

It's not easy to find your way around the various GDPR DPO offerings. We present the main types of players and the key points for finding the right DPO support to be GDPR compliant.

An immature market 🚀

To choose the right DPO for GDPR compliance, you need to see how this market is evolving.

The personal data compliance market has existed since 1978 and the Data Protection Act. It has accelerated sharply since the implementation of the GDPR at European level in 2018.

Since 2018, the market has seen many players address GDPR topics, with different approaches. There's been a certain windfall effect, since the market is booming in a world that's going digital and using more and more data.

It's clear that the market is not mature. It's growing fast and will become more structured over the years.

In these conditions, it's not easy for a company to identify the right service to handle its GDPR compliance. Here, we'll spell out the main types of players and a few key points to ensure that your support will be appropriate and of high quality.

There are 4 main types of players offering GDPR compliance services:

  • Law firms and consulting firms
  • GDPR consulting firms
  • IT security and digital transformation firms
  • Legaltech (excluding Dipeeo)
  • Dipeeo

Law firms and consultancies 👨‍⚖️

Law and consulting firms provide GDPR compliance and outsourced DPO services.

Benefits

  • High level of competence and quality
  • Full legal compliance (e.g. privacy policy, cookie policy, registry, etc.). It seems that control of technical service providers is not always included.
  • Client confidence

Disadvantages

  • Expensive (€16k for compliance and €6k for DPO). Successive quotes as needs evolve.
  • Time-consuming compliance, given the manual audit method and the drafting of all documents.
  • Very low skill level
  • Not very innovative or adapted to today's market

Law firms cater mainly to large corporations or companies with substantial financing capacity, given their fees.


GDPR consulting firms 📕

GDPR consulting firms provide GDPR compliance and outsourced DPO services. They have mainly appeared with the GDPR since 2018.

Benefits

  • Full legal compliance (e.g. privacy policy, cookie policy, registry, etc.). Beware of the offer you choose: they also offer partial packages (website only or initial audit...)
  • Generally quite inexpensive

Disadvantages

  • Long (e.g. law firms)
  • Not very innovative, as there are no tools to help clients achieve compliance. In addition, documents are not updated automatically, and there is no online training.
  • Members are neither DPOs nor trained lawyers = average GDPR skill level

In conclusion, the cost advantage over a law firm comes from lower structural costs and lower HR costs. The offer may therefore be attractive, but there is a greater risk of non-compliance overall.

GDPR consulting firms are flourishing and competing head-on with law firms in the VSE/SME sector. 

We consider freelance DPOs in this category.

IT security and digital transformation firms 🔒

IT security and digital transformation firms have decided to offer their clients a complementary GDPR and, where applicable, DPO offering as part of a website creation or securing project.

Benefits

  • Turnkey offer including security and compliance of visible aspects (e.g. privacy policy)
  • Compliance included in the initial service

Disadvantages

  • Partial compliance (e.g. many providers only provide the privacy policy, which represents 5% of the GDPR)
  • Not very innovative, as there are no tools to help clients achieve compliance. In addition, documents are not updated automatically, and there is no online training.
  • Very low skill level
  • Very high risk for the client in the event of an inspection

These firms focus primarily on small and medium-sized businesses. They are ideally positioned to work with clients upstream of the website creation process.

As for GDPR consulting firms, although compliance is more than partial and of poor legal standard


Legaltech outside Dipeeo 

A significant number of these have developed since the GDPR was implemented in 2018. They position themselves as "compliance assistance tools". They are SaaS software that helps to steer or organize one's compliance. Some tools make it possible to produce a "digital" processing register.

These tools are designed for GDPR DPOs to help them in their activities. Legal skills remain necessary, however, for the drafting of legal documents (which represents a substantial part of GDPR compliance).

Benefits

  • Useful in the context of accountability [1].

Disadvantages

  • No GDPR compliance: the tools don't allow you to write / draft the GDPR documents required to be compliant
  • Innovative
  • Expensive (e.g. around €200 excl. tax/month for a very small business, to which must be added the personnel costs for the internal or external DPO)
  • For DPOs only

[1] Accountability means being able to demonstrate compliance in the event of an audit. Legaltech GDPR tools are useful in this respect, as they enable all GDPR documents to be filed and centralized in the software. However, these tools do not produce the documents for the user.

Dipeeo: the outsourced GDPR DPO 

Dipeeo offers an outsourced DPO service to handle all the client's GDPR issues. Clients have a single point of contact, their DPO, who is a legal expert or lawyer.

Dipeeo carries out all the client's compliance work, drafts documents, answers questions and deals with unforeseen circumstances...

In addition to video exchanges, the client and the Dipeeo DPO will collaborate via the digital platform. This automates all the low value-added tasks involved in GDPR compliance.

Benefits

Dipeeo carries out compliance on behalf of the client and acts as DPO for the CNIL (National Commission for Information Technology and Civil Liberties) on behalf of the client.

The client has access to the entire GDPR support package in a single, all-inclusive fixed-price monthly offer.

Dipeeo's lawyers / DPOs support clients in the event of difficulties (e.g. client complaints, HR, CNIL (National Commission for Information Technology and Civil Liberties) inspections, etc.).

This study is biased, as it was carried out by Dipeeo. It is important to study each case individually to make the best support decision.

We'd like to give you two key pieces of advice to help you make the right choice of service provider. You can also consult advice from the CNIL (National Commission for Information Technology and Civil Liberties) on appointing a DPO.

Check and contract the scope of the service provider's intervention 🔍

Depending on your business, your size, your tools, the activities to be carried out for your GDPR compliance may vary. It's important to describe the services included with your future service provider. This will help you avoid cost surprises when adding a service or partial (and therefore unnecessary) compliance.

Many offers on the market are partial and do not enable 100% GDPR compliance.


Check and request a commitment from the DPO who will be your contact person

Some DPOs spend several years studying IT, intellectual property and new technologies, and become lawyers. Others take a few months' training and declare themselves DPO.

This can have an impact on the quality of your support, particularly on key business issues: whether or not you have the right to use certain data, negotiating with partners, etc.

It is important to have your DPO's profile validated and written into the service provider's contract.

Hopefully this article will help you choose the right DPO 🙂