Described as a “conductor” by the French data protection authority (CNIL), the DPO, or Data Protection Officer, is responsible for protecting the personal data held by public and private organizations.
The concept of DPO was established on May 25, 2018, in the General Data Protection Regulation (GDPR), which governs their appointment, duties, responsibilities, and certification in Chapter 4.
There is nothing new about naming a person to ensure proper management of personal data in a company. The position already existed: it was called the “Data protection correspondent” (CIL in french), but it was not mandatory and, therefore, peripheral.
For organizations that are required to appoint a DPO, the latter is the adviser and key contact for the CNIL as the person who oversees GDPR compliance. In an organization, the DPO is also the point person for all personal data issues, whether originating in-house or from a data subject whose data is processed by the organization. Hence, the DPO manages data subject requests (DSR).
After one year of applying the GDPR, the findings show that small and medium-sized businesses increasingly use DPOs to help them deal with the risks and constraints relative to the GDPR.
Appointing a DPO from among the employees increasingly represents a good option for many companies and is sometimes necessary to manage their compliance and avoid fines.
However, the role of DPO can also be performed by an external provider if it is not feasible or appropriate to appoint an employee. Outsourcing DPO is becoming an increasingly popular solution that will continue to grow in the coming years. After more than 5 years of the GDPR, the Data Protection Officer job ranks Number 1 for the most in-demand jobs on LinkedIn in France.
What are the DPO’s responsibilities?
The DPO ensures that their organization complies with personal data protection regulations. They must, therefore:
Inform and advise the organization for which they perform their duties and its employees. They manage the in-depth changes in how the organization uses and handles data
Monitor compliance with the regulation and with national laws on personal data protection, especially regarding the purposes of processing and the protection of data subjects’ rights
Prioritizing the actions required to protect the data according to the situation and related risks
Organizing internal procedures designed to manage personal data processing, data subject requests, and data breaches
Documenting the organization’s compliance so that it can easily demonstrate its compliance with applicable regulations in the event of an audit
To simplify all these processes, the DPO can use GDPR compliance software.
DPO: are they mandatory?
Formerly optional under the law of 78, it is now mandatory to appoint a DPO in several cases. Not all organizations are required to have a DPO. However, having a DPO is strongly recommended by the CNIL. They play the role of adviser and manage your GDPR compliance.
Article 37.7 of the GDPR provides for the appointment of a DPO in three specific cases:
If the personal data processing is performed by a public authority or body, except for jurisdictions acting within the terms of their jurisdictional function
If the main activities of the data controller and processor involve the regular, systematic, and large-scale tracking of the persons concerned by the processing operations (video surveillance, geolocation, banking communications, processing of large numbers of customers: any processing involving a significant number of data subjects, etc.)
If the main activities of the data controller and processor involve large-scale processing of sensitive data categories (health data, biometric data, etc.) or personal data relating to criminal convictions and offenses
The Article 29 Working Party specified that private companies that perform public service missions are not held to this obligation. However, the G29 once again recommends appointing a DPO.
In the event of an audit, the CNIL will ask you to justify the lack of a DPO. Therefore, your documentation must support your main justifications for not appointing a DPO. The central point is that by appointing an in-house DPO or a DPO shared with another entity, you give your organization a single contact for guaranteeing end-to-end GDPR compliance.
Our partners, external DPOs or law firms, can guide you in achieving compliance and maintaining it over time. If you don’t have the internal resources or prefer to get professional expert advice, find the perfect partner, no matter the size of your company or its field of activity.
We’ll help you find your partner for GDPR compliance, regardless of the size of your company or its field of activity.
Before appointing a DPO, check that they satisfy the following three conditions:
They must have the expertise required to perform the duties of DPO (in-depth knowledge of legislation, solid knowledge of the organization’s structure and needs, familiarity with its information systems and the data collected, etc.). The DPO must keep their skills current (through training, etc.)
They must have sufficient resources to do the job (access to helpful information, availability, enough time to handle their responsibilities, and sufficient material and human resources).
They must be completely independent (no conflict of interest if the DPO holds another position, no sanctions ever levied for their DPO activities, and no instructions for the DPO from management). And while the DPO must be independent, they may not be held liable if the organization is deemed non-compliant and/or is sanctioned by the competent oversight authority.
The DPO is also held to an obligation of secrecy concerning its responsibilities.
Lastly, your DPO must be declared to the competent oversight authority. In France, the CNIL has set up an online declaration form.
Whether you’re an in-house or an outsourced DPO, Data Legal Drive will help you successfully achieve compliance for your entity or your clients. Please find out how our software can help you daily.
In 2018, the CNIL proposed a frame of reference designed to ensure that the large numbers of DPOs entering the market will be qualified through certification to identify a DPO’s expertise, skills, and know-how.
The certification is optional to hold the job of DPO. You can apply for DPO certification even if you are not a DPO.
This certification, first issued in July 2019, consists of an examination of expertise. It is not a diploma.
The CNIL’s DPO certification, which remains valid for three years, is organized by CNIL-approved certification agencies (list).
It consists of roughly 100 multiple-choice questions, some involving case studies. The questions cover three areas (description in the appendix of approval frame of reference). They are designed to test the 17 types of expertise and know-how listed in the certification frame of reference (e.g., identify the legal basis of processing activity or how to develop and implement personnel training and awareness programs).
Passing the test requires 75% of correct answers (50% of the answers in each area must be correct).
Differences with former “Data protection correspondent” (CIL)
Initially tasked with ensuring compliance with the Data Protection Act of 1978 in companies, the role of a CIL (data protection correspondent) has completely changed since the implementation of the GDPR. The name has changed, too, to DPO.
Among the many changes to the position:
A DPO is mandatory in some cases, whereas a CIL was always optional
Data processors are also required to appoint one if they meet specific criteria established by the GDPR
The DPO’s contact details must be publicly available on the CNIL website
An external DPO can be appointed with no restrictions; several organizations can share this DPO
The DPO must be registered with the oversight authority (the CNIL in France)
The DPO also has new responsibilities in companies established by the GDPR:
Regularly and systematically conduct PIAs (GDPR Privacy Impact Analyses) for projects liable to impact personal data protection
Guarantee the company’s accountability to demonstrate its compliance with the GDPR
Ensure the company applies the principles of Privacy by Design and Privacy by Default
Manage personal data breaches and report them to the CNIL and data subjects
Replace their CIL with a DPO, who can be the same person (on condition that they meet the requirements of the position)
Appoint a DPO to replace the CIL
Keep their initial CIL and a DPO appointed per the GDPR