DPO profile: Johanna Périer, outsourced DPO at GIP Recia

We had the pleasure of interviewing Johanna Périer who shared with us her background, her actions and her vision of the outsourced DPO profession for GIP Recia.

Why use an outsourced DPO for the protection of your data?

Why is GDPR compliance software essential to the DPO profession, and especially for an outsourced DPO?

Outsourced DPO: a job with a future?

2 years after the implementation of the GDPR, we see that there is not only one possible strategy for GDPR compliance. Identifying and adapting what is being done elsewhere can be a good way to continue to comply over time.

‍

Can you look back on your career, which led you to be an outsourced DPO at GIP Recia today?

‍

Throughout my university career in public law, I have always had a keen interest in what is called “the general interest”, which has translated for me into the desire to participate in the implementation of public policies. In 2018, I started writing a final thesis on the dematerialization of public services and the impact of this dematerialization on them.

At the same time, the GDPR is coming into force and I can, at that moment, understand all the implications it has for public structures. I then had the chance to do a double internship at the Deux-Sèvres Departmental Council where I work both in the legal field, with the DPO of the structure and on questions of dematerialization of administrative services.

This experience reinforces my desire to become a DPO in the public sector, a job in creation that involves both legal and IT aspects, but also aspects related to the evolution of practices and to the very concept of public service.

In 2019, I joined the public interest group Recia as an outsourced DPO. The GIP Recia, which has existed since 2003, aims to support public entities in the Centre Val de Loire region in their approaches related to information technology and the evolution of practices. I did not hesitate to move and change regions to take up this position, which fully met my expectations and deep beliefs.

What advantage can working within a team of outsourced DPoS bring?

‍

Working within the shared DPO team at GIP Recia is a real advantage. We are a team of 5 DPOs, with multiple skills. Each of us has specific skills in various fields, law, IT, knowledge of the institutions we support, communication, etc.

While we are each responsible for our portfolio, we work in synergy with each other. This is an undeniable asset: we can discuss the various issues, compare our points of view, which allows us to have a more global vision and to provide quality answers. This is the spirit carried by GIP Recia, based on our team relationship, we are able to work on several fronts at the same time.

Thus, we are always in a position to provide permanent and adapted support to our partners. Being a team also allows GIP Recia to be represented in the various data protection working groups, whether local or national.

What is your vision of the outsourced DPO profession, and especially in the public sector? What are the keys to success? What skills and qualities do you think are essential?

‍

I avoid making a distinction between outsourced DPO and internal DPO for the simple reason that we face the same problems. We are both in a mission to support the data controller, to raise awareness among services and to participate in various projects that involve issues related to data protection.

Beyond taking charge of administrative procedures, we also have a role in supporting change and sometimes even as a “whistleblower” in the sense that the GDPR can be seen as an additional constraint imposed on local authorities. We must then make our interlocutors understand, with patience, listening and diplomacy, the importance of involving the DPO in all procedures.

On the keys to success, I will list, in my opinion, 4 fundamental ones:

— listening: let's never forget that agents are the ones who have all the data in their hands. If we don't listen to them, if we don't understand how they work, we won't be able to improve the level of data protection.

— adaptation: we are dealing with human beings, so it is necessary to adapt to the skills of each person, to their sensitivity. For example, the same problem will not be resolved in the same way between two structures, or even between two agents.

— support: long-term support is necessary to implement actions continuously and especially to perpetuate new reflexes.

— finally, the ability to put what we say into perspective, to include it in a more general and human context, to talk to agents about themselves, about their family, about their use of the Internet, makes it possible to raise their awareness in a concrete way.

The DPO must have both a good knowledge of the legal environment as a whole to optimally support structures, but also in information technology to deal with the dematerialization of services, the growth of new technologies and all issues related to sovereignty, security and data confidentiality.

As a lawyer by training, I have the instinct to keep myself regularly up to date with legal developments and case law. For IT issues, GIP Recia is fortunate to have highly qualified employees in this field and our regular exchanges allow me to quickly increase my skills. Curiosity can of course be considered as an essential quality of our job.

What relationship do you have with your customers? Who are your internal relays? What difficulties do you have to face?

‍

At GIP Recia, we are not in the logic of “customer-supplier”, and we prefer to speak of “partner” or “member”. Our objective is to enable territorial structures that sometimes have few resources, human or financial, to implement their regulatory obligations, such as the appointment of a DPO or the maintenance of the treatment register, and thus to continue to best ensure their public service missions.

Our internal relays may vary from one structure to another, since we support municipalities, communities of municipalities, unions or even communal social action centers at the same time. We ask each supported entity to designate a lead agent to manage administrative and decision-making issues. They are directors of information systems or directors general of services for the largest entities, municipal secretaries in smaller communities and sometimes also elected officials, proof that the latter are taking up these problems.

We are also in direct contact with all agents who deal with personal data, since as we have seen, they are the ones who are at the heart of the compliance process; they can contact us directly, as soon as they have questions, which allows us to gain efficiency and value them in their efforts. In general, public structures and the agents that make them up, striving to serve the general interest, are already aware of the importance of the data they have in their hands. Proof of this is the fact that at the beginning of 2021, we are working with nearly 400 entities, a number that is growing rapidly. Finally, it is perhaps the citizens who are the least aware of the GDPR today...

The main difficulty we encounter, within GIP Recia, lies in the fact that the reference agents already have many missions in their daily work. The risk is that the link may be broken, often due to lack of time, during the renewal of municipal council for example. Our role is then to maintain this link and to reassure them without overloading them with work. Each request from them for compliance is for us a great satisfaction and a recognition of our job as DPO.

Why did you choose Adequacy and how does this solution help you on a daily basis in your business?

‍

Our DPO team is currently working with nearly 400 partners. In this context, using a software solution for a structure like ours, which uses pooling, seemed essential to us in order to save time and increase efficiency.

The Adequacy Solution helps us manage each structure independently while allowing us to move from one community to another easily. In addition, this tool offers us the possibility to collaboratively create a common work base. In this way, we harmonize our substantive work on the one hand and we specify our work for each community on the other hand. Having business software is really a plus in our business. Depending on their wishes and possibilities, we offer access to some of our beneficiaries, but this is not systematic. We also work together with the Adequacy teams to develop the tool. For example, we have worked a lot together on the register of processing activities so that it is as clear, accessible and attractive as possible for our beneficiary entities.

What future vision do you have for the outsourced DPO profession?

‍

My vision concerning the future of the DPO profession is a bit biased because, within public structures, using a DPO is a regulatory obligation. So I tend to say that my job is going to last as long as the GDPR remains in force! In the public sector, the function of shared DPO is tending to develop, especially in small and medium-sized administrations, which do not always have sufficient resources and skills in terms of data protection.

In general, and even if done so, the GDPR is taking up more and more space in both the public and private sectors. Data is increasing in value, and questions about its protection are becoming crucial. In this context, the profession of data protection officer can only be strengthened, since he is the human being behind the texts, guaranteeing respect for our fundamental freedoms.

We thank Johanna Périer for this interview and for her passionate vision of the DPO profession. You can find all the information about GIP RECIA on its website and contact Johanna on her Linkedin account.