If you want to rely on an expert as an external data protection officer (DPO) for your company, it is important to select them carefully and then appoint them in compliance with the law. The best practice described here will help you to find the right data protection officer for your company and to begin a successful cooperation.
Step 1: Selection of the appropriate data protection officer
If you have decided to appoint an expert as your external data protection officer rather than an employee, you should pay attention to at least the following characteristics when selecting the suitable service provider:
- The provider’s employees who are to be appointed as external data protection officers have appropriate legal qualifications with specialisations in data protection law and adjacent areas of law. Data protection is a multi-disciplinary matter, which is why knowledge of labour law, public law, unfair competition law, telecommunications law, etc. is required in addition to data protection law.
- The provider has employees who can demonstrate comprehensive IT knowledge. Without it, the data protection officer cannot properly assess your IT systems, let alone help you implement the legal requirements in them.
- The provider’s team has a proven track record of several years of professional experience in data protection and information security, so that its consultancy processes are mature and efficient.
- The provider can demonstrate experience from your industry so that any specialisations in your business model do not become unexpected obstacles.
- The provider also covers international data protection law, so that you can remain compliant when using cloud computing, transferring data to the U.S. or using software-as-a-service (SaaS).
- Ideally, the provider should design its service and cost structure transparently (e.g. as a data protection flat rate), so that you are safe from cost traps or unpleasant surprises.
Step 2: Kick-off meeting and document review
After you have decided on the quote that suits your company, a kick-off meeting should take place. At this first meeting, your management and other responsible persons will be
- informed about the legal and practical requirements of data protection and the related issues of information security, and
- prepared for the tasks to be performed.
At this kick-off meeting, you should be able to present the data protection service provider with existing documents on the current organisational and technical status in your company in the area of data protection and IT security. Some providers want to view these documents in advance. They can usually be anonymised and cleansed of business figures.
The future external data protection officer will review and evaluate these documents and check them for completeness and legal compliance. In the process, they may also check your company’s website.
Step 3: Data protection audit
The next step in the appointment of the external data protection officer is the data protection audit of your company. The audit should ideally take place at the location where the relevant company IT is located so that the auditors can get a concrete impression, but can also take place remotely.
As part of the data protection audit, questions regarding IT security management, data protection management and building security are clarified with the various responsible persons – especially from the areas of IT, human resources, marketing, and sales.
The audit serves to document the current status of the company in the area of data protection. The measures already taken and still to be implemented in the company that are necessary for data protection compliance are documented.
Ideally, the experts of the data protection service provider review according to recognised and systematic criteria, such as ISO/IEC 27001 for information security management. The presence of an appropriately certified auditor is a good indication that this is the case; if in doubt, ask the provider which standard the audit is based on.
Step 4: Audit report and catalogue of measures
The subsequent audit report is, to a certain extent, the working basis for the external data protection officer to be appointed. They can use it to derive or bring about continuous improvement in your company’s data protection compliance. For this purpose, the report should
- contain a detailed description of the data protection compliance found in the company during the audit, and
- give recommendations for action for each of the individual findings.
With very good data protection providers, the recommendations for action in the audit report are provided with different priority levels and degrees of maturity. This allows you to quickly recognise whether the implementation represents the fulfilment of the legally required minimum standard or realises a data protection and information security management that goes beyond this.
Step 5: Appointment of the external data protection officer
After these important preparatory steps, you are ready: you can appoint the service provider’s expert as external data protection officer. The appointment is a formal act and should be documented in writing. In the EU, the GDPR additionally requires that the data protection officer’s contact details be published and communicated to the competent supervisory authority (Art. 37(7) GDPR).
Depending on the provider, you may be able to choose between different pricing options here, e.g. from simple implementation of the minimum legal requirements to proactive data protection management. When making your decision, you should consider the following aspects in particular:
- How many tasks do you want to delegate to the external data protection officer – and how many can you actually do internally?
- Is your company active in a special industry with regard to data protection (e.g., finance, health, online marketing)?
- Does your company have several locations, possibly even abroad, or is it a corporate group?
Conclusion: Make data protection a top priority
The five steps described are a prototypical way to appoint an external data protection officer in the company. The suggestions are based on activeMind’s many years of practice in this area. Other providers may well take other paths.
As an entrepreneur, however, you should make sure that your path to an external data protection officer is similarly systematic, because only systematically implemented and appropriately documented data protection makes your company legally compliant and also gives you a competitive advantage. So even if the topic of data protection seems tiresome to you, make the appointment of an external data protection officer a management matter.