External DPO Pricing: What It Must Include

·

There is no single statutory fee for an external DPO. The price depends on risk, size, sectors, project volume, suppliers, rights requests, incidents and the availability required. The useful comparison is not "how much does the appointment cost", but how much dedication, independence and real capacity the service actually includes. A cut-price DPO who only lends a name can leave the substantive obligation unmet.

What You Are Actually Contracting For

The DPO informs and advises, monitors compliance, advises on data protection impact assessments (DPIAs), cooperates with the supervisory authority and acts as the point of contact. The DPO must be involved in good time, have adequate resources, report to the highest level of management and act without instructions.

The external service does not transfer liability away from the controller or processor. Nor is it the same as an annual audit, or an advisory role that decides on the processing activities themselves.

Why the Price Varies

Complexity of the Controller

Number of entities, sites, employees, countries and joint controllers. A group with several companies needs more coordination and accessibility.

Nature of the Data

Health data, children's data, biometrics, profiling, surveillance or criminal-records data all raise the level of specialisation and review required.

Volume and Change

A stable organisation with few processing activities needs less dedication than a platform with weekly releases, campaigns and new suppliers.

Technology and Suppliers

Cloud services, artificial intelligence, international transfers, apps, cookies, geolocation and sub-processor chains all add diligence and testing requirements.

Incidents and Rights

The contract can include a reasonable pool of hours or specific billing. You need to know what happens outside business hours and in the event of a serious breach.

Starting Point

If there is no inventory, no contracts and no procedures in place, an initial compliance project comes first. It is worth keeping this separate from the recurring service so the real scope is not obscured.

Components of a Proposal

ComponentMinimum content
AppointmentNotification and public contact point
OnboardingContext, inventory and monitoring plan
AdviceQueries and projects with a defined turnaround
MonitoringRisk-based reviews
DPIACriteria and advice, with clear limits
RightsSupport with complex requests
BreachesAssessment, documentation and notification
AuthorityCooperation and complaints
TrainingRole-based sessions with evidence
ManagementIndependent, periodic reports

If a proposal does not quantify these activities, it cannot really be compared.

Pricing Models

Fixed Fee

Suitable for predictable activity. It should specify hours or capacity, turnaround times, meetings, deliverables and what happens if these are exceeded.

Hours Pool

Offers flexibility, but can discourage queries if every contact eats into the balance. It needs transparent usage tracking.

Per Project

Useful for a DPIA, an audit or a complex incident. It does not replace ongoing monitoring.

Hybrid

A base fee for ordinary functions plus an agreed rate for extraordinary projects. This usually makes costs predictable without promising unlimited availability.

Work Out the Scope Before Asking for a Price

Prepare a scope sheet covering:

Without this information, quotes will each rest on different assumptions.

A Credible Minimum Commitment

There is no universal figure. The proposal should show how it will cover:

  1. Knowledge of the organisation.
  2. Involvement in projects.
  3. Monitoring and sampling.
  4. Handling requests from data subjects and the authority.
  5. Ongoing professional development.
  6. Reporting to management.
  7. Cover during absences.

The European Data Protection Board (EDPB) has identified insufficient resources, insufficient expertise and conflicts of interest as recurring problems. The price must allow these failures to be avoided.

Independence and Conflicts of Interest

The provider should not design a processing activity, approve it and then certify its own work. It can offer other services provided the functions are kept separate and it does not determine the purposes and means of processing.

Questions worth asking:

A contract that allows the DPO to be replaced for giving an inconvenient opinion compromises independence.

Competence and Team

The GDPR requires a qualification based on expert knowledge and the ability to carry out the tasks. There is no single mandatory qualification.

Consider:

Professional certification can be evidence of competence, but it does not replace experience and resources.

SLAs and Availability

The proposal should set out:

ServiceCommitment to define
Routine queryFirst-response time
ProjectReview turnaround
Rights requestEscalation against the statutory deadline
BreachUrgent channel and availability
ComplaintOwner and coordination
ReportFrequency and recipient

"Unlimited support" without a defined SLA or capacity is not a guarantee of anything.

What Deliverables to Expect

The DPO should not become a producer of templates with no follow-through.

Comparing Proposals

Use a weighted scoring matrix:

CriterionIndicative weight
Independence and conflicts20%
Experience and team20%
Scope and dedication20%
Responsiveness and incidents15%
Monitoring and reporting15%
Total price and extras10%

A low price does not make up for a conflict of interest or insufficient coverage.

Costs That Are Often Left Out

There is nothing wrong with excluding them, but it must be stated explicitly.

Warning Signs

  1. An "appointment" with no onboarding.
  2. Thousands of clients per professional with no visible team.
  3. No direct contact with management.
  4. No urgent channel.
  5. The same person acting as DPO and as operational head of marketing or IT.
  6. A price with no assumptions behind it.
  7. Identical, automated reports.
  8. A promise of "guaranteed compliance".
  9. No cover and no continuity plan.
  10. Being penalised for issuing recommendations.

A Hiring Timeline

Week 1

Define the scope, risks and preferred model.

Week 2

Request comparable proposals and a meeting with the actual team.

Week 3

Assess independence, track record and SLAs; ask for references.

Week 4

Sign the contract, communicate the appointment, publish the contact details and approve the 90-day plan.

Contract Checklist

Frequently Asked Questions

Can a Standard Rate Be Published?

A rough guide can be given, but a responsible quote needs to know the scope first. Without it, the price says nothing about the real coverage.

Is the More Expensive Service Better?

Not necessarily. What should be compared is evidence, independence, dedication and results.

Does It Include a DPIA?

The DPO's advice is indeed part of the role, but intensive execution can be budgeted as a separate project. This must be made clear in the contract.

Can a Group Share a Single DPO?

Yes, provided the DPO is easily accessible from every establishment and has sufficient resources.

Who Pays for a Fine?

Legal liability rests with the controller or the processor, depending on the case. The contract may set out the provider's own liabilities, but it cannot override the GDPR.

Official Sources Consulted

Summum Consultoría can prepare a proposal based on risk and scope, without turning the appointment into a mere formality.