The DPMR (European General Regulation on Data Protection) will enter into force on 25 May. This new European provision implies the creation of a new position in companies and organisations that collect personal data: the Data Privacy Officer (DPO). There are already today "Data Protection Correspondents". 5,000 of them act for 18,000 legal entities. It will be necessary to multiply their number by ten to be in compliance with the DPO. While waiting for universities to graduate the first DPOs, it is necessary to define the scope of action of this key position by promoting its access to information, its independence and its authority. What will be the place of the DPO in the company? How will he or she be trained? What will be the best organization to ensure an optimal role for him/her? A number of questions that still remain unanswered.
Expert opinion
Data Privacy Officer: the guarantor of data protection in the company
Designed to be the safeguard of data protection within companies, the DPO will have to concretely ensure the proper application of the regulations internally. This presupposes a fairly broad role in the company, encompassing both informational and supervisory objectives. The DPO therefore embodies a point of contact, an intermediary with the authorities. He is the guarantor of the protection of personal data in the company.
However, the DPO does not apply to all companies. Article 37 of the Regulation provides for the obligation to appoint a DPO for companies executing "... the DPO shall be appointed by the competent authority...". large-scale processing of regular and systematic monitoring of individuals or sensitive data ». The DPO will thus be mandatory for all companies in the data sector in the broadest sense, but also for companies that process the personal data of their consumers on a large scale. This will concern for example companies that collect transactional data from their customers (potentially the entire retail sector) but also those that track visits to their websites by name (such as the media). However, all companies processing personal data are advised to appoint a DPO.
Beyond a technical role, the DPO will serve as a model for democratizing the importance of personal data protection. By establishing this position without being legally constrained to do so, companies are showing that they are putting the protection of personal data at the centre of their concerns. Through the DPO, the need to protect data becomes visible within the company.
Once in place, one of its missions will be to raise internal awareness of this importance and to promote good practices to ensure it.
The job of DPO does not yet exist: what profile to embody it?
A DPO must mobilize a great deal of knowledge. He or she must know the law, but does not necessarily have a legal background. He or she must have a fairly detailed knowledge of data security without necessarily being a cyber security expert. However, while a certain tension already exists in companies at this level, the DPO's main talent is not so much hard skills as soft skills, and therefore pedagogy.
This new position crystallizes a position of counter-power in front of managers and boards of directors: it is his ability to federate teams around data protection that will make a good candidate for this position.
In spite of masters courses integrating "data protection" curricula, DPO profiles are still very rare, or still in the process of being developed. This raises the question, for companies, of whether to internalise or externalise the position.
Towards an outsourcing of the DPO
While all companies that process sensitive personal data or use their massive analysis must have a Data Privacy Officer on their team, the DPMR does not require a minimum working time. Indeed, the position is negotiated according to the size and needs of the company, which may require a part-time, full-time or even multiple DPOs. Outsourcing the function to a third party (e.g. consultants or law firm) is possible.
Although outsourcing is a solution for companies that cannot afford to hire a full-time person and whose workload does not justify it, it has real drawbacks. It can be difficult to make an outsider the flagship of privacy policy.
Moreover, the cost is not to be neglected. Indeed, given the fees of specialized firms, the in-house DPO may ultimately prove to be more economical.
Moreover, internalizing the position is preferable because of its fundamental role of allowing privacy to be taken into account in the company.
Nevertheless, despite all the benefits that synergy and knowledge of work habits can offer, giving this new responsibility to an employee already present in the company can cause tensions with management and place the DPO in a delicate situation. This can potentially undermine the inseparable independence of the position.
Each solution has advantages and disadvantages, but there is no ideal solution at the moment. For companies, the key lies in the audit: the best option is still the one that will best meet the needs of a given company.
Marc DésenfantManaging Director ACTITO France
Anything to add? Say it as a comment.
