How to structure your DPO team
In a tech business, processing data means generating profits. Whether a sales representative is searching for leads or a data scientist is analyzing clients’ data, the company processes personal data and must, therefore, comply with the GDPR.
But compliance with the GDPR is also a tricky task. Where to start? Who to ask? What is considered personal data? When is the deadline? There are so many questions and so few answers.
At this stage, companies often turn to outsourcing their compliance debt, and in most cases hiring an outsourced data protection officer (DPO) is a reasonable solution.
Data protection officer: hire first or outsource first?
A typical early-stage DPO team includes the following members:
- a legal specialist or the CEO leading the project;
- the CTO or lead software engineer; and
- an outsourced privacy counsel (a data protection specialist).
The advantages of having an outsourced DPO early in the process are numerous, so we name a few:
- they typically have a large portfolio of different projects and frameworks, so they learn faster;
- they have access to other similar businesses and can advise you on your next steps or specific risks;
- they have a lot of research behind them, so they can answer some requests faster;
- they usually have a flexible charging policy, so you can tailor your costs to your needs;
- they usually work in groups, so you are covered even if your lead DPO is currently unavailable.
Over time, especially if you are expanding your EU presence, you’ll include other people in this team.
Privacy management as the company matures
At this stage, it is important to remember that privacy may influence your technical backlog and turn into privacy debt, so consider adding privacy-friendly thinking to your job postings and company culture.
The DPO team may then include:
- product owners (especially if you develop several apps at the same time);
- the customer care lead;
- the information security team;
- the HR department's representative;
- the finance/accounting specialist; and especially
- the marketing/sales experts.
It is usually a challenge to find a slot in everyone's schedule to talk over compliance issues, so you need someone to navigate the various parts of the compliance map and gather the knowledge. This is usually the point at which the company decides to replace the outsourced DPO with an in-house one, and it often turns compliance into a challenge in itself: the outsourced specialist must step off as soon as the in-house specialist steps in, and the newcomer must review the legacy documentation, collect and manage the current backlog, meet all the new people and rebuild the network, and respond to new challenges. Not many people are able to start that quickly without burning out, so be careful!
Privacy, in-house and outsourced: a perfect match?
But while the reins are being handed over to the in-house privacy expert, it is recommended that you keep the outsourced DPO on at least for a while:
- the DPO helps the in-house expert study the company's origins and see why everything works the way it does;
- the DPO shares their knowledge of team chemistry, working lifehacks, customs and priorities;
- the DPO helps complete parallel processes and mundane tasks, such as running the training program, while the newly appointed in-house expert reviews and audits the documents;
- the in-house specialist can still draw on the outsourced DPO's expertise at a lower cost, as if they had an in-house back office with all the advantages mentioned earlier.
So, in well-established companies, there is a constellation of talents working on privacy and data protection compliance:
- an in-house privacy expert (or head of privacy) working as moderator and process owner;
- the chief operating officer or chief legal officer;
- the information security team lead;
- the head of customer care;
- the head of HR and competence development;
- the marketing and sales chiefs; and
- an outside data protection firm (an outsourced DPO) to help navigate the privacy backlog, protect the customers and monitor the industry's best practices.
By keeping everyone in the feedback loop and strengthening the in-house privacy presence with industry experts, the legal and privacy functions can encourage positive change in the technology and operations processes without any harm to the business.
Concluding details: other benefits of having a DPO-as-a-service
Finally, Privacity's experts have seen many smaller firms become well-known and valuable brands while evolving their compliance program by automating it, scaling it, and using it as an effective marketing tool, too. This requires a solid base, and it is better to invest the effort early (by signing suitable data processing agreements and assessing the vendors used deep in the infrastructure).
Sometimes, the mere mention of a professional DPO team working with your staff on your product can give your clients and partners a sense of comfort and a positive outlook on the prospect of working with you.
Privacy is often an integral part of the company’s brand image and perception, a point of contact for the clients to reach the people behind the interface and resolve their grievances. Here at Privacity, we focus on the customers and handle your business future with care and understanding, working together with your in-house specialists, end users and technologies to bring the best results possible.