What is the role of a DPO?


Published on 15 March 2024

In the digital age, where personal data has become the new black gold, a new figure is emerging within companies: the Data Protection Officer (DPO).

In this article, we delve into the heart of the DPO's job, a role as strategic as it is indispensable, and show how the DPO orchestrates the protection of personal data.

The Data Protection Officer (Délégué à la Protection des Données in French) is a recent profession that covers several activities and has a cross-functional role within a company. The DPO's job is to maintain a complete overview of the personal data processing carried out in the company. The challenge, of course, is to control the risks associated with that processing, and to educate everyone involved (project managers, consultants, etc.) in good data protection and confidentiality practices.

But what does the DPO actually do?

It all starts with an understanding of the company's organization and the specifics of each business line. HR and finance departments do not handle the same data. IT services, which are essential to the smooth running of our teams, manage a considerable amount of data of their own.

Mapping personal data processing

To obtain an exhaustive overview of processing operations, the DPO draws up a map of personal data processing operations (the record of processing activities that the GDPR requires of controllers and processors).

Bear in mind that a first and last name, or even just an e-mail address, is already personal data: any operation carried out on it is a processing operation.

For a company like SQORUS, personal data processing is identified for all cross-functional departments (HR, Marketing, Administrative…), but also within each consulting division. Personal data is processed as part of fixed-price projects and Application Management. It is also essential to identify the personal data processing operations that our consultants carry out on behalf of their customers, where SQORUS acts as a processor.

Risk control and crisis management

This mapping is important for several reasons.

Firstly, it identifies the risk associated with each processing operation. For example, the risk is rather low when processing is carried out directly on a customer's computer, within the customer's own secure systems, with no possibility of transferring data to a third-party system.

However, when sensitive data is processed, or when data must be transferred to a third-party system for processing, securing that processing becomes crucial. An action plan must then be put in place to secure every stage, both organizationally and technically. It is at moments like these that the interweaving of personal data protection and cybersecurity comes into sharp focus: the DPO is the CISO's partner in securing information and data.

Secondly, this mapping is very important for crisis management, in the event of a cyber attack or data breach. Even well-established, certified companies get attacked. If, during an attack, we identify a vulnerability that has compromised one of the personal data processing operations we carry out on a customer's behalf, we must notify the data controller without undue delay.

The mapping must therefore also record the crisis contact for each processing operation, and we must keep in mind the contractual and regulatory deadlines for notifying the data breach to the CNIL (under the GDPR, within 72 hours of becoming aware of it, where feasible) and/or filing a complaint.

Impact analysis and risk management

As the company and its tools evolve, our internal projects also process personal data. GDPR compliance is therefore an integral part of the benchmark when choosing a new application or partner.

Upstream, it is important to carry out a data protection impact assessment (DPIA, or AIPD in French). During this assessment, we check the security of the software (authentication, data retention, etc.), the tool's certifications, the purpose of each processing operation we wish to implement, and so on. The depth of the analysis obviously depends on the complexity of the internal project.

Training and support for GDPR compliance

Another role of the DPO is to ensure that all employees are trained in the issues surrounding the processing of personal data. This training is provided in several ways: through mandatory e-learning modules, and through one-off sessions on compliance news, which explain the latest CNIL sanctions and the impact of new regulations on day-to-day work.

On the contractual side, the DPO supports the company in reviewing the GDPR clauses of contracts, and helps each party complete the data protection annexes. The Data Protection Officer has a good overview of the contractual, regulatory and operational aspects, and is therefore a key element of risk management on all three fronts.

Cybersecurity awareness

Finally, the role of the DPO is to emphasize the importance of good cybersecurity practices.
Indeed, effective protection of personal data cannot be dissociated from a global security policy.

Cybersecurity rests on three fundamental pillars: people, software and hardware.
At the heart of this triad, the human element is the first line of defense.

It is crucial to adopt a cautious attitude, especially to thwart phishing and other social-engineering attempts, which are the most common threats.
It is also imperative to deploy software protections such as virtual private networks (VPNs) for remote connections and antivirus software, and to apply security updates promptly and regularly.
Finally, vigilance regarding hardware is essential: devices should be locked or secured when not in use, and trusted, secure Wi-Fi connections should be preferred.
These measures, while essential, are not an exhaustive list of the actions needed to guarantee optimum IT security.

How do you become a DPO?

According to the latest AFCDP barometer, 53% of DPOs come from a legal or IT background. The remaining 47% come from administrative and financial functions, quality, or compliance and audit.
Rigor is essential in this role. That said, every career path is unique and has its own strengths to build on.

Conclusion on the role of a DPO

As you can see, the Data Protection Officer must have a good knowledge of the company's various departments.
He or she must understand the challenges and processes of each department, and be able to work closely with senior management, because the DPO's recommendations have an impact on the organization's overall strategy.

The DPO's versatility doesn't stop there.
He or she must also have a thorough knowledge of data protection legislation, and be able to interpret laws and regulations and apply them to the company.

Finally, the DPO must have project management skills: the ability to plan and manage the company's data protection initiatives, monitor their progress and ensure they are carried out successfully.
He or she must also be able to manage personal data security incidents and coordinate the company's response.
