DPO profile: Cécile Degeorge, DPO at Bouygues Immobilier

We had the chance to interview Cécile Degeorge. Together we looked back on his career and his actions as DPO of Bouygues Immobilier.

Is there an advantage to having a background as a Digital Manager to be a DPO?

What is the ideal Task Force to successfully implement GDPR compliance?

How can employees be made aware of this objective?

2 years after the implementation of the GDPR, we see that there is not only one possible strategy for GDPR compliance. Identifying and adapting what is being done elsewhere can be a good way to continue to comply over time.

In this exchange, you will undoubtedly find some good practices that will inspire you.

‍

Can you look back on your career and what led you to become a DPO at Bouygues Immobilier?

‍

After 10 years at Bouygues Telecom in the marketing department, in particular as manager of the management of the client website, I became the digital service manager at Bouygues Immobilier, in charge of commercial prospecting via the web. I was then given a mission on Big Data, as part of the “digital booster” initiative, which aimed to bring out new subjects in the company.

I then saw the RGPD arrive, which interested me and so I asked to become the group's DPO. Thanks to my background in Digital, I had a very good knowledge of operational issues and risky subjects, especially in relation to prospects and customers. On the other hand, I had to acquire the regulatory and technical part and to this end I followed a training course as a certified DPO at the Technological University of Troyes, in partnership with PWC.

‍

In terms of organization: how did you manage to identify and then mobilize internal contacts to ensure the compliance of your organization?

‍

When I became DPO in March 2018, the subject of the GDPR was a priority for the company: it was sponsored by my manager at the time, the director of digital transformation, who was at Comex. With Delphine Poppe, the CISO and a person from the legal department, we formed a trio fully mobilized to move forward hand in hand on this subject of compliance. Steering committees were organized every month, followed by production committees that took place every week at the start of the project. The involvement of the various actors was strong, also facilitated by the presence of an MOA project manager who in particular asked the professions to establish the expressions of need.

Undeniably, my background and my good knowledge of the fabric of the company have been an asset in mobilizing the various actors, such as sales managers in the regions. It also seems to me that my approach has made things easier: I have always tried to be supportive rather than constrained. I have always considered the DPO profession as a “business partner” who seeks solutions with the professions to comply with the GDPR.

“A digital background and a good knowledge of the business fabric are an asset in mobilizing the various players”

Another important point in our organization was the professional complicity that developed with Delphine Poppe, with whom we share the same vision and the same desire to help the trades to do things right. This tandem, this complementarity, this strong availability, this shared operational approach to the subject and the emphasis given to support rather than coercion have helped us a lot, and continue to be very useful.

Now that compliance is under way, the organization is evolving: I am now attached to the legal department within the General Secretariat and we are in the process of setting up monitoring committees to be able to anchor the project in the long term. We still organize very regular meetings with the subsidiaries for which I am DPO and I continue to report to management on essential topics.

‍‍

What is the main difficulty encountered by a DPO?

‍

Despite our educational efforts and the intensive exchanges that I can have with the professions, the appropriation of this regulation by employees who are focused on pure business, far from regulatory constraints, sometimes remains difficult.

While the RGPD is well regarded as an important subject in the group, with a great deal of commitment from management, its consequences do not always seem clear for operational staff, who find it difficult to take ownership of the regulation and to understand the importance of implementing certain types of compliance, such as monitoring contracts, for example.

“The appropriation of the GDPR by employees focused on pure business is sometimes difficult”

As a result, it is sometimes complicated to get them to join, participate, and play their role. We have already set up e-learning modules, we work with management and regularly deploy awareness-raising actions, which we have made mandatory for all employees in contact with customers and prospects. But educational work must continue to make everyone aware that data protection concerns us all.

‍

Thanks again to Cécile Degeorge for the time she devoted to us and her speech on the subject of GDPR compliance. For those who want to talk directly with her. Cécile Degeorge is present on LinkedIn.