Best practice

3 reasons to choose an external Data Protection Officer

  28. 02. 2019

The GDPR forced most companies to appoint a Data Protection Officer (DPO). The previously unknown concept has become the centre for questions, dilemmas, and challenges regarding how to meet all the GDPR requirements.

Have you also faced the question of who to appoint as a Data Protection Officer? Are you unsure whether it’s better do choose an employee or an external consultant?

Here are some facts that will make your decision easier.

1. Within a company, certain positions present conflicts of interest with the role of a Data Protection Officer (DPO)

Perhaps you thought you’d appoint an executive director - someone who knows how the company operates and knows its business processes in great detail - as the Data Protection Officer (DPO)? Or, perhaps the HR, IT, or marketing director?

Unfortunately, it’s not that simple. The Data Protection Officer may not be employed in a position where he or she is able to define the purposes and means of personal data processing. For example, the HR director is responsible for storing and processing employees’ personal data in their personnel files, and for storing and processing job applicants’ personal data in the HR system. As the HR director is directly responsible for defining the purposes for which personal data are used, they may not assume the role of DPO. Beyond that, he or she may not have the necessary knowledge and expertise.

Employees in such positions cannot serve as the DPO, as this would lead to conflicts of interest. An external DPO allows you to fully and independently ensure that your personal data protection practices are complaint with the relevant laws and regulations on personal data protection.

2. Expertise is the key

It is important that the DPO is well aware of Slovenian and European legislation and has an in-depth understanding of the GDPR as well as experience in the field of personal data protection. In addition, the DPO has to understand the data controller’s operations and organisation, the data processing IT systems and processes, and the relevant personal data protection requirements.

3. Keeping up-to-date takes time

The DPO has to regularly monitor new developments in the law and in personal data protection practices. Employees are often so busy with their day-to-day obligations that they can’t find time for further education and training. Acquiring special qualifications or certificates confirming the necessary expertise the field of personal data protection also requires financial outlays. In addition, it doesn’t make sense for smaller companies to appoint a new full-time employee as the Data Protection Officer, as that person may not have enough work.


What does an external DPO do?



We’ve been successfully cooperating with Mikrocop’s personal data protection advisory team since 2014. We are impressed with their expertise and experience. Ensuring that personal data protection is compliant with the General Data Protection Regulation is certainly a challenge, but with a systematic approach implemented in cooperation with a reliable business partner, it is feasible.

OMV Slovenija, d.o.o.


If you are in dilemma as to whether you already have an employee with the required expertise and experience to serve as the Data Protection Officer, we can offer you help and advice.