Do I need a data protection officer, and may I hire an external one?

A data protection officer assists the data controller in ensuring that privacy is safeguarded. Public enterprises must always have a data protection officer. Private companies must have a data protection officer if they, as a part of their main activity and in a large scale, either regularly and systematically monitor people, process sensitive information, or process information about criminal offenses. Even if you are not obliged to have a data protection officer, it may be wise. This is especially true if you process sensitive personal data or personal data in a large scale, or you are in doubt as to whether you are required to have a data protection officer. 

The role as data protection officer can be performed by external service providers, such as lawyers. Bull & Co offers data protection officer as a service, which you can read more about here (Norwegian). If you need help assessing whether the company needs a data protection officer, you can contact us here