External DPO: the right choice to ensure GDPR compliance

The Data Protection Officer, created by the GDPR in 2018, is there to support you in your GDPR compliance.

Should I choose an external DPO? If so, how?

What is an external DPO?

A DPO or Data Protection Officer whether internal or external assists the controller or processor in GDPR compliance. 🚀

A data controller is the person who processes personal data. Example: newsletter subscription via email ✉

The GDPR aims to frame practices to ensure respect for citizens' personal data.

The DPO (or DPD) appeared with the GDPR in 2018. His role, skills, obligations have been shaped by the GDPR. 📜

Appoint your external DPO at the CNIL (National Commission for Information Technology and Civil Liberties))

All DPOs must be registered with the CNIL (National Commission for Information Technology and Civil Liberties) on this link. The list of DPOs appointed by the CNIL (National Commission for Information Technology and Civil Liberties) is publicly available available on the CNIL (National Commission for Information Technology and Civil Liberties) website. . 

Internal communication within your company (or other type of organization) is recommended.

All employees must be aware of his presence, his activities and the fact that he can be contacted for any matter concerning personal data.

Find out more about the role of external DPO

🎯The DPO ensures compliance with the rules on personal data for the organization by which he or she has been appointed. The DPO's role revolves around 4 axes:

1. Advising and supporting: providing expertise and disseminating RGPD📜 culture and compliance.
2. Control: the DPO may check personally or commission an external audit to ensure compliance. ⚖
3. The organization's point of contact for all matters relating to the protection of personal data:

• With the CNIL (National Commission for Information Technology and Civil Liberties) :

- The DPO facilitates exchanges with the CNIL (National Commission for Information Technology and Civil Liberties) , and can question it on any issue. The CNIL (National Commission for Information Technology and Civil Liberties) will refuse to respond to a data controller who has not first consulted his DPO. The DPO will be the main point of contact in the event of an inspection or complaint, but cannot represent the organization alone.

• With the persons whose personal data are processed:

-He handles all requests. These may be requests for access rights, or any other questions they may have about their data.

4. Produce the necessary documents for GDPR compliance 📊

-Documentation is a pillar of the GDPR , enabling us to comply with the rules and prove it in the event of an audit. This is the principle of " accountability ". 🚀

-Numerous elements therefore need to be integrated into the documentation, including: the data processing register, data breach register, information notices, subcontractingcontracts, etc. 

The DPO drafts all the legal documents required for the organization's GDPR compliance: privacy policies, cookie policies, GDPR contractual clauses, GDPRcharter... 🎯

What skills and certifications are needed to become an external DPO? 💼

There's no such thing as a typical profile, but there are a number of prerequisites. In order to fulfill their role, they need to know the following:

• Legal and technical expertise on data protection
• Knowledge of the organization's business sector, industry regulations and the organization itself
• processing operations, information systems and the organization's data protection and security requirements

🗒 This is a short list of requirements, but it describes a profile that is very rarely represented in companies. In case of partial lack, the DPO can be trained. He or she can also call on internal or external expertise.

Beyond knowledge, the DPO's profile is also important: integrity, ethics. He or she must also be a good pilot capable of communicating, popularizing and convincing. ⭐

🔑 It's key for a company that its DPO also has a great openness to business. Indeed, the DPO is a pilot, integrated into the company's thinking to find solutions that respect the rules and maximize value for the company!

In some companies, there are projects necessary to the growth of the business that have been stopped for a GDPR"blockage". We need to be vigilant on this point.

🔎 Today, the professions from which DPOs come are varied: 28% technical profiles, 28% legal profiles and 44% administrative, financial or audit profiles.

Who can become an external DPO?

External DPO certification

There is no mandatory certification or diploma mentioned in the GDPR to be DPO. However, the CNIL (National Commission for Information Technology and Civil Liberties) may take action against the appointment of a DPO who does not have the skills required to carry out the activities of the Data Protection Officer.

External DPO skills

A legal background in IT and/or data protection is considered necessary. A good knowledge of IT is also required to be able to orchestrate the so-called technical activities, notably for security, cookies and data deletion.

There are many GDPR training courses or certified DPO training courses, some of which are particularly recognized and a guarantee of trust, such as Afnor's certified DPO training.

No conflict of interest

In the context of an internal DPO, in addition to the DPO's skills, the conflict of interest criteria must also be respected. A company director or executive cannot take on the role of DPO, as business interests and respect for personal data may conflict.

However, many of our managers are registered with the CNIL (National Commission for Information Technology and Civil Liberties). This will be of no value in the event of an inspection by the CNIL CNIL (National Commission for Information Technology and Civil Liberties).

Openness to operations

Your DPO must be open to business issues. In effect, the DPO is a pilot, integrated into the company's thinking to find solutions that respect the rules and maximize value for the company.

What is the profile of an external DPO?

📜 There are certifications recognized by the CNIL (National Commission for Information Technology and Civil Liberties) attesting to the training followed by the external DPO: theAfnor, CESI certification, Apave certification, iapp, lsti, LCP, SGS, Bureau Veritas and PECB.

This is a sign of trust when hiring or signing a contract with a service company that provides an external DPO service.🚀

Choosing an external or internal DPO? 👀

Internal

The DPO may be appointed from within the organization. He or she may also carry out other activities within the organization. 🏢

However, there must be no conflict of interest, particularly if he or she becomes responsible for processing personal data. His other activities must also leave him sufficient time to carry out his role as DPO. 

The organization must also be able to prove that the employee has the necessary skills or will find the necessary support for any expertise he or she may lack.  

External

The DPO can be called "External". He or she assumes the role, but remains external to the organization. This ensures greater independence from the organization's management.

💼 They're also DPOs whose day-to-day job it is, experienced and who can interact easily with their DPO community.

Beware, the GDPR is recent, levels of DPO training are very heterogeneous. Some DPO training courses only last a few days or weeks.

Shared

A DPO, whether internal or external, can be shared between several entities. This makes it possible to smooth out costs, standardize practices and share lessons on the subject between these entities. 📚

Why outsource the DPO function?

There are several advantages to outsourcing the DPO function:

Cost:

An employee, even part-time on this subject, will often have a higher cost than an external DPO. This advantage is highly variable, given the very wide range of rates for external DPOs or GDPR compliance.

The compliance method, skills :

The main function of an external DPO is to act as DPO. He or she is trained, certified (increasingly so) and sees many cases throughout the year. He also collaborates with other DPOs and shares the practices of his company (or association of DPOs for freelancers).

There is also a risk in outsourcing the DPO function:

The company, law firm or freelance service provider has less control. The market today is highly heterogeneous in terms of skills and reliability. It's important to do your homework and get feedback from existing clients before committing to an external DPO.

What services does the external DPO provide and what are the associated deliverables?

The external DPO takes charge of all DPO activities. The role of the DPO is to ensure compliance with the rules governing personal data. This mainly involves the following activities:

Ensuring compliance in all areas of the company where personal data is processed:

• application, digital platform
• website
• structural compliancee.g HR policy, commercial prospecting)
• compliance of technical service providerse.g audit of technical service providers)
• conformity of the structure as a processor e.g DPA integrated into the GTC)
• compliance of transfers outside the EUe.g standard contractual clauses)
• team awareness-raisinge.g quizzes, information sessions)
• register of processing activities
• drafting of all necessary legal documentse.g privacy policy, cookies policy, registers, etc.)

Day-to-day actions of the DPO :

• Answers to GDPR questions from employees, clients, complaints. Drafting of documents containing GDPR clauses such as calls for tender, contracts, etc.
• contingency managemente.g : piracy, new products, development, new service providers, etc.)
• it is the contact point for the CNIL (National Commission for Information Technology and Civil Liberties) ) on all matters relating to personal data

Key points to check when selecting your external DPO :

1. Check the training of the external DPO who will be working with you on a daily basis. Don't rely solely on the expert or manager you meet during an interview.
2. Check the scope of intervention. Partial compliance is pointless; it's important to check that all aspects of GDPR compliance are present. processors Is the external DPO appointed by the CNIL (National Commission for Information Technology)? CNIL (National Commission for Information Technology and Civil Liberties) What legal documents are delivered? Do I have to pay for each new document requested?
3. Ask several GDPR questions related to your context to fully understand how the topics are handled.Ask to contact one of the company or law firm's clients . If one of the two subjects turns out to be complex, beware!

Who can become your external DPO?

There are several types of actors who can take on the role of external DPO for your company, association or another type of actor:

Law firms :

These are the traditional players in GDPR compliance. The lawyers' training is reputed to be of a good standard. They carry out a method based on an initial audit. Fees are high.

GDPR firms and freelancers:

They are lawyers or people who have completed training on the GDPR and the DPO profession. They also use the traditional method. These players often rely on software that mainly helps to organize the work and formalize the processing register. However, these software packages do not produce the legal documents themselves, but rather offer a generic template. The quality of this "DPO + sotfware" option is quite variable. It depends very much on the DPO you choose, and his or her training. Rates are more affordable than with a GDPR law firm, but you often have to pay for the DPO and the software.

Dipeeo :

Dipeeo brings together sofware and certified DPOs, e.g, in the same company. The software automates the low value-added parts of compliance. Dipeeo thus makes GDPR compliance simple and provides day-to-day support from a referent certified DPO.

As the DPOs are trained and rely on a proven method and software, the quality delivered is very high. The automation functions save clients a great deal of time, notably by drastically reducing auditing time. And thanks to partial automation, prices are very affordable. The whole experience of GDPR compliance is transformed.

Is the appointment of an external DPO compulsory?🔥

The appointment of a data protection officer is mandatory for :

• public authorities or bodies (with the exception of courts in the exercise of their jurisdictional functions);
• organizations whose core activities require them to carry out regular and systematic monitoring of individuals on a large scale;
• organizations whose core business involves large-scale processing of sensitive data or data relating to criminal convictions and offenses.

📄 The CNIL (National Commission for Information Technology and Civil Liberties) recommends a good practice: as soon as an organization encounters issues relating to the protection of personal data, the appointment of a DPO is recommended to identify and coordinate actions.

Testimonial from a customer assisted by Dipeeo's external DPO

Thanks to Dipeeo, GDPR is accessible to Startups like us. Dipeeo offers a service that includes everything to do with GDPR compliance. 

We know that the consequences are going to be very heavy if there is ever an inspection by the CNIL (National Commission for Information Technology and Civil Liberties) in the event of GDPR non-compliance. Dipeeo therefore helped us structure and organize the personal data we process. 

Our start-up specializes in the digital sector, which is why we take GDPR seriously. Not to mention that being GDPR compliant allows us to have more trust with clients in such a way that they will feel more confident. 

We are very satisfied with the quality of service provided by Dipeeo. They are always accessible and have enabled us to strengthen our brand image".