Do startups really need to appoint a DPO?

  • Kiki
  • Apr 28
  • 3 min read



When is a data protection officer required by law? (UK/EU)


According to the GDPR, there are certain situations in which a data protection officer must be appointed:


  1. Your company processes special category personal data - A DPO is required if you process special category personal data (e.g. health data) as a core part of your operations or on a large scale.

  2. Your company conducts mass surveillance - This refers to companies that routinely and systematically monitor data subjects and carry out processing of that data as the main activity of the business.

  3. Your company is a public authority - These are public bodies that process personal data. There are some exceptions such as courts and other juridical bodies that can be considered independent.


If your company falls under any of these categories, the next step is to understand how to appoint a DPO.


When appointing a DPO, what criteria must be met?


There are strict requirements around who can act as your DPO. Here are a couple of examples:


  1. The DPO must be suitably qualified. While there is no specific qualification to be a DPO, they do need to have (and be able to demonstrate) the relevant knowledge and experience needed to carry out the tasks of a DPO, i.e. know the regulations inside out.

  2. There mustn't be any conflict of interest. For example, you shouldn’t appoint your CTO or a Managing Director as the DPO, as they’ll be involved in decision-making that could create a conflict between the company’s interests and the interests of data subjects.

  3. Your DPO can be an internal hire, or externally appointed (outsourced).


In-house or outsourced DPO – which is best?


Startups and scaleups in particular often decide to appoint an outsourced data protection officer (or DPOaaS): an outsourced DPO has the necessary qualifications and experience, and there won't be any conflict of interest. It also usually works out much more cost-effective than hiring in-house, which lets them stay lean.


Are all "outsourced DPO" solutions created equal?


Most outsourced DPO solutions will provide you with one resource, the DPO, for the purposes of staying compliant. At Onteigo, we go above and beyond – you'll get a dedicated data protection team. Not only do we take care of global data protection compliance, we make your compliance pay dividends. Through implementation of the right tools and strategies, we also help you showcase your compliance effectively, so you can build trust, land bigger deals and increase revenue.


Who does the DPO report to?


The data protection officer needs to report directly to the highest level of management. The DPO also needs to be formally appointed and declared to the supervisory authority by a decision maker within the company.


What happens if I don’t appoint a DPO?


You probably already know that data breaches and violations can lead to some seriously hefty fines and, arguably worse, a damaged reputation. The same applies if you fail to appoint a data protection officer where required.


Key takeaways


There are certain situations in which a DPO must be appointed by law if you want to avoid hefty fines and a damaged reputation – and you need to choose very carefully who you appoint.


Startups and scaleups in particular rely mostly on external (outsourced) data protection officers, and for good reason. Not only are they adequately qualified and experienced, they also don’t present the risk of conflicting interests, and they generally work out much more cost-effective than hiring in-house.

Once you’ve carefully vetted and selected the right DPO for your company, the DPO should be formally appointed in writing and declared to the supervisory authority.


If you'd like a steer on whether you need to appoint a DPO (without fear of being pitched to), book a free 30-min chat with one of our experts below!



© 2025 by Onteigo. All rights reserved.
