How should DPOaaS price their services on a case-by-case basis?

If you are an external Data Protection Officer offering so-called “DPOaaS”, you will often find yourself wondering about your pricing. Since you are shouldering some of the risk, you want to make sure that your pricing makes your business worth your while at the end of the year. You have to find a price which your customer appreciates and which matches your effort. In this article, we look at how to price two different types of DPOaaS: servicing and collaboration.

What are “servicing” and “collaboration” approaches?

What we are seeing in the business is that DPOaaS typically have two approaches to their DPOaaS offering.

We call the first approach collaboration. This approach reflects the type of DPO work that the law intended. For example, the external DPO works with the client and focuses on supervising and checking the work of the client, while leaving the bulk of the work to data protection coordinators on the client side. In a DPOaaS setting this means that the hired DPO provides the client with documents, advice and regular checks, but will not act if his documents are not used and/or his advice is not adhered to. In his regular checks, he will point out deficits patiently, typically in writing for accountability. We call this mode collaboration because it requires strong activity on the client side. On the DPO side, the work is easy to schedule and the required effort is easy to estimate. Also, the work tends to be similar from client to client.

The second approach we call servicing. This work mode is driven by the market (instead of the law) in which clients require a service and are willing to pay for it. Colloquially speaking, the client pays to have his problem go away. The hired DPO does most of the work whereas the client will only act when there is absolutely no alternative. In a DPOaaS setting this means that the hired DPO provides the client with documents and advice, but also proactively collects information, puts together documentation (e.g. the RoPA), and responds to Data Subject Access Requests and incidents. As a result, the client often has little understanding of the work the DPOaaS does and relies on regular reporting.

The key point is that the effort that the DPOaaS has to spend on a collaboration project is much lower than the effort spent on a servicing project.


Since the two types have vastly different efforts attached to them, it is essential that they are priced differently in order to make sense from a business perspective.

Keep in mind that wrong pricing will eventually lead to dissatisfaction. If the client got a bargain deal by obtaining a servicing project for the price of collaboration, the DPOaaS will eventually cancel the project, because it is not worth it, essentially leaving the client with nothing at all. If on the other hand the client feels that he is overpaying for the DPOaaS services, this can result in either nagging client behaviour trying to squeeze out more from the DPO or a cancellation of the project at the next opportunity.

With regard to the pricing for collaboration, we see extremely competitive pricing focusing on scalability on the DPOaaS side. The DPOaaS will try to minimize his effort while maximizing the number of clients. If you are offering collaboration projects, make sure to highlight the limits of your services while offering optional hourly rates for special requests and emergencies. For the client this means that he receives basic service at a small financial risk with some pricey upgrade options.

If you are offering servicing projects, this can be considered premium and should be priced as such. (Note: Make sure to emphasize the difficulty of the work to the client. Since he will not see most of it, it is important that he still understands the effort behind it.) Whereas collaboration pricing requires expertise in acquiring clients in large numbers, servicing requires you to be good at estimating the difficulty of projects. If you get this estimate wrong, you might be spending too much time on the client and will have a hard time renegotiating terms.

How we support you

ECOMPLY supports both of these business models with two operating modes.

In collaboration mode, you provide the client with a data protection management system where he can do all of the work on his own and you can regularly check on it. You can put remarks where necessary and assign tasks. The entire system is the shared space between you and the client. Your benefit is that the system guides the client and you can focus on checking the work he has done.

In servicing mode, you provide the client with minimal access to the ECOMPLY platform (i.e. the dashboard) where he receives the results of your work. This is extremely convenient for the client because he wants to have simple access to results in one place. The convenience on your end lies in the efficient tools that ECOMPLY provides to make sure you have repeatable processes from client to client.

Do you want to know more? Reach out today!

ECOMPLY is a GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.

Hauke Holtkamp, CEO ECOMPLY GmbH