DPO profile: Jean-Paul Chavant, DPO and CISO at Egis

By Alessandro Fiorentino

We had the pleasure of interviewing Jean-Paul Chavant who shared with us his background, his organization and his vision of the DPO profession within the Egis Group.

— Are DPO and CISO complementary jobs within a large Group?

— How is GDPR compliance organized in an entity of 15,000 people and 270 legal entities?

— What are the next steps in compliance management in a mature organization like Egis?

Because the experience of a Data Protection Officer can inspire others, and because we believe that sharing best practices saves organizations time and helps compliance gain ground, every month we give the floor to one of them.

Can you look back on your career and what led you to become a DPO within the Egis Group?

I trained in telecom system engineering and computer networks. After several years in the field of system deployment, I turned to cybersecurity. In 2015, I joined the Egis Group CIO as Group CISO and then in 2018, a few months before the GDPR came into force, it was quite natural that I proposed my application to also become the Group's DPO.

I say “naturally” because we did not wait for the GDPR to manage personal data, and, as CISO, I already managed all the treatments implemented in the IT department. In addition, the detail of the European regulation showed a lot of similarities with the CISO job (for example for the risk analysis part, or for the techniques and methods to protect personal data, which were similar to the 27001 standard on which the CISO job is based).

By taking on the role of DPO, I was able to bring my technical expertise and governance as CISO to the GDPR part, while the GDPR part allowed me to improve my knowledge of the Group and all functions in the company, to acquire a 360 knowledge of it, and allowed me to work hand in hand with lawyers in an even more automatic way than we could previously.

In terms of organization: how do you work with, in particular, the legal department and the business departments? Who are your internal relays, how do you mobilize them, coordinate them in a structure of your size?

The DPO function is attached to the Legal Director and Secretary General. Having an initial background in engineering and SSI, I wanted to be supported by a lawyer to understand and learn all regulatory aspects and also issues relating to contract clauses.

In terms of internal organization, within an entity like Egis composed of 15,000 people and nearly 270 legal entities, a single DPO cannot manage everyone.

“The conditions for the success of the GDPR depend on the efficiency of the organization put in place.”

We therefore made the choice, in the second half of 2017, to create an office dedicated to data protection, which manages the entire organization of GDPR compliance. This office, which meets monthly, is composed of the DPO, a member of the DSI, a member of the legal department and the audit department. Professionals are also invited to attend according to the problems they encounter.

Beyond our monthly points, which are scheduled, we of course also organize steering points as often as necessary, or according to specific problems that may emerge.

The office also relies on 17 GDPR correspondents who have been appointed within each Business Unit (BU) and support functions (HR, finance, IT department, etc.). These correspondents have all been trained beforehand and they are the ones who make the link with their profession. The DPO, in his capacity as pilot, is at least informed of all subjects. As soon as a situation escapes the profession or the person corresponding to the profession, it naturally goes back to the office, which will be able to react as an “expert”.

“Confronting ideas makes it possible to move the lines.”

We don't decide alone in our money round. The professions are involved in discussions to find the best possible solution for them. It is in fact a question of finding the right balance between “collegial” and “corporate”. Thus, when a Group policy has been defined on a given subject, after having been carefully considered and justified, we are intractable and refuse derogations; for example, we had decided at the Group level that we would impose standard contractual clauses on any company that presented itself with Privacy Shield. We did not want to derogate from it, despite the insistence of certain businesses or subsidiaries. The sequel proved us right!

It seems to me that the conditions for the success of the GDPR are not linked to regulatory, legal or technical issues but depend on the efficiency of our organization, our capacity for discussion and the fluidity of communication.

Confronting ideas makes it possible to move the lines and, above all, to acculturate people to the protection of information in the broad sense. To do this, we organize very interactive training sessions for 3 or 4 people, during which participants can ask questions at any time. These sessions are adapted according to the activity of the participants. On specific projects, contract negotiations for example, we raise awareness among Business Unit GDPR correspondents, contract holders or even business owners, by explaining to them that they have a responsibility by virtue of their function, and that they must become GDPR evangelists among their teams.

When did you choose to implement the Adequacy tool within Egis? How do you work with stakeholders on a daily basis? Were you able to find satisfactory solutions together that were adapted to your organization?

In a Group as big as Egis, taking a tool and twisting the organization to get into that tool doesn't work!

On the contrary, we wanted a tool that adapted to the organization we had thought out and put in place beforehand. As Adequacy is native to the GDPR and compliant with the principles of the French CNIL, it made it possible to move forward the way we wanted.

What was decisive in our choice was the availability and listening of the Infhotep teams, who draw on user feedback to guide the development of the solution and make it evolve, in particular by adding new functionalities. This was not the case with the other tools on the market that we encountered. In fact, each new version of Adequacy — and this was again the case with V5 at the end of May — goes in the right direction, and brings real benefits to its customers.

What do you think are the essential qualities of a DPO?

Patience and pedagogy because you have to know how to face the obstacles of people who must comply with their treatment!

My role as DPO is to indicate whether the treatment is compliant but not to bring it into compliance myself. It is therefore necessary to work on the received ideas and beliefs of each person to get them on the right path. My goal is to make internal managers and treatment managers switch from their usual functioning to understanding the role they have to play in protecting the entire system, beyond the business and individuals.

They must be made to move from a vision of what is forbidden (regulations in general are seen as an impediment to work) to an obligation to do things the right way. I do not forbid them to use personal data, on the contrary, I authorize them to do so, as long as they do so in a way that is respectful of people.

Over the past 3 years, I have noticed a change in perception, an evolution in the majority of people who contribute to compliance. All that remains is to make them real promoters of the GDPR around them! Important educational work is still necessary to involve those who have not yet understood that this subject must be understood, no longer only from a technical or legal point of view, but also in a logic of risk culture, a field for which appetite is quite poorly developed in France.

What are the challenges related to compliance in a company like Egis and what is your vision of the evolution of the DPO profession?

Within Egis, we have reached a first level of maturity in terms of compliance. Now we have to reach the second level, which consists of going from “build” mode to “run” mode. To achieve this, we are thinking of setting up operational DPOs in each BU.

Step 3, which we are conducting in parallel, concerns the international dimension. We have implemented our compliance organization and policy in the same way all over the world, including in countries where there are no regulations in place. Our aim is to continue to make teams in these countries understand that, as a European Group, we have a responsibility in terms of data protection. Significant educational efforts have been made and continue to be necessary, while also taking into account the language barrier. In the same way as for European BUs, we are thinking of developing the concept of operational DPOs in international BUs as well.

In the long term, I think that companies will have a “Security” or “Information Protection” department in the broadest sense, which will bring together profiles with complementary skills: CISOs, lawyers, DPO, people safety managers... All aspects related to security would thus be grouped together in the same direction, for more efficiency, since in the end, everything is linked!

We thank Jean-Paul Chavant for this interview and for his passionate vision of the DPO profession within the Egis Group. You can follow and contact Jean-Paul on his LinkedIn account.
