The idea of a virtual DPO (data protection officer) – or at least one who works remotely – is enticing. It would mean you could outsource the role, gaining expert advice without having to bring someone in to complete the tasks as part of your everyday business practices.
But is such a setup possible? The GDPR (General Data Protection Regulation) is notoriously strict, but what does it say about outsourcing the DPO’s tasks?
Who can be a DPO?
There are no formal requirements for who can become a DPO. The position doesn’t need to be filled by a lawyer or qualified data protection practitioner. The only requirement, unsurprisingly, is that they have strong knowledge of data protection law – ideally encompassing both technical expertise gained from qualifications and practical experience.
We also urge you to look for strong communicators, as a big part of the DPO’s job involves interacting with senior management and employees about compliance practices.
But that’s not to say they need to be in the office communicating face-to-face. It’s entirely possible to perform the DPO’s duties remotely – and in many circumstances it’s beneficial.
Unless you prefer to employ an experienced DPO on a full-time basis, the only alternative is to hand the responsibilities to an existing employee alongside their current role.
Doing so creates a potential conflict of interest, the risks of which are outlined clearly in the GDPR.
The Regulation states that the DPO must work independently and without instruction from their employer, so if an employee is balancing their existing tasks with those of the DPO, conflicts could arise.
A virtual DPO helps organisations avoid that risk, because their only association with the organisation is as an independent advisor.
This doesn’t make them any less invested in the organisation’s success, though. A good DPO, whether in-house or remote, will take the time to understand the organisation’s needs and provide advice tailored to them.
Virtual DPO services
A virtual DPO can complete all the tasks that an in-house one would, and at considerably less expense – given that you don’t need to recruit or train a dedicated employee.
Their responsibilities include:
- Advising staff on their responsibilities when processing personal data;
- Monitoring the organisation’s data protection policies and procedures;
- Overseeing the establishment and maintenance of the personal data processing register (the ‘Article 30 record’);
- Providing guidance on data breach monitoring, management and reporting;
- Acting as a point of contact between the organisation and its supervisory authority;
- Recommending to management when DPIAs (data protection impact assessments) are necessary or mandatory;
- Helping clients identify personal data processing activities, verifying that data processing activities are GDPR compliant, and providing advice and guidance on GDPR compliance best practice;
- Facilitating GDPR training, and general data protection awareness training for staff who handle personal data; and
- Communicating with individuals about privacy concerns and how they can exercise their data subject rights.
As you can see, there’s nothing here that demands a DPO’s presence in the office.
Other tasks – particularly those related to providing advice – require direct communication, but telephone or video calls are perfectly adequate for this.
This is where communication skills are vital. You don’t want to be stuck in a meeting room for hours as the DPO tries to explain complex regulatory rules to the team; you want someone who can get their point across concisely and in a way that everyone will understand.
Despite their physical distance, an expert on the other end of the phone line with the right skills can be just as helpful and as much a part of the team as someone in the room – particularly if that person doesn’t have the necessary GDPR expertise to lead the debate.
Where to find a virtual DPO
Our DPO as a service is the perfect option for organisations looking for someone to take on the DPO’s responsibilities remotely.
One of our data protection experts will be assigned to your organisation and will work with you to understand your compliance requirements.
You will also be allocated a second, equally qualified and experienced expert, who will step in when your DPO is on annual leave or off sick. This ensures you always get the help you need and aren’t left in the lurch during a crisis.
Led by a management team of experienced DPOs, lawyers, barristers, and information and cyber security experts, we have provided our services to organisations across a wide variety of sectors, including health and social care, education, professional services, financial institutions, retail, technology, media and telecoms.
Because we specialise in data protection and information security, our team has sector-specific knowledge and experience, and visibility of the latest trends, best practice, developments and challenges.
How much does a virtual DPO cost?
Our services are scoped individually and sold in bundles of hours – typically 50, 100, 150 and 200.
It’s hard to say how much DPO support you’ll need until we’ve discussed your organisation’s setup, but you can be assured that we’ll work with you to scope a solution that suits your requirements.
By employing a virtual DPO, your organisation will:
- Access a team of expert DPOs with a proven track record;
- Enjoy cost savings in recruitment, employment and retention;
- Be assured of a truly independent DPO service; and
- Take advantage of a service that is flexible according to your organisation’s needs, with pricing to match.