DPO, a key role in personal data protection
Who is the DPO? Behind the acronym DPO (Data Protection Officer) lies a person with a central role in data protection. As the guarantor of compliance with the General Data Protection Regulation (GDPR), he or she is responsible for ensuring that it is properly applied.
Responsible for personal data protection and IT monitoring within his/her organization, the DPO holds a multifaceted job. What are the responsibilities of this "2.0" profile, which combines legal and IT skills?
To find out more, we invite you to discover the definition of the DPO, his role, how he carries out his missions and the training courses available to become this "data champion"!
The DPO: definition
What are DPOs?
DPOs (Data Protection Officers) or DPDs (Délégués à la protection des données) are people appointed within a company or public body to ensure that its personal data processing complies with the European General Data Protection Regulation, in force since May 2018.
The appointment of this "super controller" of data processing is one of the major measures included in the Regulation, aimed at organizations whose activities touch on the protection of personal data.
The position of DPO succeeds that of Correspondant Informatique et Libertés (CIL), with a broadened scope of competence (particularly in terms of risk assessment). As the CNIL's point of contact, the DPO is involved in all issues relating to the protection of personal data, and has the role of facilitating the compliance of the organization's activities in this field.
Who can be a DPO?
Depending on the organization's activities and internal organization, the DPO can be:
- a member of the organization he/she is advising (e.g. a company employee);
- a person appointed on behalf of several organizations: his or her position is pooled for different structures;
- an outside consultant or legal expert.
ℹ️ The use of one of these service providers is an interesting alternative, but is not essential if the function can be performed internally by a suitably qualified employee.
It all depends on the size and structure of your organization, the workload of the resources involved, and whether you decide to recruit the appropriate person directly.
In all cases, the DPO must be provided with the resources needed to carry out his or her mission with complete independence.
The DPO: compulsory or not?
The appointment of a Data Protection Officer by the controller and its processors (subcontractors) is compulsory under certain conditions, specified in Article 37 of the Regulation, when:
- the processing is carried out by a public authority or body;
- the organization's activities involve regular and systematic monitoring of individuals on a large scale;
- the organization's activities involve large-scale processing of sensitive data (such as data relating to a person's health, religion, political life or trade union membership).
The company or organization must appoint a data protection officer, but this does not necessarily have to be done in writing. On the other hand, the supervisory authority must be informed and have easy access to the designated person's contact details.
💡 In cases where the data controller meets all the criteria for mandatory designation, the processor is not obliged to appoint a DPO, and vice versa.
What is the role of the DPO?
The DPO is the reference person in data protection matters: he/she ensures that the organization's activities comply with the RGPD and receives all requests touching closely or remotely on data protection.
His/her main roles within the company or organization to which he/she has been appointed are as follows:
- relay all information concerning the processing of personal data to all teams;
- verify compliance with European regulations and French data protection law;
- advise the organization in its efforts to carry out a Data Protection Impact Assessment (DPIA), and monitor its implementation;
- act as a point of contact for all data subjects (employees, customers, partners, etc.) in the event of questions;
- cooperate with a national supervisory authority, such as the CNIL.
The DPO in everyday life
His or her duties can be found:
- on the DPO job description or standard letter of assignment available to companies on the AFCDP (French Association for Personal Data) website,
- in the guidelines published by G29, the group of European supervisory authorities.
Typical missions
The DPO performs a cross-functional role within the company, combining communication, diplomacy and project management. His or her activities revolve around three main missions:
✔︎ Information and communication
- communicate internally on his or her role and status;
- monitor topics relating to personal data (legal, technical, sectoral, etc.) and information systems security;
- raise awareness among data controllers, management and employees;
- run training courses, depending on the department concerned;
- draw up documentation.
✔︎ Process mapping
- map processing operations;
- assess risks;
- establish the register of processing operations;
- organize internal procedures.
✔︎ Compliance
- coordinate compliance projects for existing processing operations;
- monitor the execution of, or lead, all actions involved in assessing the degree of compliance of personal data processing;
- conduct audits to identify any cases of non-compliance;
- verify compliance with the legal framework and the application of best practices in terms of personal data protection;
- warn of data breach risks.
☝️ It should be noted that DPOs often carry out their duties on a part-time basis (only 54.8% are full-time, half-time or more).
DPO toolbox
Online resources and documentation:
- The General Data Protection Regulation,
- CNIL practical information sheets,
- Everything you need to know about the DPIA (AIPD in French).
Software to help the DPO in his missions:
- Adequacy,
- DPO.run,
- RGPD Manager.
How to become a Data Protection Officer?
DPO: training
This key corporate function, however recent it may be, can be considered a job in its own right, as 89% of DPOs believe.
DPOs can come from a variety of backgrounds, including technical, legal and risk management. They are mainly IT specialists (34.9%) or legal experts (31.1%), with a diversity of other profiles (34%) (according to a study by AFPA for the French Ministry of Labor).
To be able to perform their duties, DPOs need specialized knowledge of data protection law, as well as a solid grounding in IT.
It goes without saying that the DPO needs to have a thorough understanding of the organization in which he/she works and its internal procedures, in relation to the various departments involved: marketing, HR, product, legal, business, etc.
Aspiring DPOs can take part in a number of training courses, including:
- a specialized Master's degree, such as the one offered by ISEP Management et Protection des Données Personnelles, the first long DPO training course in Europe,
- certification based on CNIL standards,
- recognized training in Informatique et Libertés (French data protection law) or RGPD,
- industry-specific training.
The AFCDP website provides a more exhaustive list of diploma courses leading to this profession. It should be noted that the French Ministry of Labor is still working to professionalize this function.
DPO: salary
As this is still a new profession, salary levels are relatively variable. According to the AFCDP, the gross monthly salary ranges from €2,500 to €4,000. This obviously varies according to the size of the company, the responsibilities entrusted to the DPO, and the degree of risk involved.
At the service of your cybersecurity
While some companies are obliged to appoint a Data Protection Officer, it is also possible to do so voluntarily, even if the criteria for compulsory appointment are not met. The benefits are many:
- You guarantee the legal security of your activities, and reduce the risk of contractual, legal or administrative disputes.
- You strengthen IT security and make better strategic decisions, while consolidating your internal data protection procedures.
- You can reassure your customers, partners, suppliers and other stakeholders that you are handling data responsibly.
Remember that the DPO is first and foremost an internal coordinator and an external relay with the supervisory authority and data subjects, and is not responsible for RGPD compliance in place of the controller or processor. His role is above all strategic.
And you, have you chosen your data protection officer?