The General Data Protection Regulation (GDPR) is one of the strictest data protection laws in the world. Companies that violate the legal provisions risk fines of up to € 20 million or 4% of their annual global turnover.
Compliance with the requirements of the GDPR, the Federal Data Protection Act (BDSG) and a secure IT environment are therefore mandatory for every company. In order to ensure and monitor compliance with data protection requirements, every company that processes personal data on a large scale should appoint a data protection officer (DPO) – even if there is no legal obligation to do so.
Internal or external data protection officer?
For companies, the question arises whether the DPO should be appointed internally or externally. Below, we list the main advantages of an external DPO compared to an internal one.
Lower costs:
Compared to the average remuneration of an internal DPO (approx. 50,000-85,000 €/year), an external DPO is generally less expensive. Furthermore, there is no need to invest in the ongoing education and training of an external DPO, which in turn saves costs for the company. With an internal DPO, on the other hand, the company has to pay for further training in order to maintain the professional competence required by law.
High level of expertise and cross-company know-how:
An external DPO brings a high level of expertise in data protection and can contribute his or her experience and knowledge from advising other companies (“cross-company know-how”).
No conflict of interest:
As the external DPO is not part of the company, there can be no conflict of interest. The external DPO always acts impartially and independently.
No (increased) protection against dismissal:
As the external DPO is not an employee, there is no (increased) protection against dismissal.