The DPO is the internal contact person in charge of supporting the GDPR compliance of your company. He/she has a key role: he/she is an advisor, an expert, a project manager and a contact point with the regulatory authority. When choosing a DPO, it is therefore best to look for a profile able to responding to various types of missions.
Head down to the article below to know more about the DPO role and his/her necessary skills.
What is a DPO?
The DPO is the Data Protection Officer. The Data Protection Officer is an absolutely essential function in your organisation. The DPO is a facilitator of the GDPR compliance of your activities.
As such, the DPO is a central figure, in contact with all departments that may be required to handle personal data:
- Marketing management, sales management, whether they address B2C or B2B audiences;
- Internal business departments: HR, payroll, finance, legal, operations, etc;
- Technical management, information systems management;
- Communication department;
- etc.
What are the tasks of the DPO?
The DPO carries out various types of missions:
- Informing and advising your organisation and teams. The DPO can for example be consulted in order to know how to make your websites, your mobile applications or your computer applications GDPR compliant.
- Contribute to the spreading of a culture of data protection within the company. The DPO helps to train staff on the obligations to be respected. More generally, the DPO accompanies change management in the way personal data is used.
- Monitoring compliance with legal obligations in terms of personal data protection. This includes conducting audits or even mock controls within the company.
- Recommending, when necessary, that a data protection impact assessment (DPIA) be carried out and ensuring that it is done.
- Cooperate with the regulatory authority. The DPO will also be the company’s point of contact, particularly in the event of inspections or requests for observations.
Supporting your company’s compliance procedures, for example in e-commerce, or in a real estate agency, means that the DPO’s responsibilities include, but are not limited to, the following:
- Helping your organisation to map out the data processing activities in place, including the purposes of all processing activities, which must be made public on request.
- Prioritise the actions to be taken in terms of data protection.
- Organising the internal procedures made necessary by the GDPR. Interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information.
- Documenting and educating your company and employees on important compliance requirements;
- Conducting audits to ensure compliance and address potential issues proactively.
What is the responsibility of the DPO?
The DPO is never the data controller who determines the purposes for which and the means by which personal data is processed. His/Her role is rather that of an advisor.
The responsibility that the data processing complies with the legal requirements is handle by your company:
- for data processing carried out internally by your various departments and services;
- for data processing carried out by subcontractors on behalf of your organisation.
This responsibility is not delegated to the DPO. This means that the legally responsible person for your organisation assumes any consequences of non-compliance with the legal obligations.
In this context, the DPO helps in particular to control this compliance risk by creating a plan of priority actions to be taken, by making recommendations and advise the controller or processor accordingly. However, the DPO is not personally liable for noncompliance, as overall responsibility lies with the data controller.
Similarly, when you outsource a service to a subcontractor, you never delegate the responsibility for handling the data on your behalf.
What skills should your DPO absolutely have?
In October 2018, the CNIL published a certification scheme of DPO skills and knowledge.
This document will be of great help to you in choosing your DPO. You need a professional who is capable of integrating into your company’s culture and understanding its activities in order to provide the best possible support.
DPOs can come from a variety of backgrounds:
- from legal backgrounds;
- technical departments; and
- other backgrounds.
What are the skills identified by the CNIL in its reference framework?
- Know and be able to understand the principles of lawfulness of processing, of purpose limitation, of data minimisation, of data accuracy, of storage limitation, of integrity, confidentiality and accountability.
- Identify the legal basis of a processing.
- Know how to determine which measures are appropriate and which information content should be provided to data subjects.
- Know how to establish procedures to receive and manage requests to exercise rights made by data subjects.
- Know the legal framework relating to subcontracting of personal data processing.
- Identify the existence of data transfers outside of the European Union and to determine which legal transfer instruments are likely to be used.
- Develop and implement a policy or internal rules on data protection.
- Organise and take part in data protection audits.
- Be aware of the content of the record of processing activities, the record of categories of processing activities, and of the documentation on data breaches and the documentation necessary to prove compliance with data protection regulations.
- Identify data protection measures by design and by default that are suited to the risks and the nature of processing operations.
- Be able to take part in identifying security measures that are suited to the risks and the nature of the processing operations.
- Identify personal data breaches requiring notification to the supervisory authority and those requiring communication to the data subjects.
- Determine whether or not it is necessary to perform a data protection impact assessment (DPIA) and is able to monitor its performance.
- Provide advice on data protection impact assessment (in particular on the methodology, on any possible outsourcing, on the technical and organisational measures to adopt).
- Oversee relations with supervisory authorities, by answering their requests and by facilitating their action (in particular, through the handling of complaints and investigations).
- Establish, implement and provide training and awareness programmes on data protection to staff and to governing bodies.
- Ensure the traceability of his/her actions, particularly through monitoring tools or annual report.
How to appoint your DPO?
There are several options for appointing your DPO.
Depending on your needs, you can recruit a DPO in-house, or an external employee of your company who must have specialised knowledge of law and practice in the field of data protection, although it is not required to be certified.
In some cases, this will be a full-time position, but for many entities, the DPO will only be part-time.
The DPO may be shared, for example, between the various subsidiaries of your organisation.
Conclusion: the DPO, pillar and driver of your GDPR compliance
The DPO works in supporting your company in its efforts to comply with the GDPR.
His/Her functions will lead him/her to rely on dedicated solutions that will take care of specific issues. For example, you can rely on Admeet’s solutions to meet your website’s transparency obligations.
Moreover, the presence of a DPO strengthens your image and increases trust with your customers, who will feel secure knowing their data is collected in compliance with their rights, and the GDPR.
Don’t miss the must-attend event for all those involved in data protection, the Printemps des DPO, which takes place every year in Paris!