A DPO can be an internal or an external person.  We believe that an external DPO is, for most organisations, a better solution.

Here’s why.

Access to the right level of expertise

The DPO must be an expert in data protection. He or she must also have sufficient credibility both to report to the Board (the GDPR states that the DPO must report to the top-level decision-making body in an organisation), and to liaise with the ICO in a number of scenarios, including breach.

Independence and an external view

It’s too easy for internal resources to lose sight of the wood for the trees: an external DPO has the benefit of a more detached perspective.

It is also easier for an external DPO to provide the independence and the critical ability that the role requires.

Cost

The combination of these attributes does not come cheap.

Having an external DPO for a few days a month is likely to be a more cost-effective solution than an internal appointment.