The Data Protection Officer, created by the GDPR in 2018, is there to support you in your GDPR compliance.
Should I choose an external DPO? If so, how?
A DPO, or Data Protection Officer, whether internal or external, assists the controller or processor in GDPR compliance. 🚀
A data controller is the person or organization that processes personal data. Example: a newsletter subscription by email ✉
The GDPR aims to frame practices to ensure respect for citizens' personal data.
The DPO (or DPD) appeared with the GDPR in 2018. The DPO's role, skills and obligations are defined by the GDPR. 📜
All DPOs must be registered with the CNIL (National Commission for Information Technology and Civil Liberties) via this link. The list of DPOs registered with the CNIL is publicly available on the CNIL website.
Internal communication within your company (or other type of organization) is recommended: all employees must be aware of the DPO's presence and activities, and know that he or she can be contacted for any matter concerning personal data.
🎯 The DPO ensures compliance with the rules on personal data for the organization by which he or she has been appointed. The DPO's role revolves around 4 axes:
- The DPO facilitates exchanges with the CNIL (National Commission for Information Technology and Civil Liberties), and can question it on any issue. The CNIL will refuse to respond to a data controller who has not first consulted his or her DPO. The DPO is the main point of contact in the event of an inspection or complaint, but cannot represent the organization alone.
- He or she handles all requests from data subjects: requests to exercise the right of access, or any other question they may have about their data.
4. Produce the necessary documents for GDPR compliance 📊
- Documentation is a pillar of the GDPR: it enables the organization to comply with the rules and to prove it in the event of an audit. This is the principle of "accountability". 🚀
- Numerous elements therefore need to be included in the documentation, including: the register of processing activities, the data breach register, information notices, subcontracting contracts, etc.
The DPO drafts all the legal documents required for the organization's GDPR compliance: privacy policies, cookie policies, GDPR contractual clauses, GDPR charter... 🎯
There's no such thing as a typical profile, but there are a number of prerequisites. To fulfil the role, a DPO needs to know the following:
🗒 This is a short list of requirements, but it describes a profile that is very rarely found in companies. Where some of this knowledge is lacking, the DPO can be trained. He or she can also call on internal or external expertise.
Beyond knowledge, the DPO's character also matters: integrity and ethics. He or she must also be a good pilot, capable of communicating, explaining in plain terms and convincing. ⭐
🔑 It is key for a company that its DPO is also very open to business. Indeed, the DPO is a pilot, integrated into the company's thinking to find solutions that respect the rules and maximize value for the company!
In some companies, projects necessary to the growth of the business have been stopped because of a GDPR "blockage". We need to be vigilant on this point.
🔎 Today, the professions from which DPOs come are varied: 28% technical profiles, 28% legal profiles and 44% administrative, financial or audit profiles.
There is no mandatory certification or diploma mentioned in the GDPR to be DPO. However, the CNIL (National Commission for Information Technology and Civil Liberties) may take action against the appointment of a DPO who does not have the skills required to carry out the activities of the Data Protection Officer.
A legal background in IT and/or data protection is considered necessary. A good knowledge of IT is also required to be able to orchestrate the so-called technical activities, notably for security, cookies and data deletion.
There are many GDPR training courses or certified DPO training courses, some of which are particularly recognized and a guarantee of trust, such as Afnor's certified DPO training.
In the context of an internal DPO, in addition to the DPO's skills, the conflict of interest criteria must also be respected. A company director or executive cannot take on the role of DPO, as business interests and respect for personal data may conflict.
In practice, however, many company managers are registered as DPO with the CNIL (National Commission for Information Technology and Civil Liberties). This will carry no weight in the event of an inspection by the CNIL.
Your DPO must be open to business issues. Indeed, the DPO is a pilot, integrated into the company's thinking to find solutions that respect the rules and maximize value for the company.
📜 There are certifications recognized by the CNIL (National Commission for Information Technology and Civil Liberties) attesting to the training followed by the external DPO: Afnor, CESI, Apave, IAPP, LSTI, LCP, SGS, Bureau Veritas and PECB.
This is a sign of trust when hiring, or when signing a contract with a service company that provides an external DPO service. 🚀
The DPO may be appointed from within the organization. He or she may also carry out other activities within the organization. 🏢
However, there must be no conflict of interest, particularly if he or she is also responsible for processing personal data. Their other activities must also leave them sufficient time to carry out the role of DPO.
The organization must also be able to prove that the employee has the necessary skills, or will find the necessary support for any expertise he or she may lack.
The DPO can also be "external": he or she assumes the role but remains outside the organization. This ensures greater independence from the organization's management.
💼 External DPOs are also professionals for whom this is a day-to-day job: they are experienced and can interact easily with the DPO community.
Beware: the GDPR is recent, and levels of DPO training vary widely. Some DPO training courses last only a few days or weeks.
A DPO, whether internal or external, can be shared between several entities. This makes it possible to smooth out costs, standardize practices and share lessons on the subject between these entities. 📚
There are several advantages to outsourcing the DPO function:
An employee, even one working part-time on this subject, will often cost more than an external DPO. This advantage varies greatly, given the very wide range of rates for external DPOs and GDPR compliance services.
Compliance method and skills:
The main function of an external DPO is to act as DPO. He or she is trained, increasingly often certified, and sees many cases throughout the year. He or she also collaborates with other DPOs and shares the practices of his or her company (or DPO association, for freelancers).
There is also a risk in outsourcing the DPO function:
Less control over the service provider, whether a company, law firm or freelancer. The market today is highly heterogeneous in terms of skills and reliability. It's important to do your homework and get feedback from existing clients before committing to an external DPO.
The external DPO takes charge of all DPO activities. The role of the DPO is to ensure compliance with the rules governing personal data. This mainly involves the following activities:
Ensuring compliance in all areas of the company where personal data is processed:
Day-to-day actions of the DPO:
There are several types of actors who can take on the role of external DPO for your company, association or other type of organization:
Law firms:
These are the traditional players in GDPR compliance. The lawyers' training is reputed to be of a good standard. They carry out a method based on an initial audit. Fees are high.
GDPR firms and freelancers:
They are lawyers or people who have completed training on the GDPR and the DPO profession. They also use the traditional method. These players often rely on software that mainly helps to organize the work and formalize the processing register. However, these software packages do not produce the legal documents themselves, but rather offer a generic template. The quality of this "DPO + software" option is quite variable: it depends very much on the DPO you choose and his or her training. Rates are more affordable than with a GDPR law firm, but you often have to pay for both the DPO and the software.
Dipeeo:
Dipeeo brings together software and certified DPOs in the same company. The software automates the low value-added parts of compliance. Dipeeo thus makes GDPR compliance simple and provides day-to-day support from a referent certified DPO.
As the DPOs are trained and rely on a proven method and software, the quality delivered is very high. The automation functions save clients a great deal of time, notably by drastically reducing auditing time. And thanks to partial automation, prices are very affordable. The whole experience of GDPR compliance is transformed.
The appointment of a data protection officer is mandatory for:
📄 The CNIL (National Commission for Information Technology and Civil Liberties) recommends a good practice: as soon as an organization encounters issues relating to the protection of personal data, the appointment of a DPO is recommended to identify and coordinate actions.
"Thanks to Dipeeo, GDPR is accessible to Startups like us. Dipeeo offers a service that includes everything to do with GDPR compliance.
We know that the consequences are going to be very heavy if there is ever an inspection by the CNIL (National Commission for Information Technology and Civil Liberties) in the event of GDPR non-compliance. Dipeeo therefore helped us structure and organize the personal data we process.
Our start-up specializes in the digital sector, which is why we take GDPR seriously. Not to mention that being GDPR compliant allows us to have more trust with clients in such a way that they will feel more confident.
We are very satisfied with the quality of service provided by Dipeeo. They are always accessible and have enabled us to strengthen our brand image".