What is the role of a DPO?

In the digital age, where personal data has become the new black gold, a new figure is emerging within companies: the Data Protection Officer (DPO).

In this article, delve into the heart of the DPO’s job, a role as strategic as it is indispensable, and discover how it orchestrates the security of personal data.

IT Strategy


PMO Consultant and DPO, SQORUS

The Data Protection Officer is a recent profession that covers several activities and plays a cross-functional role within a company. The DPO's role is to have a complete view of the personal data processing carried out within the company. The challenge is, of course, to control the risks associated with this processing and to educate every stakeholder (project manager, consultant, etc.) in good data protection and confidentiality practices.

But in concrete terms, what does the DPO do?

Everything starts with understanding how the company is organized and the specifics of each business line. HR departments and finance departments do not handle the same data. As for IT departments, an essential pillar of the teams' day-to-day operation, they manage a considerable quantity of data.


Mapping personal data processing

To obtain an exhaustive overview of processing operations, the DPO draws up a map of personal data processing operations.

As I regularly remind you, it takes very little to be processing personal data: a first and last name, or simply an e-mail address, is enough.

For a company like SQORUS, personal data processing is identified for all cross-functional functions (HR, Marketing, Administrative…), but also within each consultant division. Personal data is processed as part of fixed-price projects and Application Management. But it is also essential to identify the personal data processing operations carried out by third-party consultants on behalf of their customers.


Risk control and crisis management

This mapping is important for several reasons:

Firstly, it identifies the risk associated with each processing operation. For example, the risk is rather low when processing is carried out directly on a customer's computer, within the customer's own secure systems, with no possibility of transferring data to a third-party system.

However, when sensitive data is processed, or when data has to be transferred to a third-party system for processing, it is crucial to secure that processing. An action plan must then be put in place to secure every stage, both organizationally and technically. It is at times like these that the interweaving of personal data processing and cybersecurity comes into sharp focus. The DPO is the CISO's partner in securing information and data.

Secondly, this mapping is very important for crisis management, in the event of a cyber attack or data breach. As recent events show, even solid, certified companies come under attack. If, during an attack, we identify a vulnerability that has compromised one of our personal data processing operations, we must contact the data controller as soon as possible.

In the mapping, we therefore also need to include the crisis contact for each processing operation, and keep in mind the contractual and regulatory deadlines for declaring the data breach to the CNIL and/or filing a complaint.


Impact analysis and risk management

As the company evolves and so do its tools, we process personal data in our internal projects. GDPR compliance is an integral part of benchmarking when choosing a new application or partner.

Upstream, it is important to carry out a Data Protection Impact Assessment (DPIA, known in French as an AIPD). During this analysis, we need to check the security of the software (authentication, data retention, etc.), the tool's certifications, the purpose of each processing operation we wish to implement, and so on. The depth of the analysis obviously depends on the complexity of the internal project.


Training and support for GDPR compliance

Another role of the DPO is to ensure that all employees are trained in the issues surrounding the processing of personal data. This training is provided in a number of ways: through access to mandatory e-learning training, and through one-off training sessions on compliance news, to explain the latest CNIL sanctions and the impact of new regulations on day-to-day work.

On the contractual side, the role of the DPO is to support the company in reviewing the GDPR clauses of its contracts, and to help each stakeholder complete the annexes dedicated to the subject. The Data Protection Officer has a good overview of the contractual, regulatory and operational aspects, and is therefore a key element of risk management in all three respects.


Cyber security awareness

Finally, the role of the DPO is to emphasize the importance of good cybersecurity practices. Indeed, effective protection of personal data cannot be dissociated from a global security policy.

Cybersecurity rests on three fundamental pillars: people, software and hardware. At the heart of this triad, the human element is the first line of defense.

It is crucial to adopt a cautious approach, especially to thwart phishing attempts, which represent the most common threat. It is also imperative to install software protections such as VPNs and antivirus software, without forgetting to apply the necessary updates on a regular basis.
Finally, it is essential to be vigilant with your equipment: secure it when it is not in use, and opt for reliable, secure Wi-Fi connections. These measures, while essential, are not an exhaustive list of the actions needed to guarantee optimum IT security.


How do you become a DPO?

According to the latest AFCDP barometer, 53% of DPOs come from a legal or IT background. The remaining 47% come from administrative and financial functions, quality, or compliance and audit.
Rigor is essential in this role. Nevertheless, it is important to recognize that every career path is unique and has its own strengths to build on.


Conclusion on the role of a DPO

As you can see, the Data Protection Officer needs to have a good knowledge of the company's various departments. He or she must understand the challenges and processes of each department, and be able to work closely with the company's senior management, since his or her recommendations will have an impact on the organization's overall strategy.

The DPO's versatility doesn't stop there. He or she must also have a thorough knowledge of data protection legislation, and be able to understand and interpret laws and regulations and apply them to the company.

Finally, the DPO must have project management skills. He or she must be able to plan and manage the company's data protection initiatives, monitor their progress and ensure that they are carried through to a successful conclusion. He or she must also be able to manage data security incidents and coordinate the company's response.


