What to Expect from Your DPO-as-a-Service Provider
A Data Protection Officer (DPO) is a professional who oversees your organisation's privacy culture without being accountable for it: responsibility for compliance stays with the organisation as controller or processor. Whether the DPO is an outsourced provider or an in-house specialist, their tasks are those defined in Article 39 GDPR:
- to inform and advise the organisation and its staff of their obligations under the applicable data protection law(s);
- to monitor compliance (for example, by advising on the assignment of responsibilities, raising awareness, training the staff involved in processing operations, and conducting the related audits);
- to provide advice where requested (especially in the context of data protection impact assessments);
- to cooperate with the supervisory authorities and act as the contact point for their requests.
In brief, the Data Protection Officer is the person to go to whenever there is doubt about the company's privacy compliance.
Outsourced or in-house?
Many organisations engage a DPO as an outsourced service provider, either as an extension of their privacy team or as a substitute for an in-house specialist. Regardless of the contractual difference, the DPO must still be available to the company's employees and encouraged to give advice, be informed of the company's plans, and intervene with a comment wherever a need arises.
An in-house DPO must not have a conflict of interest. For example, they must not hold a position (such as head of risk or head of information security) that would induce them to disregard privacy or to keep silent about possible problems.
DPOaaS has one important advantage here: an external DPO is, in general, less prone to conflicts of interest. A conflict arises when a DPO is expected to hide a breach or security incident, or to act as if the company were GDPR-compliant when it is not. External DPOs serve multiple clients at once, so their livelihood does not depend on a single company being happy with how they fulfil their legal obligations.
What does a DPO-as-a-Service do?
As noted above, everything that an in-house DPO does.
Usually, their tasks include:
- regular audits (planned and urgent, for example, where a compliance gap is discovered or a new product is planned);
- keeping an eye on new products, product development, and general business processes such as finance and accounting, to prevent misuse or the accumulation of unmanaged data;
- privacy training;
- participating in various assessments, such as data protection impact assessments (DPIA), human rights assessments, legitimate interest assessments (LIA), transfer impact assessments (TIA), etc.;
- advising the legal department on the privacy consequences of signing (or not signing) a data processing agreement (for example, which protections for the data are more suitable for a specific data processor);
- supporting employees and data subjects with any data-related questions;
- helping to handle data subject requests and supervisory authority actions;
- overseeing and monitoring the data protection program.
Even though the DPOaaS is not part of the organisation, they must be provided with all the resources necessary to perform their tasks effectively and must have access to all key management information and stakeholders. In practice, this means they must be present at important meetings that involve changes to data processing, such as opening a presence in a new market or selling a website or app.
Ensuring the DPOaaS’ effectiveness
You can employ various methods to assess whether your Data Protection Officer is doing a good job. We will focus on the most popular ones: metrics and dashboards.
Performance metrics are the first indicator that comes to mind when you decide to hire a DPO. The precise metrics must be chosen carefully, because they must not create a conflict of interest. For example, you cannot make the DPO's reward depend on the absence of attention from the supervisory authority, as that would induce your DPO to conceal any compliance problems.
Possible metrics may include, however:
- percentage of data subject requests closed timely;
- yearly audit progress;
- shortest response time to data subject requests during the previous month;
- number of training sessions delivered, together with the team's results on the follow-up tests, and so on.
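The two data subject request metrics above (percentage closed on time, shortest response time in a given month) are only as good as the deadline arithmetic behind them. The following is an added worked example, not code from this page's author: it assumes the Article 12(3) GDPR time limits (one month from receipt, extendable by two further months), clamps month-end dates the way a calendar does (31 January plus one month is 28 or 29 February), counts open requests that are already past their deadline as not timely, and deliberately does not model the working-day rule of Regulation 1182/71 for deadlines falling on weekends or public holidays. The request records are constructed sample data.

```python
"""Added example: DSAR deadline and metric calculation.

Assumption: Article 12(3) GDPR time limits (one month, extendable by two
further months). Weekend/holiday roll-over is NOT modelled.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Return the same calendar day `months` later, clamped to the month end
    when that day does not exist (31 Jan + 1 month -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline(received: date, extended: bool = False) -> date:
    """Statutory response deadline: one month, or three if extended."""
    return add_months(received, 3 if extended else 1)


@dataclass
class Request:
    ref: str
    received: date
    closed: Optional[date] = None  # None while the request is still open
    extended: bool = False         # extension notified under Art. 12(3)


def overdue(requests: List[Request], as_of: date) -> List[str]:
    """Refs of open requests whose deadline has already passed (tracker view)."""
    return [r.ref for r in requests
            if r.closed is None and deadline(r.received, r.extended) < as_of]


def on_time_percentage(requests: List[Request], as_of: date) -> Optional[float]:
    """Share of 'due' requests answered within the deadline.

    A request is 'due' once it is closed or its deadline has passed; open
    requests still inside their deadline are excluded. Returns None when
    nothing is due yet (avoids a misleading 0% or 100%)."""
    due = [r for r in requests
           if r.closed is not None or deadline(r.received, r.extended) < as_of]
    if not due:
        return None
    timely = sum(1 for r in due
                 if r.closed is not None
                 and r.closed <= deadline(r.received, r.extended))
    return round(100.0 * timely / len(due), 1)


def response_days_closed_in(requests: List[Request], year: int, month: int) -> List[int]:
    """Turnaround in days for every request closed in the given month."""
    return [(r.closed - r.received).days for r in requests
            if r.closed is not None
            and (r.closed.year, r.closed.month) == (year, month)]


def shortest_response_days(requests: List[Request], year: int, month: int) -> Optional[int]:
    days = response_days_closed_in(requests, year, month)
    return min(days) if days else None


# Constructed sample data (not real requests).
SAMPLE_REQUESTS = [
    Request("R1", date(2024, 1, 31), closed=date(2024, 2, 20)),                 # due 29 Feb, on time
    Request("R2", date(2024, 1, 10), closed=date(2024, 2, 15)),                 # due 10 Feb, late
    Request("R3", date(2024, 1, 5), closed=date(2024, 3, 20), extended=True),   # due 5 Apr, on time
    Request("R4", date(2024, 3, 15)),                                           # open, not yet due
    Request("R5", date(2024, 1, 2)),                                            # open, overdue
]

if __name__ == "__main__":
    as_of = date(2024, 4, 1)
    print("overdue:", overdue(SAMPLE_REQUESTS, as_of))
    print("on time %:", on_time_percentage(SAMPLE_REQUESTS, as_of))
    print("shortest Feb turnaround (days):", shortest_response_days(SAMPLE_REQUESTS, 2024, 2))
```

Note how `on_time_percentage` counts R5 against the DPO even though nobody has closed it: a metric that only looks at closed requests would let an overdue backlog hide in plain sight, which is exactly the kind of blind spot the dashboard below is meant to expose.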
Privacy dashboards are useful tools that let you see bottlenecks and potential problems at a glance. They can take various forms, from monthly reports to specialised software, but their general aim is to show progress, current status, and the existing backlog (or privacy debt). A typical dashboard comprises:
- data map;
- list of tasks;
- list of documentation;
- tracker of data subject requests;
- tracker of data breaches and incidents;
- list of vendors;
- audit schedule.
Other control mechanisms, such as regular interviews and one-to-one meetings, outside audits and reviews, certification checks, or any other system adopted in your company, can be combined with these methods.
These are the general expectations of a specialist hired as a Data Protection Officer-as-a-Service: the typical workflow, the expected performance level, and the integration with the company's processes. You can always contact us and schedule a meeting with our team to learn more about the details and use cases, or to ask about your organisation's specific needs.