DPO, a key role in the protection of personal data
Who is the DPO? Behind the acronym Data Protection Officer lies a person with a central role in data protection. As the guarantor of compliance with the General Data Protection Regulation (GDPR), the DPO is responsible for ensuring that the Regulation is properly applied.
Responsible for personal data protection and for monitoring the organisation's information systems, the DPO is a multifaceted job. What are the responsibilities of this hybrid profile, which calls for both legal and IT skills?
To find out more, read on to learn how the role is defined, what it covers, how DPOs carry out their duties and what training is available to become this "data champion".
The DPO: definition
What are DPOs?
DPOs (Data Protection Officers), or DPDs (Délégués à la protection des données) in French, are people appointed within a company or public body to ensure that its processing of personal data complies with the European General Data Protection Regulation, which has applied since 25 May 2018.
The appointment of this "super controller" of data processing is one of the major measures introduced by the Regulation, aimed at organisations whose activities affect the protection of personal data.
The DPO is the successor to the Correspondant Informatique et Libertés (CIL), whose remit has been extended (particularly in terms of risk assessment). As the CNIL's point of contact, the DPO is involved in all issues relating to the protection of personal data and has the role of facilitating the compliance of the organisation's activities in this area.
Who can be DPO?
Depending on the organisation's activities and internal structure, the DPO may be:
- a member of the organisation they advise (e.g. an employee of the company);
- a person appointed on behalf of several organisations, whose position is pooled across different structures;
- an external consultant or legal expert.
ℹ️ Using an external provider is a worthwhile option, but it is not essential if the position can be filled internally by an employee with the required qualifications.
It all depends on the size and structure of your organisation, the workload of the people involved, and whether you decide to recruit a suitably qualified person directly.
In all cases, the DPO must be given the resources needed to carry out their duties properly and independently.
The DPO: compulsory or not?
The appointment of a data protection officer by the controller and by the processor is compulsory under the conditions set out in Article 37 of the Regulation, namely when:
- the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- the organisation's core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale;
- the organisation's core activities consist of large-scale processing of special categories of data (such as data relating to a person's health, religion, political opinions or trade union membership) or of data relating to criminal convictions and offences.
The company or organisation must appoint the data protection officer, but this does not necessarily have to be done in writing. On the other hand, Article 37 requires the organisation to publish the DPO's contact details and to communicate them to the supervisory authority, which must have easy access to them.
💡 The obligation is assessed separately for the controller and for the processor: the fact that the controller meets the criteria for mandatory designation does not by itself oblige its processor to appoint a DPO, and vice versa.
What is the role of the DPO?
The DPO is the reference person for data protection: they ensure that the organisation's activities comply with the GDPR and receive all requests relating directly or indirectly to data protection.
Their main roles within the company or organisation to which they have been appointed are as follows:
- relaying all information on the processing of personal data to all teams;
- checking compliance with European regulations and French data protection law;
- advising the organisation on its data protection impact assessments (DPIAs) and monitoring their performance;
- acting as the point of contact for all data subjects (employees, customers, partners, etc.) in the event of any queries;
- cooperating with the national supervisory authority, such as the CNIL in France.
The DPO in everyday life
Their duties are described:
- in the DPO job description and the standard letter of appointment made available to companies on the website of the AFCDP (the French association of data protection officers);
- in the guidelines published by the Article 29 Working Party (G29), the group of European supervisory authorities since replaced by the European Data Protection Board.
Typical tasks
The DPO performs a cross-functional role within the company, combining communication, diplomacy and project management. Their activities revolve around three main areas:
✔︎ Information and communication
- communicating internally on their role and status;
- keeping up to date with topics relating to personal data (legal, technical, sectoral, etc.) and information systems security;
- raising awareness among data controllers, management and employees;
- running training courses for the departments concerned;
- drawing up documentation.
✔︎ Process mapping
- mapping processing operations;
- assessing risks;
- setting up the register of processing activities;
- organising internal procedures.
✔︎ Compliance
- coordinating the compliance of existing processing operations;
- monitoring or managing the actions involved in assessing how far each personal data processing operation complies;
- conducting audits to identify any cases of non-compliance;
- checking compliance with the legal framework and the application of best practice in personal data protection;
- alerting the organisation to the risk of data breaches.
☝️ It should be noted that DPOs often carry out their duties on a part-time basis (only 54.8% hold the role at half-time or more).
DPO toolbox
Online resources and documentation:
- the General Data Protection Regulation;
- the CNIL's practical information sheets;
- everything you need to know about the DPIA (AIPD in French).
Software to help the DPO with their tasks:
- Adequacy;
- DPO.run;
- RGPD Manager.
How to become a Data Protection Officer?
DPO: training
However recent it may be, this key corporate function can be considered a job in its own right, as 89% of DPOs believe.
DPOs come from a variety of technical, legal and risk-management backgrounds. They are mainly IT specialists (34.9%) or legal experts (31.1%), alongside a range of other profiles (34%), according to a study by AFPA for the French Ministry of Labour.
To carry out their duties, DPOs must have specialist knowledge of personal data protection law as well as a solid grounding in IT.
It goes without saying that the DPO also needs a thorough knowledge of the organisation in which they work and of its internal procedures, across the various departments involved: marketing, HR, product, legal, business, etc.
Aspiring DPOs can choose from a range of training courses, including:
- a specialised Master's degree, such as the ISEP programme in Management and Protection of Personal Data, the first long-format DPO course in Europe;
- certification under the CNIL's DPO certification scheme;
- recognised training in data protection (Informatique et Libertés) or the GDPR;
- industry- or sector-specific training.
The AFCDP website provides a more exhaustive list of diploma courses leading to this profession. It should be noted that the Ministry of Labour is still working to professionalise this function.
DPO: salary
As this is still a new profession, pay levels vary considerably. According to the AFCDP, the gross monthly salary is between €2,500 and €4,000. This obviously varies according to the size of the company, the responsibilities entrusted to the DPO and the degree of risk involved.
At the service of your cyber security
While some companies are obliged to appoint a Data Protection Officer, it is also possible to do so voluntarily, even if the criteria for compulsory appointment are not met. There are many benefits to doing so:
- You put your activities on a sounder legal footing and reduce the risk of contractual, legal or administrative disputes.
- You strengthen IT security and make better-informed strategic decisions, while consolidating your internal data protection procedures.
- You can reassure your customers, partners, suppliers and other stakeholders that you handle data responsibly.
Remember that the DPO is first and foremost an internal coordinator and an external relay with the supervisory authority and data subjects; they are not responsible for GDPR compliance in place of the controller or processor, which remains accountable. Their role is primarily strategic.
Have you chosen your data protection officer?