Use of external data protection officers
The data protection officer (DPO) is a sought-after specialist. Under the GDPR, the data protection officer plays a key role in companies when it comes to protecting the rights and freedoms of data subjects - and thus ensuring compliance with data protection requirements.
Data protection officers rely on their extensive technical and legal knowledge, their knowledge of national and international data protection requirements and their knowledge of the latest technology. Multilingualism is also increasingly a characteristic of data protection officers - especially in a corporate context.
The data protection officer is independent in his or her function and is not bound by instructions from the management. This makes the role of the data protection officer particularly challenging. For example, an enormous gray area has developed in the context of "legitimate interest" (Article 6(1)(f) GDPR) - at the interface between entrepreneurial decision-making freedom and data protection requirements. In this gray area, the data protection officer (internal and external) must regularly find a balance that carefully weighs up the interests involved.
The costs for a data protection officer therefore cannot be calculated across the board for all companies and situations. However, hiring a full-time data protection officer can by itself exceed a company's financial framework. Part-time solutions are also only partially effective and only partially recommended. Outsourcing the data protection officer is therefore a regular option.
Three advantages of an external data protection officer
Knowledge and experience: An external data protection officer or external data protection consultancy specializes in the implementation of data protection requirements in companies. Experienced consultants support companies with their specific data protection issues. Pragmatic and tailor-made solutions are developed with the client in a time and cost-efficient manner.
Flexibility: The option of a "single point of contact" means that an external data protection officer is only responsible for data protection queries. An employee who, for example, spends 25% of their working time as an internal data protection officer will not only lack the necessary expertise, but will also need considerably longer to answer questions relating to data protection law. External consultants can also be hired to provide an "outside perspective" on data protection projects, such as the creation of a deletion concept or a data protection impact assessment.
Costs: The cost advantage of an external data protection officer also depends on the actual contractual framework between the company and the consultant (monthly costs, flat rate or fixed hourly rate). This means that a company can also choose "data protection consulting by design" and spend or save financial resources in a targeted manner.
Data protection consulting by design
The following five questions should help you to put together your individual package for the external data protection officer:
- Where do I need support?
Do you need an external data protection officer with sector-specific knowledge for your company, e.g. pharmaceuticals, agriculture, healthcare or finance? Do you need cross-sector advice?
- What can the data protection officer cost?
What budget do you have available for data protection and the external data protection officer? You should determine how much support you need for data protection issues. Is a monthly flat rate worthwhile or do you prefer to bill on an hourly basis?
- What kind of advice do you need?
Is data protection a foreign concept to you or do you have basic data protection regulations? Do audits, the drafting of documents and communication with third parties have to be carried out by the data protection officer or can you free up internal resources for this?
- What is the scope of advice?
Are you self-employed, a smaller company or a corporate group? Do you need a group data protection officer? Do you need external data protection officers for different countries - EU or non-EU?
- How quickly do you need an answer?
Think about how quickly you need feedback on data protection issues. Are 7 days enough for you or do you regularly need clarification within a few hours?
Get in touch with us if you would like to find out more about the benefits of an external data protection consulting solution for your company.