled with great care and responsibility. Otherwise, there is a risk of painful fines. Once the child has fallen into the well, it becomes difficult to get it out again. The employee, who in the meantime is not subject to dismissal, may have done his best, but he could only fall back on training basics and not on the necessary experience and all-embracing expertise in and beyond data protection. Anyone who practices data protection should definitely think outside the box and always stay up to date.
Advantages of an external DPO
First and foremost, an external, certified data protection officer faces the company impartially and neutrally. As an advisor at your side, he has a high level of experience, expertise and the necessary competence in data protection. Particularly at the beginning, every member of the company must first come to terms with the new guidelines. The external DPO supports them as a constant advisor and checks on a monthly basis whether innovations are being complied with. To ensure that every employee is aware of the risks involved in handling personal data, the external DPO provides regular in-house training.
Data protection mishaps
If data protection mishaps occur in the company, the DPO is liable in the event of consulting errors. For example, the loss of a business cell phone or laptop can release highly sensitive data to strangers. Of course, this loss must be reported immediately to the DPO, who will contact the authority, thus preventing greater penalties for employees and the company. In addition, the external DPO is able to mediate between the authority and the company in critical situations and smooth the waters.
The financial aspect should not be ignored either. An external DPO supports your company for a monthly, fixed and agreed fee. Each month, he or she will prepare an invoice with a complete list of activities. This allows you to see directly which steps have already been taken and in which specialist areas there is still a need for action. You save on additional wage costs in contrast to an internal DPO, who must continue to be paid in the event of illness. However, to ensure that the external DPO can provide reliable advice, he always attends further training courses at his own expense. This means that you do not have to make any unplanned investments, such as for training materials or lost working hours. If you are still dissatisfied and the external DPO does not fit into the company structure, he can be terminated at any time, as stipulated in the contract.