DPO Profile: Régis Ghozlan, DPO at UFC-Que Choisir

We thank Régis Ghozlan for having kindly answered our questions about his job as DPO at UFC-Que Choisir.
— How is the GDPR compliance organized for an association of 135 people that also federates 140 local associations?
— Why is the management of personal data a particularly strong challenge for UFC-Que Choisir?
— How to fight against the loneliness of the DPO and improve the link with the supervisory authorities?
Because the experience of a Data Protection Officer can inspire others, and because we believe that sharing best practices allows organizations to save time and compliance to gain ground, every month we give the floor to one of them.
Can you look back on your background and what led you to be the DPO of your organization?
I joined UFC-Que Choisir in 2005 as CIO. My first mission was to stabilize the association's IT, especially with regard to hosting platforms. I then moved on to the organization of projects with the aim of professionalizing a certain number of association processes. I took advantage of this activity to become a Correspondent Informatique et Libertés (CIL) in 2014. Indeed, I felt at the time that data and the protection of personal data were going to become very important and this position of CIL allowed me to know all the projects dealing with personal data. In 2018, I was therefore naturally appointed DPO.
In terms of organization, how were you able to identify and mobilize internal relays?
The UFC-Que Choisir is composed of two main divisions: a publishing section that produces the famous Que Choisir magazines and the QueChoisir.org website, and a political section that fulfils the mission of the association.
The UFC-Que Choisir has long campaigned for the protection of personal data, so I work in an environment that is very favorable to this problem. So I did not need to convince or fight to raise awareness among the teams on the subject. On the other hand, coming from the IT department and the organization of projects, I had in mind the mapping of all the IT elements. People naturally came to me for questions about personal data, whether from a purely legal point of view or for project or IT issues. I finally had a global vision without the need for relays and I was lucky enough to benefit from the total support of Jérôme Franck, the CEO of UFC-Que Choisir, who is a lawyer and sensitive to this subject.
With regard to local associations, we used Gestal, an ERP-type application that allows you to manage all memberships and members, to deploy the personal data protection part locally. Gestal relays have for the most part also become DPO referents, and it is on them that we have relied to harmonize our practices.
What obstacles did you encounter and how did you overcome them?
As we are a consumer association that has always advocated the right to data protection, I was dealing with teams who told me they had “good intentions”. However, in data protection, it's not just intentions that count! It is good to take into consideration everyday practice, and sometimes this practice was not in accordance with the GDPR. So I had to harmonize the ways of doing things within the federation, in the different departments (distribution, marketing, etc.). This was not always easy because changing a number of practices can cost money and subscribers.
It was then necessary to carry out this harmonization work within local associations. Indeed, the UFC-Que Choisir is perceived as a single entity, but in reality it is composed of 140 local associations that are independent of each other.
“The GDPR forced us to take over the database and restructure ourselves from an administrative and contractual point of view.”
This aspect was cumbersome to manage but, in the end, it was very useful, well beyond the GDPR.
Do you think that you had a particular challenge, as a consumer association, in being exemplary on this issue of personal data?
Indeed, as UFC-Que Choisir, we must be, I would say, “whiter than white”.
It is therefore necessary to manage this “schizophrenia” on a daily basis between marketing needs and the political part of UFC-Que Choisir.
When it comes to marketing, I try to reassure them by explaining to them that everything is not forbidden and by showing them what can be done. We work together to find out what they need.
For the political part, I make them aware that we must be careful, when they make statements about personal data, not to be too extreme so as not to have an impact on us at the operational level. I admit that it is not always easy to manage. Thanks to my field experience, I try to keep a critical eye on the application of the GDPR, and to share it with our legal department, which works in close proximity with the CNIL. In the end, I am constantly the shepherd who takes care of the goat and the cabbage.
Why did you choose the Adequacy solution?
To deal with the multiplicity of processing operations to be managed and the impact analyses to be carried out, I needed a tool that would take on a lot of the work and provide me with real assistance in creating the register. I looked at several solutions, and noticed that many of them wanted or pretended to do everything. When the law firm that accompanied us told us about the Adequacy solution, I asked for a demonstration and was simply amazed. Adequacy has understood very well the issues related to the DPO profession. Coming from the IT world, I really appreciate the quality of the interface.
Once we understand that the initial configuration takes time, but saves a lot of time later, the tool is easy to use.
For the moment, I am the only one who has access to Adequacy with my team. Now that we are aligned from a contractual point of view, the next step is to open access to the GDPR referents of local associations.
What is your vision of the DPO profession and the future challenges concerning the compliance of personal data?
Historically, it seems to me that the implementation of the GDPR is similar to the implementation of finance and tax laws in France. This gave birth to accountants, auditors... The DPO finally resembles these jobs. It is essential: it is he who ensures the company's responsibility in terms of personal data.
However, unlike finance, nothing is yet standardized in this area. The GDPR is a text subject to numerous interpretations and the DPO is confronted with sudden decisions by supervisory authorities, which sometimes make him lose his credibility. In the end, the DPO is quite alone and, contrary to what existed at the time of the CIL, there is no longer any training, no more forums or access to the CNIL.
For the future, it is essential to recreate a stronger link between DPOs and supervisory authorities. Some associations such as AFCDP try to fill this gap by setting up an annual forum, for example, but they have no real power. Finally, there should perhaps be consumer associations within the CNIL...
“We are in a phase of brush cutting; let's hope that this phase does not last too long.”
It is up to the CNIL to trace the route for us, and not to lead us into dead ends!
Personally, I think, for example, that the current interpretation of the GDPR by the CNIL, which bases everything on consent, is not the right one. For me, this principle makes anything and everything possible once the consumer has given their consent. But in reality, the consumer is completely lost! In my opinion, it would have been simpler and more effective to create a code of law that would have defined what you actually have the right to do with this personal data.
In summary, I think that the GDPR has raised awareness and that is very good, I am more circumspect about how it is implemented and how all this will stabilize in the future.
We thank Régis Ghozlan for the interview he gave us. You can follow and contact Régis on his LinkedIn account.