Data Protection Officer (DPO): what roles and missions?

Which organizations and companies are required to appoint a data protection officer?

Three types of institutions are required to designate a delegate. These are public bodies and establishments, structures carrying out regular and systematic monitoring of individuals as part of their day-to-day activities, and bodies that process “sensitive” data on a large scale (health status of individuals, criminal convictions, etc.).

Article 29 of the Data Protection Directive of October 24, 1995 created a group called “G29” which associates all the independent authorities of the member states of the Union, including the French Commission Nationale de l’Informatique et des Libertés(CNIL). Among other things, this group clarified the concepts of “large scale” and “regular and systematic” treatment.

The thresholds used here may refer to the number of data items processed, their level of sensitivity or their geographical scope. In addition, the G29 Working Party strongly recommends that organizations that have to process personal data but do not fall into one of the three categories listed above, still appoint a DPO.

Profile and skills required

Article 37.5 of the GDPR specifies that persons with professional qualifications and knowledge of the law and practices applicable to the processing of personal data may be appointed as DPO. In addition, the delegate must be familiar with the sector of activity concerned, the information systems deployed and the nature and sensitivity of the data processed.

He/she must also be able to lead a cross-functional network, including in the group’s subsidiaries, and be positioned internally to interact with management bodies.

Finally, the delegate exercises his or her missions in complete independence and free of any conflict of interest. There is no standard profile for a Data Protection Officer. Some have a more legal background, others more technical.

The installation of the Data Protection Officer (DPO)

The public or private organization must put in place all the necessary means at the disposal of its DPO. The delegate must have access to all relevant information and be able to intervene freely within all the group’s departments and divisions, be involved in each project that has an impact on the protection of personal data and have access to material resources.

Moreover, its independence must be guaranteed. Thus, the exercise of another mission must not place him in a position of conflict of interest. The delegate shall not be subject to any undue pressure or instruction. It is quite possible that a DPO intervenes in several companies. This will further enhance its level of specialization. Finally, the CNIL’s computer server provides interested organizations with a remote service that makes it easy to appoint a DPO. The designation will be effective the day after the online declaration.

The missions of the data protection officer

Immediately after taking office, the Data Protection Officer shall make an inventory of the data processed and assess the systems put in place by the organization and its processors. On this basis, it draws up a risk map and defines the basis of the personal data processing policy to be implemented. It mobilizes and sensitizes data processors and, if necessary, proposes the deployment of a training plan.

Once the European regulation has been implemented at the level of the organization, the data protection officer ensures compliance with the General Data Protection Regulation (RGPD) by carrying out a control mission, advising staff and management bodies, proposing impact studies and answering questions from people wishing to know and assert their rights in terms of personal data protection. While the DPO is responsible for monitoring compliance with the RGPD, he or she cannot be held liable for any lack of compliance found.

Finally, the Data Protection Officer is the privileged contact point for the supervisory authority. The organization must be able to demonstrate through documentation that the provisions of the RGPD have been complied with, upon request from the supervisory authority. This will include making available data logs or the results of impact assessments conducted. Contracts with subcontractors, as well as the information provided to users or customers about their rights and the collection of their consent, will also be subject to scrutiny.

The DPO facilitates the work of the supervisory authority by providing access to these documents and information. If necessary, he can ask the authority for advice in the performance of his duties.

Also read in our report on HR – Finance – IT issues and innovations:

• Generation Y is changing the way work is organized: an opportunity for companies!
• Candidate experience: still a central issue for HR departments in 2020
• Corporate training: a transformation in progress?
• Continuous feedback: towards a new management style?
• HR innovation: what can we expect in the coming years?
• Big data and BI: from predictive to prescriptive analysis
• Infrastructure as code: why is it a key IT issue for the future?
• IT containerization is changing application development
• Low code platform: the future of application development?
• SOA and microservices: what are the benefits for an enterprise?
• Performance management: CFOs’ priority for 2020
• The finance department is always at the heart of digital transformation
• Risk management, cash management: what challenges for CFOs in 2020?