Outsourcing the data protection advisor

and what to take into consideration

Philipp Rosenauer
Partner Legal, PwC Switzerland

As expected, the Federal Council announced on August 31, 2022 that the new Swiss Data Protection Act (with the implementing ordinance) will be applicable as of September 1, 2023. The deadline for the entry into force of the new Swiss Data Protection Act is now getting closer. Many companies have not yet decided whether or not to appoint a data protection advisor internally or whether this function should be outsourced to a service provider. 

To fill the position of data protection advisor, appropriate practical experience is required in addition to the necessary specialist knowledge. Even under the EU GDPR, it quickly became clear that the number of qualified and experienced data protection officers was inadequate to meet market demand. In this blog post, we discuss what needs to be taken into consideration when outsourcing.

At the outset, it should be noted that outsourcing the data protection advisory function does not release the company (i.e. the controller under data protection law) from fully complying with the provisions of the Data Protection Act. In short, while tasks can be outsourced, responsibility cannot. The controller therefore remains responsible for the following areas:

  • lawful processing of personal data
  • ensuring the rights of the data subjects
  • protection of data through technical and organisational security measures
  • retaining records of processing
  • cooperation and consultation with the supervisory authorities
  • reporting data protection violations
  • carrying out data protection impact assessments 

By contrast, the data protection advisor has the following tasks in particular:

  • timely involvement in all issues related to the protection of personal data
  • advice on data protection impact assessments
  • informing the responsible company and the processors about their obligations
  • receiving notifications from data subjects about their rights and the processing of their data
  • monitoring compliance with the DPA and related laws as well as the policies of the company responsible for the processing
  • facilitation and implementation of audits
  • cooperation and consultation with supervisory authorities 

A company that has decided to outsource the data protection advisory function needs to make sure that the data protection advisor entrusted with the role has the necessary expertise and skills. The following aspects in particular need to be considered:

  • length of professional experience as a data protection advisor
  • any certifications in the area of IT and data protection
  • membership in relevant professional associations
  • previous participation in data protection impact assessments
  • nature and scope of the data protection projects managed
  • knowledge of the different data protection laws worldwide
  • location of the service provider (inside or outside Switzerland)
  • experience in emerging technologies (e.g. Internet of Things, blockchain, smart devices, etc.)
  • any additional data protection mandates with possible competitor companies
  • available resources
  • experience with the local data protection authority (FDPIC)
  • availability, especially ad hoc for clarification of data protection violations

The above list is not exhaustive and can be extended where necessary. It is important to do your due diligence and ask the right questions when outsourcing this important function. 
