In this post we'll talk about the Data Protection Officer (also known as DPO), the person entrusted with ensuring that the organisation processes the personal data of its staff, customers, suppliers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
It is easy to see how this job function experienced its most intense period of growth and activity in recent years, following the entry into force of the General Data Protection Regulation (GDPR) throughout the European Union. From that date onwards, the questions about the various areas in which the legislation applies have gradually given way to a stream of requests for information about pricing for consultancy work in the field of privacy, with particular regard to the role of the DPO.
Time to ask ourselves the big question: how much should we get paid for doing that? What compensation should we expect for a profession whose job description still raises numerous doubts and perplexities, not only and not so much among those who have studied the legislation, but also and above all among the management in charge of the engagement?
As was easy to predict, reality fell like a boulder on the expectations of the many aspiring DPOs. Here is a sample of some job offers discussed on a Data Protection Officer bulletin board in 2018-2019:
Call for tenders from the second teaching circle of Assemini (a town near Cagliari): amount of the assignment € 500, until December 31st... it really borders on the ridiculous. Another estimate made to my client for a clinical analysis laboratory: 700 euros for the DPO per laboratory and 200 euros for outpatient clinics. Obviously I told my client to rely on other consultants; I wouldn't even dream of taking the job at those prices.
Just to create interest in the discussion... know that some municipalities in Liguria have offered an ALL-PRIVACY SERVICE (Training + Software + Consultant + DPO) at... 960 euros!! A year!! Let's play "who does it for less"? Are we ridiculous, or am I wrong?
These cheap offers will kill the profession before it's even born. [...] I agreed to perform compliance and take on the role of DPO for a debt collection agency in my city [...]. A few days later, before we met to sign the appointment and contract, the owner calls me, apologizes and informs me that they have decided to rely on a service in agreement with the trade association that offers compliance and an external DPO service for only € 1000. OK, with a trade-association agreement the price can certainly be lower because of the volume, but € 1000 is too low. [...] So how can we explain that?
... and the list goes on.
Houston, we have a problem (actually, two)!
From these messages we can understand how the number of people trying to "make cash" with the GDPR, combined with the scarcity of documented information on a completely new profession, has led the market to settle on a price level that is immediately and conspicuously low. For "newcomers" it is a cold shower, but whoever was already working on privacy at the time of the mandatory DPS (before D. Lgs. 5/2012 of 09/02/2012), or who has had the "misfortune" to focus on the "231" (D. Lgs. 231/2001), can only observe that, once again, history repeats itself: when compliance is imposed as a mandatory requirement, companies and entities always try to spend as little as possible, exactly as in the advertisements for medicines: the shorter it lasts and the less it costs, the better. The same logic was applied to IT security: most companies chose not to invest anything in it until they were hacked, and only then did they run for cover by hiring a third-party IT company, since they had no internal office that could handle that kind of task.
The problem, as can clearly be seen from the contributions above, is not limited to the demand side, which appears on the whole legitimate, and even partially justified by the obligation to appoint a DPO laid down in art. 37 of the GDPR and later corroborated by the WP29 guidelines on the same obligation (see WP 243 of 13/12/2016, par. 2.1). That obligation, however, at least in the Italy of the current crisis, applies to a large number of companies that, despite processing a few thousand personal data records spread evenly across the Italian territory, do not have the size or turnover to afford a DPO.
There is a second problem, much more serious in many respects, which concerns the supply side: not globally, obviously, but in relation to certain package proposals or all-inclusive service offers that attempt to force a delicate and highly personalized assignment such as that of the DPO into the pricing logic typical of commoditized services.
An undergrowth of packages, conventions, flat formulas, all-inclusive flat-rate services and so on, which only further corroborates the belief that the appointment of the DPO is nothing more than an annoying regulatory imposition to be shaken off with the least possible effort: a thousand euros a year and the problem is solved... until the next nuisance.
The tasks of the DPO
Is it really possible to do this? Or, to put it another way, is it conceivable to set the DPO's compensation as a fixed annual flat rate, that is, parameterized in some way on the company (size, turnover, types and/or quantity of data processed, and so on)?
To answer this second question, which is only a different way of asking the first, it is appropriate to take a step back and briefly summarize the DPO's job description on the basis of the provisions of the GDPR text (art. 39 and following).
Before delving into the legislation, an important premise: the DPO is designated on the basis of professional qualities, in particular specialist knowledge of data protection law and practice, and the ability to fulfil their duties. It is therefore a specialized figure with a high professional level. This can already give us a rough indication of their possible hourly compensation, which for comparable figures - lawyers, certified IT specialists and so on - ranges from 50 to 200 euros per hour, in some cases even more.
All this, of course, takes for granted that the person really has adequate and verifiable competence, experience and training; otherwise, the problem to report to Houston is not inadequate pricing, but the poor preparation of the DPO.
Now let's try to summarize the duties assigned to the DPO by art. 39 of the GDPR:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
As we can see, the DPO mostly carries out a consultancy activity, which takes the form of informing the company about the regulatory obligations it is subject to and then monitoring compliance with them, i.e. their effective application. It goes without saying that, in the (highly discouraged) case in which the DPO is an employee, this will be a consulting activity in practice but not in substance.
Myths to dispel
Based on what we have learned above, let's try to make a list of myths to dispel, many of which are still circulating on the net even though more than a month has now passed since the GDPR became applicable:
- DPO is not a consultant: FALSE. The DPO mainly carries out an information and surveillance role which is substantially similar to the typical activities of specialist consultancy.
- The DPO carries out the Data Protection Impact Assessments / PIA / DPIA (as per GDPR art. 35): FALSE. Its task is to inform the Data Controller of the need to carry them out - or to have them carried out by the Privacy Officer - and then, upon request, to check that they have been done in the appropriate way.
- The DPO compiles the Register of Processing Activities (as per GDPR art. 30): FALSE. See the point above on the Impact Assessments (point 2).
- The DPO is the company's main regulatory point of reference on privacy: FALSE. That role belongs in the first place to the Privacy Officer, or to the corporate privacy and/or compliance office. If anything, the DPO's task is to provide advice on points not already adequately covered by the existing procedures, with the aim of making them ever more appropriate to the types of data processed (and the related obligations). The DPO is not there to plug gaps: its job is to push the company to learn how to plug them on its own.
- The DPO must deal with employee or staff training: FALSE. The same applies as in point 4: the DPO is not responsible for training activities; its task is to ensure that the company organizes training courses appropriate to the types of data processed (and the related obligations).
- The DPO is responsible for how the company operates and acts in the privacy area: FALSE. Responsibility always lies with the Data Controller and, within the limits of their assignment, with the Managers appointed by the Controller; the DPO has no responsibilities other than those directly related to its duties - such as, for example, the mandatory notification to the supervisory authority (the Guarantor) in the event of a significant data breach, which may also be made on the company's initiative.
The list may still be very long, but we can stop here for the moment. We have already collected all the necessary elements to be able to draw conclusions regarding the two questions we asked ourselves in the previous paragraphs: how much to ask? Is it possible to think in terms of annual flat-rate, whether fixed or parameterized?
Fixed rate? No thanks
Let's start with the second question: the answer can only be negative, because the DPO's activity will always and inevitably depend on a series of extremely variable - and largely unpredictable - aspects of the company in question. Elements such as turnover, the number of employees, and the type and quantity of data processed are undoubtedly important and will certainly carry weight, but only when set against a series of living and dynamic components of the company such as, by way of example:
- the preparation of the Owner and/or employees, and the ability and willingness to carry out training activities;
- company receptivity in compliance with the regulations or in the adoption of changes;
- flexibility and versatility of the procedures;
- presence or absence of a management system to which the privacy system is anchored;
- presence or absence of a certain third-party audit culture or external control measures;
- presence, training and capacity of the Privacy Officer or the privacy / compliance office;
- presence or absence of IT infrastructure and its complexity;
- company's exposure to the various types of data breaches, as well as the number of data breaches risked or suffered;
... and so on.
Is it possible to measure these aspects effectively at the end of one or two fact-finding meetings held in order to formulate a service offer? Obviously not. Consequently, a DPO who is aware of their functions will never be able to set an annual flat rate. It follows that, if a company or an individual professional offers you a Data Protection Officer service at a fixed rate, either they know you very well - for example they are already your supplier - or it is very likely that they intend to offer you a poor service, the minimum necessary to make you compliant with the new regulation as far as the mandatory appointment is concerned...
... which, mind you, is and always will be the secret dream of many owners. But this is certainly not the goal of the new regulation, nor should it be the attitude favoured by those who intend to build a real professional practice in the field of Data Protection.
Compensation calculation criteria
Before reaching the conclusion of this article, let's try to find a way to answer the first and most difficult question: what the remuneration of a DPO should be. Since, as we have seen, a fixed or parameterized rate cannot work, the only way to calculate an acceptable price is to think in terms of man-hours. First of all, therefore, it is advisable to draw up a cost table that will be used to calculate the remuneration for the hours actually worked, taking care to distinguish the activities carried out on the company's premises from those carried out remotely.
A likely hypothesis from which to start could be the following:
- Activities carried out on site: € 100 + VAT / hour. Audits, inspections, on-site checks and verifications, interviews, meetings and so on.
- Activities carried out remotely: € 50 + VAT / hour. Documentation review, off-site consultancy, information checks, regulatory research, communications to the Guarantor, conference calls and so on.
It goes without saying that the above criterion is designed for external DPOs or for self-employed collaborators with a VAT number: after all, there is a general consensus that appointing an employee is not a good idea, given the objective difficulty of demonstrating the independence, autonomy and freedom that the GDPR requires.
This simple calculation method is obviously not sufficient on its own to formulate an offer, but it can be a good starting point if supported by an adequate audit plan and an estimate of a certain number of standard activities that can be pre-planned and pre-calculated: all net of possible further activities - strictly to be agreed and authorized during the year - which may become necessary following unforeseeable or emergency events, including changes in the regulations or new implementing measures issued by the Guarantor. Think, for example, of the long-awaited harmonization decree, scheduled for August 2018, and of the changes it could introduce - for better or worse - regarding the obligations of the Data Controller or the DPO.
To give a practical example, using the above numbers it would be possible to hypothesize a quote of this type:
- Document analysis (8 hours off-site): € 400
- 4 audits per year (4 hours on-site each): € 1,600
- Periodic alignment meetings on site (6 hours on-site): € 600
- Remote consultation (8 hours off-site): € 400
For a grand total of € 3,000 / year, without counting further needs or requirements to be assessed during the engagement: this is certainly an adequate compensation for the effort sustained in terms of the service rendered.
Anyone who works or has worked in the consultancy sector knows perfectly well that adopting a pricing criterion based on the hours actually worked has the enormous advantage of protecting both the client (the company) and the professional (the DPO): the former avoids the risk of paying excessive costs compared to the services received, while the latter never runs the risk of having to work below the expected profit margin. It takes no risk analysis to see that this is a considerable reduction in business risk for both parties, to the full advantage of the value (and therefore, hopefully, the quality) of the work actually performed.
At the same time, we have no doubt that many Owners (and not a few DPOs) will turn up their noses at these rates: the former, because it means taking seriously a "nuisance" they were hoping to settle with a modest amount, entirely allocable in the pre-final budget; the latter, because hourly pricing calculated on the activities actually carried out is a cold shower for those who dream of millionaire compensation for a job that, although specialized and anything but simple, should not be overestimated either in terms of complexity or, even less, in terms of the responsibility assumed - provided, of course, that the company has (or provides itself with) a privacy officer and/or a privacy office worthy of the name.
Let us always remember that the main task of the DPO is to raise the level of awareness of the Owner and the company on privacy matters, certainly not to act as a mysterious, ineffable and overpaid bumblebee: the credibility of the profession itself is at stake.
We have come to the end of this long post about the duties and remuneration of the Data Protection Officer, a professional figure who has already been described - not entirely wrongly - as the 21st-century condominium administrator. This metaphor - which many will find humiliating, reductive and perhaps even offensive - is in fact apt insofar as it reminds us that the value of the DPO is not measured by the size of the annual invoice paid by the individual company: the market in fact expects this type of professional to provide services to a portfolio of clients, creating the conditions for a career based entirely on personal skills, with all that follows: contractual strength, the possibility of negotiating higher hourly rates and therefore more advantageous economic conditions, and so on... just like any other professional in the sector.