The Data Protection Officer (DPO) is the person in charge of personal data protection within public or private organisations.
The notion of DPO was enshrined on 25 May 2018, by the General Data Protection Regulation (GDPR) which regulates the appointment, functions, missions and certification in its chapter 4.
Appointing a person in charge of the proper management of personal data within companies is not new. The function existed in a rather marginal and non-mandatory way in companies, under the name of Data Protection Correspondent.
For organisations whose designation is compulsory, he or she will be the CNIL’s advisor and privileged intermediary in order to manage compliance with the GDPR. Within the organisation, the DPO will also be the privileged interlocutor for all questions relating to personal data, whether they are internal or emanate from a person concerned by a processing carried out by the organisation. Thus, the DPO will be in charge of managing requests to exercise rights.
The assessment made after one year of application of the GDPR shows that VSEs/SMEs are increasingly using the function of DPO to protect themselves from the risks and constraints imposed by the GDPR.
Indeed, the appointment of an internal employee to embody this function is increasingly a feasible project for many of them, if not a sine qua non condition to ensure compliance management and avoid financial penalties.
However, the DPO function can also be performed by a service provider external to the organisation, if the allocation of an internal resource is not feasible and/or relevant. The role of external DPO has therefore taken on a certain importance, which will increase in the coming years. In fact, after more than two years of application of the GDPR, the job of Data Protection Officer has risen to first place among the most sought-after jobs on LinkedIn in France. According to LinkedIn, the profession has 32 times more professionals than in 2015.
What are the tasks of the DPO?
The DPO ensures the compliance of his organisation with the applicable regulations on the protection of personal data. In this respect, he/she must :
- Inform and advise the organisation within which he/she performs his/her duties as well as the employees of this organisation. He/she accompanies in depth the change in the use of data within the company
- Monitor compliance with the Regulation and with national law on the protection of personal data, in particular with regard to the purposes of the processing carried out and respect for the rights of the persons concerned
- Propose to his organisation to draw up a data protection impact assessment and ensure that it is carried out.
- Be available to answer questions from data subjects
- Cooperate with the local supervisory authority
The DPO may also, with the help of controllers and processors, maintain the organisation’s record of processing activities.
The DPO is therefore an essential and highly recommended function to enable an organisation processing personal data to ensure that it complies with the applicable regulations on the protection of personal data and privacy.
The DPO assists the organisation in achieving and maintaining compliance over time. This involves :
- helping the organisation to map its processing operations ;
- prioritising the actions to be taken in terms of data protection according to the context and the associated risks
- organising internal procedures to manage the processing of personal data, possible requests to exercise rights and breaches;
- document the organisation’s compliance, so that in the event of an audit, it can easily demonstrate its compliance with the applicable regulations.
To simplify all of these processes, the DPO can use GDPR compliance software.
DPO: mandatory or not?
The appointment of a DPO is mandatory in a certain number of cases. Indeed, not all companies are concerned by the obligation to have a Data Protection Officer within their structure. However, the DPO is strongly recommended. He has the role of adviser and allows you to manage your GDPR compliance.
Article 37.7 of the GDPR provides for the appointment of a DPO in 3 specific cases:
- Where the processing of personal data is carried out by a public authority or body, with the exception of courts acting in the exercise of their judicial function.
- When the main activities of the controller and the processor involve regular and systematic monitoring on a large scale of the persons concerned by the processing operations (video surveillance, geolocation, processing of bank transactions, processing of a large number of customers: any processing operation involving a significant number of data subjects, etc.)
- When the main activities of the controller and the processor involve large-scale processing of sensitive data categories (health data, biometric data, etc.) or personal data relating to criminal convictions and offences.
It should be noted that the Article 29 Working Party has clarified that private companies carrying out public service missions are not bound by this designation obligation. However, the G29 again recommends this designation.
In the event of an inspection, the CNIL will ask you to justify the absence of a DPO, so it will be essential to justify in your documentation the arguments that were decisive in your choice not to appoint one. In the end, appointing an internal DPO or a shared DPO with another structure means ensuring a single contact person to guarantee end-to-end GDPR compliance.
The skills and means to exercise the profession of DPO
Before appointing a DPO, it must be ensured that the latter fulfils the following three conditions:
- He or she must have the skills required to perform the function of DPO (in-depth knowledge of legislation, a good knowledge of the internal organisation and the needs of the body, a good knowledge of information systems, of the data collected, etc.). The DPO must also ensure that he or she maintains his or her skills over time (training, etc.)
- He/she must have sufficient resources to carry out the function of DPO (accessibility to useful information, availability, sufficient time to carry out his/her tasks, adequate material and human resources).
- He/she must act in complete independence (there must be no conflict of interest if he/she combines the function of DPO with another function, there must be no sanctions in the context of his/her activity as DPO, there must be no hierarchical instruction in the context of his/her activity as DPO). It should be noted that even though he/she must be independent, the DPO cannot be held responsible in the event of non-compliance by the organisation and/or a sanction by the competent supervisory authority.
The DPO is also bound by an obligation of confidentiality with regard to his tasks.
Finally, it is necessary to declare the DPO to the competent supervisory authority.
Certification of the DPO
In 2018, the french authority (CNIL) proposed a reference framework to ensure that the DPOs arriving on the market in large numbers are qualified by a certification in order to clearly identify the nature of the DPO’s expertise, skills and know-how.
As a reminder, certification is not compulsory to exercise the profession of Data Protection Officer. Conversely, it is not required to be designated as a Data Protection Officer in order to be a candidate for the DPO skills certification.
Issued since July 2019, this certification consists of a skills test and not a diploma.
The CNIL DPO certification, issued for 3 years, is organised by certification structures approved by the supervisory authority.
It is obtained by means of a multiple choice test consisting of around 100 questions, some of which are practical cases. The questions cover three areas (details in the appendix to the approval reference framework) and are designed to test the 17 skills and know-how listed in the certification reference framework (for example, knowing how to identify the legal basis of a processing operation or knowing how to draw up and implement staff training and awareness programmes).
The test is passed if at least 75% of the answers are correct (including 50% correct answers in each of the areas).