Oodrive: when the DPO relies on Privacy Champions
The DPO is a new institution introduced by the entry into force of the RGPD, the much-discussed regulation that governs the processing of personal data throughout the European Union.
The Data Protection Officer, better known by its English acronym DPO, is the conductor of the RGPD. In plain terms, the DPO succeeds the Correspondant Informatique et Libertés (CIL), which the RGPD absorbed, and is responsible for checking that the Regulation is properly applied, much as an auditor checks a company's accounts.
When the DPO plays a central role
The appointment of the DPO is compulsory for public authorities or bodies, and for private-sector organizations that regularly and systematically monitor individuals on a large scale, in particular through profiling, or process sensitive data such as health data on a large scale.
In all other cases, the DPO is optional but recommended. This new institution informs and advises the data controller and the processor on the application of the Data Protection Act and its evolution.
With regard to employees in particular, the DPO takes on the advisory role recognized by the EU text. As such, he or she must be easily accessible to all employees.
This central role with regard to personal data is to be found at all levels of regulation, not just internally.
When it comes to adopting the right reflex
For example, when a data controller becomes aware of a personal data breach, the RGPD now requires it to notify the breach to the CNIL, and even to the people affected by it, on pain of a penalty that can amount to up to 2% of the company's sales.
As part of this notification process, the data controller must communicate the DPO's contact details to the CNIL and to the persons concerned by the violation.
One of the clear challenges of the RGPD is to transform regulatory constraints into a business advantage.
This transformation requires instilling the "personal data" reflex throughout the company, and getting all employees on board.
Why not rely on the DPO for this purpose?
When you need to identify your in-house Privacy Champions
With this in mind, Oodrive has put in place an original practice. The group has nearly 400 employees, and its main activity is the secure management of sensitive data in the sovereign Cloud, offering professionals solutions for sharing, backup and electronic signature.
Oodrive's internally-appointed DPO, none other than its Group CISO, has designated Privacy Champions from within the organization and among its employees.
To do so, the CISO asked the heads of each department to identify suitable candidates, chosen not only for their in-depth knowledge of their respective business processes, but also for their ability to act as relays and their legitimacy vis-à-vis their colleagues.
These candidates proved to be highly motivated, and in line with Oodrive's missions and values.
When privacy angels spread their wings
Thus, it is on these Privacy Champions that the DPO, the "conductor" of the GDPR implementation, will mainly rely.
They received a half-day awareness-raising training session given by two specialist lawyers, culminating in a 20-question quiz covering all the themes of the Regulation and serving as a self-assessment.
Back at their posts, they coordinate through a periodic Privacy Circle, and are regularly kept informed of developments in the company's RGPD compliance approach, to which they make a concrete contribution.
When corporate compliance takes off, very smoothly
In each department, the Privacy Champions are in fact their colleagues' first point of contact for any questions relating to the RGPD, in coordination with the DPO.
As stakeholders in each business line, they fill in the personal data processing register and coordinate PIAs (Privacy Impact Assessments, i.e. privacy risk analyses) where necessary.
As we can see, the RGPD is also clearly an opportunity for a number of companies to overhaul certain organizations and leverage talent for the benefit of the organization and its customers.
Oodrive's original initiative is clearly in line with this objective.
Article co-written by:
- Olivier Iteanu, Cabinet Iteanu Avocats;
- François-Xavier Vincent, Group CISO & DPO Oodrive.