Is it a good idea to have an internal DPO?

If you are running a project dealing with personal or sensitive, you may already have heard at least once those three letters: DPO.

It is not always clear what this legal figure does and how he/she can help your company to grow.

Under GDPR, the Data Protection Officer (DPO) can be considered the champion of data subject rights - the person upholding the privacy rights of the end users of your application. The GDPR clearly defines what a DPO must do:

🟥 Inform the company and its staff of their duties under GDPR and related regulations.

🟥 Monitor their compliance with GDPR, including assigning responsibilities and ensuring staff are appropriately trained.

🟥 Provide advice relating to DPIA and ensure the company complies with it.

🟥 Cooperate with the supervising data protection authority.

But what does that mean in practice? Let’s look at a few examples of where a DPO can help you.

When do I need a DPO?

So, now you know what a DPO does. However, what is less clear is exactly when you need to appoint a DPO in the first place. The only definite case is public bodies like hospitals, which always need a DPO. However, GDPR lists two other cases where a DPO is required:

  • The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • The core activities of the controller or the processor consist of processing on a large scale special categories of data.

Digital health companies are always processing health data (one of those “special categories of data”).

But what does it mean on a large scale? And are there other times I need to appoint a DPO?

Let’s look at some examples.

1️⃣ Your app collects health data from thousands of users: if your app collects the personal or sensitive data of many users, this will count as large-scale processing.

2️⃣ B2B application: many digital companies sell backend services to other businesses, and often, your customers (especially corporates) will ask you to appoint a DPO.

3️⃣ Conducting clinical trials or external research: in almost every case, you need a DPO if you are conducting clinical trials. Likewise, many external research bodies will ask you to appoint one.

If you are a digital health company, we wrote a special article about DPOs in this business: https://blog.chino.io/gdpr-basics-digital-health-dpo/

Should I hire an in-house DPO?

If you are dealing with sensitive data or in the B2B space, GDPR and data privacy is something you will have to deal with repeatedly throughout the lifetime of your company.

Your customers, users, partners, and investors will ask about it. So, usually, it's great to have someone knowledgeable about these topics.

Having a full-time DPO can help you deal with issues that may arise during your business path, but there are still a number of reasons why you may look for outside help.

1️⃣ Dealing with the same legal problems across different companies.

When you work with a partner specialized in these topics, you are dealing with the experience of sorting out the same problems you have across different organizations. And in reality, you are rarely the first company that has ever dealt with this. Even if we are talking about complicated things like US cloud providers and dealing with sensitive data. The experience across companies like yours dealing with the same problems. Cases, where you are the first one dealing with a particular problem, are rare! External DPOs have already found solutions to the compliance problems you have and implemented those solutions in other companies.

2️⃣ A wider breadth of knowledge.

GDPR, in practice, cannot be solved by mere legal or technical expertise. A reputable partner can provide multidisciplinary support, supporting your business, legal, and tech teams in a language they all understand. GDPR nowadays and data privacy as a whole requires more than legal or technical knowledge. Usually, you need a bit of both. And this different set of skills is rare to find in one single person. So, a company that specializes in this is usually better prepared to give you the multidisciplinary support that you need to get this done right.

3️⃣ Pay for what you really need!

Depending on the provider, you can get a level of support that adjusts to the needs of your business at the stage where you are and not worry about training and other technicalities. When you work with an external partner, you have a better ability to choose the level of support you need. When you are getting started on data privacy, GDPR, and data security, you rarely have enough workload to put into one person working full time in your organization. A partner will not only bring the experience and the expertise to use the time wisely, but also they would give you the level of support that adjusts to what you need at this particular pointing time of your organization. This means that you could save a lot of money, especially if you are a startup or an SME.

0:00
/1:49

How Chino.io can help you

We are the one-stop shop for solving all digital privacy and security compliance aspects.

For many companies, appointing a DPO is both a daunting and expensive requirement.

How can you find someone with the necessary expertise and experience who is able to prove they are independent? That's why we created our DPO as a Service.

Chino.io makes compliant-by-design happen faster, combining legal know-how and data security technology for innovators.

To learn more, contact us and book a free 30-minute call with our experts.