DPO or data protection officer: role, competence, appointment

What is a DPO, or data protection officer?🤔

A DPO or data protection officer assists the controller or processor in GDPR compliance. 🚀

A data controller is the person who processes personal data. Example: newsletter subscription via email ✉

The GDPR aims to frame practices to ensure respect for citizens' personal data.

The DPO (or DPD) appeared with the GDPR in 2018. His role, skills, obligations have been shaped by the GDPR. 📜

What is the role of the data protection officer?🔒

🎯 The DPO ensures compliance with the rules on personal data for the organization by which he or she has been appointed. The DPO's role revolves around 4 axes:

1. Advising and supporting: providing expertise and disseminating RGPD📜 culture and compliance.
2. Control: the DPO may check personally or commission an external audit to ensure compliance. ⚖
3. The organization's point of contact for all matters relating to the protection of personal data:

• With the CNIL (National Commission for Information Technology and Civil Liberties) :
  • The DPO facilitates exchanges with the CNIL (National Commission for Information Technology and Civil Liberties) , and can question it on any issue. The CNIL (National Commission for Information Technology and Civil Liberties) will refuse to respond to a data controller who has not first consulted his DPO. The DPO will be the main point of contact in the event of an inspection or complaint, but cannot represent the organization alone.
• With the persons whose personal data are processed:
  • He handles all requests. These may be requests for access rights, or any other questions they may have about their data.

4. The DPO ensures the documentation of data processing 📊

Documentation is a pillar of the GDPR , making it possible in particular to be able to comply with the rules and prove it in the event of an audit. This is the "accountability" principle 🚀

Numerous elements must therefore be integrated into the documentation, including: the data processing register, data breach register, information notices, subcontracting contracts, etc.

The DPO ensures that this documentation is kept, the main purpose of which is to steer compliance. 🎯

Is the appointment of a DPO mandatory?

The appointment of a data protection officer is mandatory for :

• public authorities or bodies (with the exception of courts in the exercise of their jurisdictional functions);
• organizations whose core activities require them to carry out regular and systematic monitoring of individuals on a large scale;
• organizations whose core business involves large-scale processing of sensitive data or data relating to criminal convictions and offenses.

📄 The CNIL (National Commission for Information Technology and Civil Liberties) recommends a good practice: as soon as an organization encounters issues relating to the protection of personal data, the appointment of a DPO is recommended to identify and coordinate actions.

Data protection officer: internal or external👀

Internal

The DPO may be appointed from within the organization. He or she may also carry out other activities within the organization. 🏢

However, there must be no conflict of interest, particularly if he becomes responsible for a processing operation or type of processing. His other activities must also leave him sufficient time to carry out his role as DPO.

External

The DPO can be shared between several organizations, or "external". This ensures greater independence from the organization's management.

💼 They are also DPOs whose day-to-day job it is, experienced and who can easily interact with their DPO community. Beware, however, as the GDPR is recent, the levels of DPO training are very heterogeneous. Some DPO training courses only last a few days or weeks.

Shared

A DPO, whether internal or external, can be shared between several entities. This makes it possible to smooth out costs, standardize practices and share lessons on the subject between these entities. 📚

What skills and certifications are needed to become a data protection officer?💼

There's no such thing as a typical profile, but there are a number of prerequisites. In order to fulfill their role, they need to know the following:

• Legal and technical expertise on data protection
• Knowledge of the organization's business sector, industry regulations and the organization itself
• processing operations, information systems and the organization's data protection and security requirements

🗒 This is a short list of requirements, but it describes a profile that is very rarely represented in companies. In case of partial lack, the DPO can be trained. He or she can also call on internal or external expertise.

Beyond knowledge, the DPO's profile is also important: integrity, ethics.

He must also be a good pilot able to communicate, popularize and convince. ⭐

🔑 It's key for a company that its DPO is also open to business.

In effect, the DPO is a pilot, integrated into the company's thinking to find solutions that respect the rules and maximize value for the company!

In some companies, there are projects necessary to the company's growth that have been stopped for a GDPR"blockage". We need to be vigilant on this point.

🔎 Today, the professions from which DPOs come are varied: 28% technical profiles, 28% legal profiles and 44% administrative, financial or audit profiles.

 The following certifications are recognized by the CNIL (National Commission for Information Technology and Civil Liberties) and attest to the training received by the DPO:Afnor, CESI certification, Apave certification, iapp, lsti, LCP, SGS, Bureau Veritas and PECB.

This is a sign of trust when hiring or signing a contract with a service company that provides an outsourced DPO service.🚀

What are the data protection officer's responsibilities?🔑

🏹 The DPO is not responsible for non-compliance with the GDPR within the organization that appointed him. It is the controller who is responsible. In the same way, the processor is responsible for compliance with its obligations vis-à-vis the GDPR.

However, he may be held criminally Accountability if he intentionally violates the criminal provisions, or as an accomplice if he helps the controller or processor to violate these criminal provisions. ❌

The DPO is bound by professional secrecy or an obligation of confidentiality. This must be written into his or her contract or into the service contract.

Designation of the DPO 🏆

The choice of DPO must take into account all the points mentioned above, so that he or she can fulfill his or her role to 100%.

⭐ For the success of his missions, it is important to formalize the Data Protection Officer's activities in a mission letter for an internal DPO or a service provision contract in the case of an external DPO.

Communication must take place within the organization to inform of the appointment (email, intranet, posters, etc.). Every employee/member must understand the role of the DPO and be aware that a policy on the subject is in place. He or she must also be identified and contactable. 💻

The DPO must be appointed by the CNIL (National Commission for Information Technology and Civil Liberties) ) via the CNIL (National Commission for Information Technology and Civil Liberties) 's dedicated " online appointment " space if the organization is located in France, otherwise by the competent supervisory body. The list of DPOs and the organization to which they are attached is available on the CNIL (National Commission for Information Technology and Civil Liberties) website " Organizations that have designated a data protection officer (DPD/DPO) - data.gouv.fr". 

Download the GDPR practical guide for data protection officers :

GDPR Practical Guide - Data Protection OfficersCNIL (National Commission for Information Technology and Civil Liberties).fr)

Dipeeo' s GDPR compliance service includes the appointment of a dedicated DPO for each of our clients, Afnor certified and appointed with the CNIL (National Commission for Information Technology and Civil Liberties), in charge of all GDPR compliance and single point of contact on the subject