Role, place and qualities of the DPO – Video interview with Jérôme Deroulez
Be a conductor
The real difficulty for the DPO is to succeed in setting the GDPR to music. It is necessary to have a global vision, to be able to audit different services in a company, to manage all relationships between data controller and subcontractor within the same group. The DPO must succeed in imposing himself in order to spread good practices: what can and cannot be done, in marketing, in human resources, in contracts or elsewhere. Commercial prospecting is also one of the spearheads of the Cnil program for 2022. The aim is for everyone to speak with the same voice.
We can be very inventive when it comes to awareness and education. During the incarceration, many companies wanted to set up games for employees. These games became personal data vacuums because people were chatting. Most of the time, companies did not foresee the consequences of such problems. The DPOs must put themselves in the shoes of all interlocutors, understand when a service wants to deploy a new tool, when a company wants to buy another. So he must be a good negotiator. There are sometimes negotiation logics, you have to explain and convince, sell the GDPR. Some DPOs still feel that they are seen as outsiders, as a hindrance to the company. The risk of poor data management isn’t just the punishment, though: it’s reputational damage as well.
Find his place
Where is the DPO going? The company should consider whether it chooses an in-house DPO or an outsourced DPO. Today we find all the configurations. There is the former DPO that we changed, the one that has been recruited. The profiles are often young, which can pose a legitimacy problem when it is necessary to go to an HR or an experienced DSI to tell them that the way of working needs to be changed. Ultimately, though, a company that manages its data very well can add value to it, both in reputation and for resale.
What is it like to be compliant? How to be compliant How to apply the main principles of the GDPR? All these questions run through the mind of the DPO? The GDPR does not provide a checklist, these are principles that must be implemented depending on the organization. The DPO monitors compliance with regulations, ensures good governance and the effectiveness of processes. We often notice in a company that there are many tools, privacy charters, data protection, etc. However, it does not work, no one knows who to turn to for the protection of personal data. On paper, these companies have everything, but it is not effective. Depending on the activity and size of the company, the data will be exchanged in an international context or will be sensitive data. You have to be careful on all these points.
Working with compliance
We often talk about GDPR compliance, but today it is a topic that is integrated into compliance. Job descriptions in large groups, in accordance, always include a section on data protection. Logical: we will have to ask ourselves how to escalate alerts, how to set up internal investigations, how to manage international transfers, etc. On the other hand, data protection is a more timid topic in M&A. However, these operations result in the recovery of a lot of data. Employees must be well informed about the processing that will take place. The key is not to work in silos as compliance issues come together.
When we create awareness about the security of personal data, tools and access, we create value. There is a proactive approach, which encourages us to always anticipate risks with every new project. Corporate governance is evolving, companies are understanding the issues better, especially in light of the explosion of cyber risks.
Interview by Olivia Fuentes