The Data Protection Officer (DPO) is the person in charge of personal data protection in public or private organisations. This function existed in few companies but the GDPR enshrines it, makes it mandatory in certain cases and provides a framework.
For organizations where such designation is mandatory, the DPO would be the advisor and privileged intermediary with the CNIL in order to manage compliance with the GDPR.
Moreover, an assessment that was made after one year of application of the GDPR shows that VSEs/SMEs are increasingly using the DPO function to protect themselves from the risks and constraints imposed by the GDPR.
Indeed, appointment of an internal collaborator to carry out this function is a good practice, if not a sine qua non condition for ensuring compliance management and avoiding financial penalties.
What are the missions of the DPO
The DPO ensures data protection compliance within his or her organization. As such, the DPO must:
Inform and advise the organization in which he or she works and the organization’s employees.
Check compliance with the regulation and national law on the protection of personal data.
Propose to its organisation to establish a data protection impact assessment and ensure its execution.
Be available to answer questions from the data subjects.
Ensure cooperation with the local supervisory authority.
The DPO is therefore an essential and highly recommended function to enable an organisation processing personal data to ensure that it complies with the applicable regulations on the protection of personal data.
DPO Mandatory or not ?
Not all organisations, private or public, are obliged to appoint a Data Protection Officer within their structure. However, the DPO is strongly recommended by the CNIL. It has the role of advisor and allows you to manage your GDPR compliance.
Section 37.7 of the GDPR provides for the designation of an DPO in 3 specific cases:
When the processing is carried out by a public authority or body.
When the main activities of the controller and the processor involve regular large-scale monitoring of the data subjects by the processing operations.
When the main activities of the controller and the processor involve large-scale processing of categories of sensitive data (health data, biometric data, etc.) or personal data relating to criminal convictions and offences.
The skills and means to exercise the DPO profession
Before designating a DPO, it must be ensured that the DPO meets the following three conditions:
1. He must have the skills required to perform the DPO function (in-depth knowledge of legislation, a good knowledge of the internal organisation and the needs of the organisation, a good knowledge of information systems).
2. It must have sufficient resources to carry out the DPO function (accessibility to useful information; availability; sufficient time to carry out its missions; adequate material and human resources).
3. He must act in complete independence (there must be no conflict of interest in the event of cumulation of DPO functions with another function, no sanctions in the context of his DPO activity, no hierarchical instruction in the case of his DPO activity,…).
Finally, it is necessary to declare your DPO to the competent supervisory authority. For France, the CNIL has created an online declaration.