
Choosing your DPO: Full-Time? Service? Consult?

I’ve noticed many SMEs running LinkedIn ads to recruit full-time DPOs, and it’s disappointing to see how often the other options are overlooked.

Which DPO Option and Benefits Suit You Best?

I think it’s important to consider all the available options before making a decision. Yes, you could employ a full-time DPO for your business. Or you could contract with DPO specialists to provide DPO as a service. Or appoint an internal ‘non-specialist’ and support them with an external data protection consultancy or consultant.

I’ve listed below some of the benefits from these options, so that the next time you need to find a DPO, you have information to help you make an informed decision about what type of DPO you actually need, and what solution might fit you best.

1. Cost 

As with any new employee, hiring a highly qualified full-time DPO involves significant costs, especially in salary and benefits. Outsourcing the DPO role means you only pay for the DPO services and time you use. You don’t need to consider staff benefits, holiday, sickness or appraisals, nor the time, cost and expense involved if you need to let them go. Nor do you need to be concerned about FTE overheads like office space, equipment or other resources.

2. Flexibility / Scalability

Internal DPOs may struggle with budget constraints and limited resources. Outsourcing can provide a more cost-effective solution, with access to the necessary resources as needed. An outsourced DPO service can give you more or less support month by month, depending on your needs: you choose how much time you need, and you can ramp it up or down depending on whether you have a large project or simply need ongoing maintenance. And if you need an interim DPO, you can appoint a consultant with no need for a long-term commitment.

3. Expertise

Top quality DPOs (whether FTE or outsourced) are experts in data protection law and regulations. But perhaps the biggest advantage of the DPO-as-a-Service or consultancy option is that those DPOs will have gained considerable and diverse experience from working in many different industry sectors. They see many and varied solutions to common data protection issues from the numerous clients with whom they work. And vitally, within a team of DPOs in a consultancy, they will always be learning from each other, considering solutions based on the shared knowledge of the whole team. And that shared knowledge becomes your company’s shared knowledge.

4. Unbiased Approach

An outsourced DPO or consultant has the advantage of being independent and unconflicted. They are able to consider your issues with fresh eyes and no bias. This means that they can conduct unbiased audits and assessments of your data protection practices, then help you implement any remedial actions.

5. Internal Challenges

Full-time DPOs often face challenges such as a lack of support from key stakeholders and a lack of cooperation within the organisation. Although fully engaged with the client and its goals, outsourced DPOs can navigate these challenges more effectively because of their independence.

Conclusion

The traditional route of hiring a full-time employee may be perfect for many companies. But it’s clearly not the only solution. So when you next need to appoint a DPO, you could state that not only full-time employees, but also DPO-as-a-Service providers or consultants, are welcome to apply.

That way you can be sure that you don’t miss out on the right person by excluding them by default. And of course, you can review and interview applicants as normal and make your own decision about which individual or option fits your needs best.

Data Compliant International

If you are looking for a DPO or supportive consultant, Data Compliant International provides DPO-as-a-Service, and data protection / privacy consultants to a wide range of business sectors. If you’d like to know more about how we help our clients, please take a look here. If you would like help or assistance with any of your data protection obligations, please email dc@datacompliant.co.uk or call 01787 277742.

Data Protection and Privacy Impacts of the New UK Data (Use and Access) Bill

Background

On Wednesday 23 October 2024, the UK Government published its Data (Use and Access) Bill (“DUA”). It promised to “harness the enormous power of data to boost the UK economy by £10 billion” and “unlock the secure and effective use of data for the public interest”.

The DUA mirrors many of the concepts and provisions from the previous Government’s abandoned Data Protection and Digital Information Bill (“DPDI”), though there are subtle changes. The DUA appears to place greater focus on data sharing and digital.

It is worth noting that the EU is set to review the UK’s data transfer adequacy status in mid-2025. Maintaining adequacy status is vital to the UK. (Possibly) as a result, some of the more contentious issues included in the discarded DPDI have been removed from the DUA. 

With the mid-2025 adequacy review date in mind, the government will undoubtedly try to get the Bill through as quickly as possible. After two readings in the House of Lords, it is now at Committee Stage.

DUA – Key Points for organisations

The key points of the DUA are:

  • UK Adequacy Status: As stated above, the EU is reviewing the UK’s adequacy status in mid-June.
  • Accountability requirements: in the DPDI, there were plans to amend and simplify the accountability obligations required under GDPR. These have NOT been carried over into the DUA. Specifically there are to be no changes to:
    • the requirements for a DPO
    • requirements for Records of Processing Activities
    • requirements for Data Protection Impact Assessments.
  • ICO Reform: The Information Commissioner’s Office will be replaced by a new corporate body called Information Commission.  Executive members will be appointed and scrutinised by the Chair and non-executive members.  The Commissioner will be required to look to public interest factors around data protection. For example, it must consider the desirability of promoting innovation and competition.  There is also emphasis on protecting children in relation to data processing.
  • Special Category Data:  the Secretary of State has the power to add and remove new special categories of data. Those that already exist in Article 9 may not be removed. 
  • Data Subject Access Requests (DSARs): The discarded DPDI included the concept of an exception around “vexatious” requests. This has NOT been included in the DUA. However, proportionality is a key consideration in the DUA, which makes responding to DSARs more straightforward, including by confirming that a DSAR search for personal data need only be “reasonable and proportionate”.
    • The 30-day time period to complete a DSAR begins only after the organisation has confirmed the individual’s identity.
    • The DUA also helps businesses by turning common DSAR practices, based on ICO guidance, into law. This offers certainty for organisations. For example:
      • If an organisation has large amounts of information about the data subject, it may ask the subject to narrow down the information requested. 
      • While it seeks this information, it may briefly halt the time frame.
  • Legitimate Interests: there is a new concept of recognised legitimate interests, where certain data processing activities will not require a full Legitimate Interest Assessment (LIA), for example:
    • safeguarding national security or public safety
    • responding to an emergency
    • crime prevention / investigation
    • public health
    • exercising data subject rights, regulatory functions or civil law claims.
    • This list can be updated on an ongoing basis, subject to parliamentary approval.
    • It is worth noting that the European Court of Justice has consistently ruled that any interest that is legal may be a legitimate interest – i.e. that a purely commercial interest can be a legitimate interest.
    • In addition, when conducting an LIA, it is acceptable to take into account not only the benefits to the individuals, but also those to the environment (e.g. paper reduction) and the economy (e.g. generating growth and spending budgets in a targeted manner).
  • Privacy and Electronic Communications Regulations:  PECR is included in DUA, and therefore is aligned with the levels of fine available for GDPR breaches.  This is a massive increase from the £500,000 maximum fine currently in place.  In addition, the DPDI’s email soft opt-in for non-commercial organisations (such as charities) is NOT currently included (though lobbying is ongoing).
  • Cookie Consent Exemptions: The aim is to reduce the number of cookie consent banners.  DUA allows the use of cookies without consent in specific circumstances, such as ensuring security or preventing fraud, collecting information for statistical purposes for own use, to improve the website functionality and appearance to the user, and to provide emergency assistance.  This is particularly beneficial to those parties who do not use advertising cookies – for example B2B websites.
  • Digital Verification Services: DUA aims to create a framework for trusted online identity verification services, moving away from paper-based and in-person tasks (e.g. registering births and deaths online). Companies providing digital verification tools must be certified against government standards and will receive a ‘trust mark’.
  • Smart Data Schemes: The introduction of smart data schemes will require businesses in sectors like financial services and public utilities to enable data interoperability and secure data sharing. This aims to enhance consumer confidence and drive innovation.
  • Data Access Provisions: The DUA introduces data access standards similar to the EU’s Data Governance Act, enabling controlled data sharing between businesses and public authorities. 
  • Automated Decision Making: The DUA will make it easier for organisations to adopt a broader use of automated decision-making for low-risk, beneficial processing – for example when using artificial intelligence (AI) systems. It limits the scope of the UK’s GDPR Article 22 to cover only “significant” decisions, and those based either in part or entirely on special category data. 
  • Data Transfers: the DUA replaces Chapter 5 of the UK GDPR with a new “data protection test” for the Secretary of State to consider international data transfers, in which the objective is to ensure standards are not materially lower than in the UK.  This differs from the EU approach which looks for equivalence.

Timetable

With the upcoming adequacy review in mind, it seems likely that the government is trying to get the Bill through as quickly as possible – it has already had two readings in the House of Lords and is currently at Committee Stage in the House of Lords.

Data Compliant

If you would like help or assistance with any of your data protection obligations, please email dc@datacompliant.co.uk or call 01787 277742. And for more information about how to meet your accountability obligations, both before and after the DUA comes into force, please see here.

Victoria Tuffill

18th December 2024