Le Cercle K2 neither approves nor disapproves of the opinions expressed in its publications (written and video), which remain those of their authors.
Companies’ digital transformation has taken place without anyone being fully prepared for it, or even realizing it was happening. A start-up offers an idea, digital marketing grows, more developers are hired in the IT department, and the legal department that used to handle commercial contracts now has to negotiate IT contracts and then protect employee, customer and supplier data.
Are companies equipped to deal with the real issues?
Do the management teams even really know what the challenges are?
These are the questions raised by the definition of the key role of the Data Protection Officer, or DPO, created by the EU General Data Protection Regulation. If a company today wishes to comply with the GDPR, or with any of the 130 other data protection regulations that have come into force since 2016, it must succeed in this digital transformation, and therefore in recruiting the right DPO.
A. The DPO Has Strong Powers
According to the GDPR, a DPO benefits from professional secrecy and independence. He/she reports to the highest level of management in the group, manages an independent budget proportionate to the risks he/she has to manage, and has the resources needed to monitor those risks and to ensure that sufficient organizational and technical security measures are in place to protect the personal data controlled and/or processed by the Company.
B. The DPO is Protected from Termination
In addition to these high-level benefits, which make him/her a member of the company executive committee, he/she is protected against termination of contract for performing these duties. Nor can any powers or liability in connection with data protection be delegated to him/her: this remains the sole responsibility of the Controller, i.e., the Company management, which takes the decisions that will ultimately expose the Company to, or protect it from, the financial or criminal sanctions provided for by the various legislation in force.
What does the DPO do to deserve such favorable treatment? Basically, he/she is the representative of the governmental/supervisory privacy authority within your company: an independent monitor of sorts that companies are compelled to appoint, irrespective of any legal sanction for non-compliance.
A. A Metamorphic Role
The DPO is an expert in data protection, which in itself does not say much. He/she may have a legal or IT background.
B. A Transversal Role
Companies seem to have failed to take into account the size and significance of the missions assigned to the DPO.
DPOs I have met are generally IT or commercial lawyers who have taken on the role and navigate it with the support of outside consultants and lawyers. Some are CISOs with a project management and compliance background, mostly in US companies.
To properly accomplish these missions, the DPO must be both a people person and a paper person. He/she must be autonomous and not afraid to take positions that may not please the business.
The people person role will help the DPO work with the various functions involved in data protection: Human Resources, Information Technology and Marketing are the obvious ones, but the Sales and Retail departments, sustainability, finance and innovation must also be involved.
The paper person role will show in the policies, which should be applicable without needing to be explained and flexible enough to adapt to the various changes the company will have to make throughout the year to comply with the law and to secure its business.
There is one professional who is independent, autonomous, a project manager, a people and paper person, used to professional secrecy and naturally protected from termination. There is a professional who has long been working within the parameters of what the GDPR prescribes.
The independence of this professional may, however, come into conflict with the need to actually be within the company, to work in it with its many departments and services, rather than monitoring from afar.
This professional is a Privacy Lawyer who would be seconded to the company, first as a project manager and then as a DPO, who could have someone from his/her firm monitor and follow up any privacy issue, and who is used to negotiating contracts, holding technical discussions with experts, and working in an international environment and with governmental authorities.
In the same way as the regulator he/she represents, the DPO will define for each company a reference framework (a "referential") for each type of data processing, based on the purpose of that processing: e.g., Human Resources Management, Customer Management, Supplier Management.
For each processing operation that meets the conditions set in the corresponding referential, and provided the other conditions set by applicable local legislation are also met, no specific privacy impact assessment will be needed, only the basic details required for data mapping. For all others, a Data Protection Impact Assessment (DPIA) will be carried out.
This process, this DPO, this Privacy Professional is the key to successfully guiding your business and its management through their digital transformation.