What is the role of a DPO?

Published on 15/03/2024 | Updated on 20/08/2024

In the digital age, where personal data has become the new black gold, a new figure is emerging within companies: the Data Protection Officer (DPO).

In this article, delve into the heart of the DPO’s job, a role as strategic as it is indispensable, and discover how it orchestrates the security of personal data.

The Data Protection Officer (Délégué à la Protection des Données) is a recent profession which covers several activities and plays a cross-functional role within a company. The DPO’s task is to maintain a complete overview of personal data processing within the company. The challenge, of course, is to control the risks associated with such processing, and to educate everyone involved (project managers, consultants, etc.) in good data protection and confidentiality practices.

But what does the DPO actually do?

It all starts with an understanding of the company’s organization and the specifics of each business line. HR and finance departments do not handle the same data. As for IT services, which are essential to the smooth running of our teams, they manage a considerable amount of data.

Mapping personal data processing

To obtain an exhaustive overview of processing operations, the DPO draws up a map of personal data processing operations.

As I regularly remind you, all you need to process personal data is a first and last name, or just an e-mail address.

For a company like SQORUS, personal data processing is identified for all cross-functional functions (HR, Marketing, Administrative…), but also within each consultant division. Personal data is processed as part of fixed-price projects and Application Management. But it is also essential to identify the personal data processing operations carried out by third-party consultants on behalf of their customers.

Risk control and crisis management

This mapping is important for several reasons:

Firstly, it identifies the risk associated with each processing operation. For example, the risk is rather low when processing is carried out directly on a customer’s computer, within its own secure systems, with no possibility of transferring data to a third-party system.

However, when sensitive data is processed, or when data must be transferred to a third-party system for processing, it is crucial to secure that processing. An action plan must then be put in place to secure every stage, both organizationally and technically. It is at times like these that the interweaving of personal data processing and cybersecurity comes into sharp focus: the DPO is the CISO’s partner in securing information and data.

Secondly, this mapping is very important for crisis management, in the event of a cyber attack or data breach. As we can see, even solid, certified companies come under attack. If, during an attack, we identify a vulnerability that has compromised one of our personal data processing operations, we must contact the data controller as soon as possible.

In the mapping, we therefore also need to record the crisis contact for each processing operation, and keep in mind the contractual and regulatory deadlines for notifying the data breach to the CNIL and/or filing a complaint.

Impact analysis and risk management

As the company and its tools evolve, we also process personal data in our internal projects. GDPR compliance is an integral part of the benchmarking carried out when choosing a new application or partner.

Upstream, it is important to carry out an impact analysis, or AIPD (Analyse d’Impact relative à la Protection des Données, the French term for a Data Protection Impact Assessment). During this analysis, we need to check the security of the software (authentication, data retention, etc.), the tool’s certifications, the purpose of each processing operation we wish to implement, and so on. The depth of the analysis obviously depends on the complexity of the internal project.

Training and support for GDPR compliance

Another role of the DPO is to ensure that all employees are trained in the issues surrounding the processing of personal data. This training is provided in a number of ways: through mandatory e-learning modules, and through one-off training sessions on compliance news, to explain the latest CNIL sanctions and the impact of new regulations on day-to-day work.

On the contractual side, the DPO’s role is to support the company in reviewing the GDPR clauses of contracts, and to help each party complete the annexes dedicated to data protection. The Data Protection Officer thus has a good overview of the contractual, regulatory and operational aspects, and is a key player in risk management on all three fronts.

Cyber security awareness

Finally, the role of the DPO is to emphasize the importance of good cybersecurity practices. Indeed, effective protection of personal data cannot be dissociated from a global security policy.

Cybersecurity rests on three fundamental pillars: people, software and hardware. At the heart of this triad, the human element is the first line of defense.

It is crucial to adopt a cautious attitude, especially to thwart phishing attempts, which represent the most common threats. It is also imperative to install software protections such as virtual private networks (VPNs) and antivirus software, and to apply the necessary updates on a regular basis. Finally, vigilance regarding hardware is essential: devices should be secured when not in use, and reliable, secure Wi-Fi connections should be preferred. It is important to stress that these measures, while essential, do not constitute an exhaustive list of the actions needed to guarantee optimum IT security.

How do you become a DPO?

According to the latest AFCDP barometer, 53% of DPOs come from a legal or IT background. The remaining 47% come from administrative and financial functions, quality, or compliance and audit. Rigor is essential in this role. Nevertheless, it is important to recognize that every career path is unique and has its own strengths to build on.

Conclusion on the role of a DPO

As you can see, the Data Protection Officer must have a good knowledge of the company’s various departments. He or she must understand the challenges and processes of each department, and be able to work closely with the company’s senior management, since the DPO’s recommendations will have an impact on the organization’s overall strategy.

The DPO’s versatility doesn’t stop there. He or she must also have a thorough knowledge of data protection legislation, and be able to understand and interpret laws and regulations and apply them to the company.

Finally, the DPO must have project management skills. He or she must be able to plan and manage the company’s data protection initiatives, monitor their progress and ensure that they are carried out successfully. He or she must also be able to manage data security incidents and coordinate the company’s response.
