DPO profile : Agnès Peria, DPO from Vallée Sud

We had the pleasure of interviewing Agnès Peria. Together we looked back on his career and his actions as DPO of Vallée Sud-Grand Paris.

Why is perfect knowledge of the workings of the organization an asset for the DPO? How to properly initiate the GDPR compliance project? How can you maintain your skills on the many topics related to data protection??

2 years after the implementation of the GDPR, we see that there is not only one possible strategy for GDPR compliance. Identifying and adapting what is being done elsewhere can be a good way to continue to comply over time.

In this inspiring exchange, you will undoubtedly find some good practices that will nourish your thoughts.

‍

Can you look back on your career and what led you to become a DPO at Vallée Sud?

‍

A lawyer by training, I have carried out missions for more than 25 years in the service of assemblies, within municipalities and then within an urban community. I was also responsible for public procurement and legal affairs. I really appreciated the transversality of these missions, which allowed me to fully understand the organization that is at the heart of the functioning of the community.

In 2016, following the NoTre law, Vallée Sud Grand Paris, a new territorial public establishment, was born from the merger of two agglomeration communities and a community of municipalities. I then want to evolve and, with the arrival of the RGPD, my director general offers me to take charge of this problem and to become a Data Protection Delegate.

Data protection has an impact on all sectors and activities in the community

My legal experience, my in-depth knowledge of the community and my ability to look at it in a transversal way, as a whole, were assets in taking on this new responsibility. Indeed, data protection has impacts in all sectors and all activities of the community, and it was therefore necessary to have this ability to understand the community as a whole.

‍

In terms of organization: how did you manage to identify and then mobilize internal contacts to ensure the compliance of your organization?

‍

As soon as I became a DPO in April 2018, I made an appointment with the directors and heads of departments of the community, in particular those who were the most impacted by the new regulations, such as HR for the internal part, or sectors related to the population (media libraries, conservatories, swimming pools, household waste, etc.).

We then did a mini-audit in each sector to identify the treatments in progress, the existing problems, the organization to be improved... This first contact allowed me to identify people who were sensitive to the subject, on whom I subsequently relied and with whom I am still in contact.

Once the audit phase was over, we moved on to the action plan, taking on the projects one after the other. On a daily basis, I see that the various departments are gradually taking up the subject.

In terms of organization, I depend on a Deputy General Manager who reports directly to the General Director of Services. Both understood the challenge of the GDPR and gave me the means to start the process.

The growing media coverage of this subject, the increased awareness of the population and the multiplication of cyberattacks are promoting internal awareness.

Thus, they accepted support from an external firm and the recruitment of an intern. Clearly, the growing media coverage of this subject, the increased awareness of the population and the multiplication of cyberattacks — which are being talked about more and more — are promoting internal awareness. The community has understood that the RGPD and, more generally, the management of personal data is becoming an issue of trust for citizens. My hierarchy also understood that as DPO, I was there to protect the data controller, namely the President. For its part, the latter is attentive to the fact that the community manages personal data ethically, securely and in accordance with the RGPD.

‍

What is the challenge that you are particularly proud to have overcome?

‍

I am particularly happy to have succeeded in raising awareness among the whole community about the GDPR. We were going a long way! Indeed, we were a brand new community that had just experienced an administrative upheaval, linked to the merger. Taking into account the GDPR could seem like an additional difficulty. The fact that I know the workings, the organization and the agents well helped me meet the challenge. With the support of my hierarchy, I had the opportunity to participate in “executive” meetings in the presence of directors and heads of departments to explain the challenges of this new regulation and detail what we were going to put in place.

What do I enjoy the most? When agents turn to me because they understood that there was an issue of personal data protection. This was the case recently concerning the observation books made available to the public in town halls as part of the consultation of the population on PLUs. I then tell myself that all the awareness-raising efforts carried out have indeed borne fruit.

‍

What did you wish you had known when you took up your position as DPO?

‍

From my experience, I had a solid legal knowledge but I would have undoubtedly liked to have been better equipped on the technical and IT side. However, I am learning this dimension as I go, in particular by participating in a steering committee every month alongside the IT department. This allows me to increase my skills in these technical and security aspects.

‍

Thanks again to Agnès Peria for the time she devoted to us and her speech on the subject of GDPR compliance.