The role of the data protection officer has come into much greater focus since the introduction of the GDPR.
As the number of data breaches and cybersecurity attacks continues to rise, both within and outside the legal profession, should your firm appoint its own dedicated data protection officer or look to an outside provider to deliver compliance services?
What does an in-house data protection officer do?
Their main responsibilities are to ensure that:
- a business complies with all relevant data legislation,
- data is kept safe,
- data is sufficiently protected from theft by external hackers or by bad actors within the organisation,
- only relevant data is collected and kept,
- all communications are opted-in, and
- care is taken if data needs to leave the country (for example, to be stored on a cloud service).
How much does a data protection officer cost?
According to CW Jobs, the average salary for jobs in data protection is £62,500. This cost will rise to well over £70,000 when National Insurance Employers’ Contributions and pension costs are added on top.
Why do companies need a data protection officer?
In addition to public sector bodies, the following types of organisation need to appoint a data protection officer:
- organisations processing personal data on a large scale where that data needs to be monitored systematically and regularly, and
- organisations which process special categories of data on a large scale. Information considered to be in a special category includes data relating to health, religion, race, sexual orientation, criminal offences, and criminal convictions.
Prior to the introduction of GDPR, it was widely reported that companies with more than 250 staff would be required to have a data protection officer. However, the final version of the legislation offers no exemption for smaller firms.
According to WP29 (Article 29 Working Party), the appointment of a DPO should be encouraged for all businesses, regardless of whether they are required to have one, to promote best practice and to demonstrate compliance.
Data protection officer as a service (DPO-as-a-service)
GDPR, however, makes no distinction as to whether a DPO should be an internal appointment (that is, a salaried member of staff) or a contractor (engaged under a service contract). The legislation only stipulates that whoever is appointed to the role must be given the tools and resources they need to carry out their responsibilities.
Given the high cost of internal DPOs, many legal companies choose to use an outside or contracted DPO – the so-called “DPO-as-a-service”.
What benefits does a DPO-as-a-service bring a business?
Beyond the cost benefits (a DPO-as-a-service arrangement provides legal firms with protection at a fraction of the cost of an internal appointment), an outsourced DPO is available to assist an organisation with its company-wide privacy policies, data protection issues, and GDPR compliance requirements, specifically with reference to Articles 37 to 39 of the Regulation.
Genuine competence in data and cybersecurity matters involves not only the deployment of reliable and up-to-date technology (hardware and software) but also the ability of staff members to identify weaknesses in the business and to report them to management. DPO-as-a-service arrangements include employee training and individual guidance on data protection issues as they arise.
DPO-as-a-service contracts are generally offered by IT and software consultancies. This means that clients benefit from a holistic approach that combines the specific legal technicalities and requirements of GDPR with practical advice on how to implement any necessary measures quickly and efficiently. An outsourced DPO is also generally part of a much larger team, offering a wider range of skill sets and experience than an internal DPO could offer on their own.
Why is an annual GDPR audit important?
Outsourced DPOs will also conduct annual GDPR audits, providing an up-to-date and company-specific oversight on all the data protection activities, procedures, and policies used by a firm.
The risk to legal firms’ data grows year on year as the methods used to access and exfiltrate sensitive data become more sophisticated and harder to trace. As part of a GDPR audit, an outsourced DPO will identify and report on all current risks and provide advice on mitigating them.
Contact Sprout IT
Sprout IT works with solicitors’ practices and barristers’ chambers across London and the South East. To speak with one of our team about whether your firm would benefit from DPO-as-a-service, please call us on 020 7036 8530 or contact us here.