
Oodrive: when the DPO relies on Privacy Champions

By Grégory Coste.

Published: 12 November 2024

The Data Protection Officer (DPO) is a new institution introduced by the entry into force of the RGPD, the well-known regulation that everyone has been talking about for many months and which governs the processing of personal data throughout the European Union.

The Data Protection Officer (DPO) is the orchestrator of the RGPD. In plain English, the successor to the Correspondant Informatique et Libertés (CIL), a role absorbed by the RGPD, is the one who checks that the Regulation is correctly applied, in much the same way as an auditor checks a company's accounts.

When the DPO plays a central role

The appointment of a Data Protection Officer is compulsory for public authorities or bodies and for private-sector organisations that regularly and systematically monitor individuals on a large scale, in particular through profiling, or that process sensitive data on a large scale, such as health data.

In all other cases, the DPO is optional but recommended. This new institution informs and advises data controllers and processors on the application of data protection law to personal data and on how that law develops.

With regard to employees in particular, the DPO assumes the advisory role that the EU text recognises. He or she must therefore be easily contactable by all employees.

This central role with regard to personal data is to be found at all levels of the regulations, not just with regard to in-house staff.

When it comes to adopting the right approach

For example, when a data controller becomes aware of a personal data breach, the RGPD now requires it to notify the CNIL, and in some cases the people affected by the breach, on pain of a penalty of up to 2% of the company's turnover.

As part of this notification, the data controller must communicate the DPO's contact details to the CNIL and to the people affected by the breach.

One of the clear challenges of the RGPD is to turn regulatory constraints into a business advantage.

This transformation means instilling the 'personal data' reflex throughout the company and getting all employees on board.

Why not rely on the DPO for this purpose?

When you need to identify your in-house Privacy Champions

With this in mind, Oodrive, a group of almost 400 employees whose main activity is the secure management of sensitive data in a sovereign Cloud, offering professionals solutions for sharing, backing up and electronically signing documents, has put in place an original practice.

The DPO appointed internally by Oodrive, who is none other than its Group CISO, has designated Privacy Champions from within the organisation and from among its employees.

To do so, the DPO asked the heads of each department to identify suitable candidates, chosen not only for their in-depth knowledge of their respective business processes, but also for their ability to act as relays and their legitimacy in the eyes of their colleagues.

These candidates proved to be highly motivated, in line with Oodrive's missions and values.

When the guardian angels of privacy protection spread their wings

It is on these Privacy Champions that the DPO, the "orchestra conductor" for the implementation of the GDPR, relies.

They were given a half-day awareness-raising course by two specialist lawyers, culminating in a 20-question quiz covering all the topics addressed by the Regulation and serving as a self-assessment.

Back at their posts, they coordinate their work through a regular Privacy Circle and are kept informed of developments in the company's RGPD compliance process, to which they make a tangible contribution.

When a company's compliance takes off smoothly

In each department, the Privacy Champions are their colleagues' first point of contact for any questions relating to the RGPD, in coordination with the DPO.

As stakeholders in each business line, they fill in the register of personal data processing operations and, where necessary, coordinate the PIA (Privacy Impact Assessment).

As we can see, the RGPD is also clearly an opportunity for a number of companies to overhaul certain organisational structures and make the most of talent for the benefit of the organisation and its customers.

Oodrive's original initiative is clearly in line with this objective.

Article co-authored by:

  • Olivier Iteanu, Cabinet Iteanu Avocats;
  • François-Xavier Vincent, Group CISO & DPO Oodrive.

Article translated from French