By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyse site usage, and assist in our marketing efforts. View our Privacy Notice for more information.
Data Protection

Internal DPO VS External DPO: Which one fits my organisation?

February 6, 2023
5 min

What is a DPO?


DPO is an acronym that stands for Data Protection Officer. The Data Protection Officer oversees the company’s data protection strategy and its implementation to ensure GDPR compliance. Their role entails advising companies on their data protection obligations, monitoring and providing advice on Data Protection Impact Assessments, and acting as a point of contact for data subjects and the Information Commissioner Officer (ICO). Under Article 37 of the General Data Protection Regulation (GDPR), certain organisations are required to appoint a DPO if they carry out certain types of processing.

So, now that you know about the role of a DPO and why certain businesses need to appoint one; what are the main differences between an internal and external DPO and which one fits your organisation? Let’s take a look.

Internal DPO


An internal DPO is an existing employee commissioned by management within a company to perform the tasks of a data protection officer. These employees have the right to regular further training to maintain specialist knowledge on the topic of data protection law and extended protection against dismissal. Businesses may choose an internal DPO because they already have pre-existing knowledge of the company and the specific operational conditions. However, an internal DPO may be blind to shortcomings in company processes which may cause conflicts of interest.

Although the costs for businesses remain largely unchanged in the case of an internal DPO, it is often difficult to find a suitable in-house, qualified candidate who can meet the legal requirements. In most cases, in-house employees have very limited or non-existent knowledge and experience in relation to data protection roles.

External DPO


An external DPO is either hired as an employee by a company or outsourced through a data protection consultancy, like Penross. These DPO’s have existing qualifications and a wide range of experience in data protection through working with different companies in many industries, especially if they are outsourced through a consultancy.


This is particularly effective in the terms of saving time and money, especially in the context of harsh deadlines imposed by the GDPR and ICO. The benefit of having exposure to similar projects and experience over a wide range of sectors is invaluable and cannot be overstated.


External DPO’s have the advantage of regular contact with supervisory authorities, as a point of contact for data subjects and for the latest industry updates; a benefit for organisations to have the most recent procedures and policies.


An external DPO will have no bias towards the company they work for and no conflicts of interest, meaning they have no existing loyalties to the company as an in-house DPO would. Some organisations may show reluctance to hire or outsource a DPO because of this. It is a law that a company must also converse with an external DPO about the data protection decisions, whereas they wouldn’t have to with an internal DPO.


Whilst an external DPO may be more expensive, the wealth of knowledge, experience and professionalism they possess is invaluable to any organisation. Outsourcing a DPO for a set amount of time or alternatively only for as long as you need them is often a good, cost-effective solution for companies that may not be able to afford to hire a full-time DPO.

Conclusion


To summarise, there is no right or wrong answer when it comes to the debate of an internal vs external DPO. There are many things to consider when choosing the best option for your organisation and it depends entirely on company circumstances, such as the size of your business and what your data protection needs and goals are.

Luckily, DPO Experts provides a range of privacy and data protection services aimed at businesses of any size, including GDPR training, DPO as a Service and GDPR Shield packages.

How can we help you?

Get in touch and find out how we can help you achieve your goals