Should you entrust your compliance and DPO function to a legal or a technical profile? The Data Protection Officer (DPO) is a genuine Swiss Army knife: versatile skills, excellent communication, and diplomacy. Here are some tips for carefully choosing the profile of your referent. This is our product news of the day.
GDPR legal expertise, the essential skill of a DPO
On September 20, 2018, the CNIL published a certification framework for the competencies of a Data Protection Officer.
Without surprise, basic legal knowledge is essential:
- The obligations of protection and security of data are legal obligations (GDPR European Regulation; Data Protection Act) whose scope is interpreted in numerous legal texts (EDPS opinion, CNIL deliberations, judicial or administrative case law…);
- GDPR compliance requires reviewing subcontractors’ contractual commitments, signing standard contractual clauses, or conducting compliance audits.
In France, the DPO is often seen as the successor to the former data protection officer role, a position that primarily called for legal expertise.
Technical skills, the must-have for GDPR compliance
No, your DPO won’t necessarily be a lawyer.
The study “Implementing the General Data Protection Regulation,” conducted in 2019 by the DGEFP with the support of AFPA in partnership with AFCDP and CNIL, shows that while legal profiles account for more than 30% of current DPOs, technical profiles account for a similar share.
Indeed, technical skills are essential to succeed in GDPR compliance:
- Protecting data is, first and foremost, about ensuring the security level of the systems that store it;
- You need to understand the technical architecture and the operation of tools and applications. Technical knowledge also helps better perceive the impacts of data protection measures on information systems.
Organizational skills and GDPR compliance at the heart of governance
Your DPO must understand corporate governance: they advise on and support the development and deployment of procedures and policies.
They must also be able to conduct audits, propose and evaluate risk reduction measures, and monitor their implementation.
The DPO must apply a change management plan to disseminate an IT culture and a privacy-by-design approach. In this respect, they must fight against the temptation of “everything right now.”
- The task of the DPO is immense. Trying to bring every existing asset into compliance at the same time is madness;
- It is better to take a progressive, risk-based approach. Why not prioritize the 20% most sensitive assets first?
Communication and diplomacy, the strengths of your DPO’s success
Data protection is primarily about managing human relationships.
- Communication and education, anywhere, anytime. You need to create a sense of ownership among the departments that must bring their data processing into compliance.
- Adaptability, open-mindedness, and listening skills. Your DPO will have access to all your departments and subsidiaries. To succeed, they must be accepted by each of these environments.
- A facilitator. The DPO should block fewer projects than they support at launch in order to secure them. They must know not to always say no, and be a source of concrete proposals for making a project compliant.
DPO – Our tips for recruiting and retaining them
- Evaluate their autonomy. A DPO will often be alone in carrying out their duties and may have little access to senior expertise. Your DPO will need to join networks of peers to exchange information and conduct research.
- Ensure the support of top management. This must not be a cosmetic procedure.
- Provide them with the necessary resources, including training, tools, a dedicated internal team, and external support.
- Make it easy for them to report to the highest level of the company, not just to directors.
Conclusion: The right profile is the one that meets your specific needs
While DPOs were primarily lawyers in the past, today’s DPO has a more diversified profile. They need technical expertise, organizational skills, and excellent communication abilities.
The profile to choose depends on the specificities of your company. Does your company outsource a significant part of its activities? Does it depend on an international parent company that sets internal governance to be followed, or is it a French company?
These are examples of questions to ask yourself when carefully choosing who will take up the challenge of GDPR compliance.
Fortunately, this mission can be supported by using tools that simplify the management of certain aspects of the regulation. The cookie management module from Axeptio is a good example.