DPO: Definition
Described as a "conductor" by the French data protection authority (CNIL), the DPO, or Data Protection Officer, is in charge of protecting the personal data held by public and private organizations.
The role of DPO was created by the General Data Protection Regulation (GDPR), applicable since May 25, 2018, which governs the DPO's designation, position and tasks in Chapter IV, Section 4 (Articles 37 to 39). The CNIL's DPO certification scheme, described further below, is a French initiative that complements the Regulation.
There is nothing new about naming a person to ensure proper management of personal data in a company. The position already existed in France: it was called the "Data protection correspondent" (CIL, for Correspondant Informatique et Libertés), but it was optional and therefore remained marginal.
For organizations that are required to appoint a DPO, the latter is the adviser and key contact for the CNIL as the person who oversees GDPR compliance. In an organization, the DPO is also the point person for all personal data issues, whether originating in-house or from a data subject whose data is processed by the organization. Hence the DPO is in charge of managing data subject requests (DSR).
After one year of applying the GDPR, small and medium-sized businesses were found to be increasingly relying on DPOs to help them deal with the risks and constraints of the GDPR.
Appointing a DPO from among the employees is an increasingly attractive option for many companies, and in some cases a necessary condition for managing their compliance and avoiding fines.
However, the role of DPO can also be performed by an external provider if it is not feasible or appropriate to appoint an employee. In fact, outsourcing DPOs is becoming an increasingly popular solution that will continue to grow in the coming years. After more than two years of the GDPR, the job of Data Protection Officer ranks Number 1 for the most in-demand jobs on LinkedIn in France. According to LinkedIn, the number of professionals holding this job has increased 32-fold since 2015.
What are the DPO’s responsibilities?
The DPO ensures that their organization is compliant with the regulations applicable to personal data protection. They must therefore:
- Inform and advise both the organization for which they perform their duties, and its employees. They manage the in-depth changes in the way the organization uses and handles its data.
- Monitor compliance with the regulation and with national laws pertaining to personal data protection, especially regarding the purposes of the processing and the protection of data subjects’ rights.
- Advise on whether a data protection impact assessment (DPIA) is required for a given processing activity, provide advice on how to carry it out, and monitor its performance.
- Be available to answer the questions of data subjects.
- Cooperate with the national supervisory authority and act as its contact point on questions relating to processing.
The DPO can also maintain the organization's record of processing activities, although the obligation to keep that record lies with the controller (or processor) under Article 30 of the GDPR; the DPO compiles it with input from the business teams that actually carry out the processing.
The job of DPO is therefore essential and strongly recommended to allow an organization that processes personal data to satisfy the regulations concerning protection of personal data and privacy.
The DPO guides the organization in achieving compliance and maintaining it over time. This involves:
- helping the organization to map its processing activities;
- prioritizing the actions required to protect the data according to the situation and related risks;
- organizing internal procedures designed to manage personal data processing, data subject requests and data breaches;
- documenting the organization’s compliance so that it can easily demonstrate its compliance with applicable regulations in the event of an audit.
To simplify all these processes, the DPO can use GDPR compliance software.
DPO: are they mandatory?
Formerly optional under the French Data Protection Act of 6 January 1978 (loi Informatique et Libertés), appointing a DPO is now mandatory in a number of cases. Not all organizations are required to have a DPO, but having one is strongly recommended by the CNIL: they act as adviser and manage your GDPR compliance.
Article 37(1) of the GDPR requires the appointment of a DPO in three specific cases:
- If the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- If the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (video surveillance, geolocation, tracking of banking customers, or any other monitoring involving a significant number of data subjects, etc.). Both conditions must be met: the processing must involve monitoring, and it must be large-scale.
- If the core activities of the controller or processor consist of large-scale processing of special categories of data (health data, biometric data, etc.) or of personal data relating to criminal convictions and offenses.
The Article 29 Working Party (WP29, since replaced by the European Data Protection Board) specified that private companies performing public service missions are not covered by the first case. However, WP29 recommends, as good practice, that they appoint a DPO anyway, and such companies may still fall under one of the other two cases.
Our recommendation
In the event of an audit, the CNIL will ask you to justify the absence of a DPO. It is therefore crucial that your documentation record the analysis that led you not to appoint one, and the reasons for that decision. Conversely, by appointing an in-house DPO or a DPO shared with another entity, you give your organization a single contact for guaranteeing end-to-end GDPR compliance.
Our partners — who are either external DPOs or law firms — are available to guide you in achieving compliance and maintaining it over time. If you don’t have the internal resources or you prefer to get professional expert advice, find the perfect partner, no matter what the size of your company or its field of activity.
Expertise and resources needed to be a DPO
Before appointing a DPO, check that they satisfy the following three conditions:
- They must have the expertise required to perform the duties of DPO (in-depth knowledge of legislation, solid knowledge of organization’s structure and needs, familiarity with its information systems and the data collected, etc.). The DPO must keep their skills up to date (through training, etc.)
- They must have sufficient resources to do the job (access to useful information, availability, enough time to handle their responsibilities, sufficient material and human resources).
- They must be completely independent: no conflict of interest if the DPO holds another position, no dismissal or penalty for performing their DPO tasks, and no instructions from management on how to carry them out (Article 38 of the GDPR). While the DPO is independent, they are not personally liable if the organization is found non-compliant and/or sanctioned by the competent supervisory authority: responsibility remains with the controller or processor.
The DPO is also bound by secrecy or confidentiality with regard to the performance of their tasks.
Lastly, your DPO's contact details must be communicated to the competent supervisory authority and published. In France, the CNIL has set up an online designation form for this purpose.
Whether you’re an in-house or an outsourced DPO, Data Legal Drive will help you successfully achieve compliance for your entity or those of your clients. Find out how our software can help you on a daily basis.
DPO Certification
In 2018, the CNIL proposed a frame of reference designed to ensure that the large numbers of DPOs entering the market will be qualified through certification in order to clearly identify a DPO’s expertise, skills and know-how.
The certification is not required to hold the job of DPO. Conversely, you can apply for DPO certification even if you are not a DPO.
This certification, which was first issued in July 2019, consists in an examination of expertise. It is not a diploma.
The CNIL's DPO certification, which remains valid for three years, is issued by certification bodies accredited by the CNIL (the CNIL publishes the list of accredited bodies).
It consists of roughly 100 multiple-choice questions, some of which involve case studies. The questions cover three areas (described in the appendix to the accreditation frame of reference) and are designed to test the 17 skills and types of know-how listed in the certification frame of reference (e.g. knowing how to identify the legal basis of a processing activity, or how to develop and implement personnel training and awareness programs).
Passing the test requires 75% correct answers overall, with at least 50% correct answers in each of the three areas.
Differences with former “Data protection correspondent” (CIL)
Initially tasked with ensuring companies' compliance with the Data Protection Act of 1978, the role of the CIL (data protection correspondent) has changed completely since the GDPR came into force. The name has changed too, to DPO.
Among the many changes to the position:
- A DPO is mandatory in some cases, whereas a CIL was always optional
- Data processors are also required to appoint one if they meet certain criteria established by the GDPR
- The DPO's contact details must be published by the organization and communicated to the CNIL
- An external DPO can be appointed, with no restrictions; this DPO can be shared by several organizations
- The DPO must be registered with the oversight authority (the CNIL in France)
The DPO also has new responsibilities in companies, established by the GDPR:
- Advise on and monitor the performance of data protection impact assessments (DPIAs) for projects likely to result in a high risk to data subjects' rights and freedoms
- Guarantee the company’s accountability, in order to demonstrate its compliance with the GDPR
- Ensure the company applies the principles of Privacy by Design and Privacy by Default
- Coordinate the handling of personal data breaches, including notification to the CNIL within 72 hours of becoming aware of the breach and, where the breach is likely to result in a high risk to data subjects, communication to the data subjects themselves
Companies can:
- Convert their CIL into a DPO, keeping the same person (on condition that they meet the requirements of the position)
- Appoint a different person as DPO to replace the CIL
- Keep their initial CIL, in addition to a DPO appointed per the GDPR.