DPO profile: Laure Cartigny, Risk Mapping Manager and Deputy DPO of the Bolloré Group

We had the chance to interview Laure Cartigny who shared with us her background, her organization and her vision of the DPO profession within the Bolloré Group.
— How is the dual role of DPO and risk mapping manager an asset on a daily basis?
— Faced with varied activities and therefore with diversified personal data issues, how does one make all the entities of a group like Bolloré aware of the challenges and impacts of the GDPR?
— What is her vision of the future of the DPO profession and, more generally, of the organization of companies in terms of compliance?
Because the experience of a Data Protection Officer can inspire others, because we believe that sharing best practices allows organizations to save time and compliance to gain ground, every month, we give the floor to one of them.
Can you look back on your career and what led you to become a DPO within the Bolloré Group?
I joined the Bolloré Group in 2001. Originally attached to the Legal Department, my training as a corporate lawyer allowed me to quickly understand the legal challenges of a very diversified group like ours. I was then attached to the General Secretariat, one of whose missions concerned the implementation of the Group's Ethics and CSR strategy.
So I had the chance to participate in the development of the company's social, environmental and ethical policy. It is in this context that we started to take into account the protection of personal data more closely, even before the entry into force of the General Data Protection Regulation (GDPR).
I then became an IT and Civil Liberties Correspondent for several Group entities and then responsible for risk mapping attached to the Financial Department and DPO of several Group entities including Bolloré SE and Deputy Group DPO. This double “risk/data protection” hat is very useful to me on a daily basis. In particular, it allows me to more easily balance the risks for the company and the risks for natural persons.
In terms of organization: how did you identify your internal partners, how do you mobilize them, coordinate them in a structure of your size?
Of course, in a group like Bolloré, it is unthinkable to rely on a few people within the Holding to comply with the GDPR. It was therefore essential to mobilize the entire Group in order to define relays in the divisions (transport & logistics, communication and electricity storage).
As such, I am supported by a person who holds a master's degree in cyber-intelligence, cyber defense and cybersecurity, with both the legal and technical skills necessary to carry out DPO missions. So we started by raising awareness among senior management about the challenges and potential impacts of the GDPR. We then mobilized the various departments within the Group's divisions.
The objective was to bring this subject to the attention of management, to show them in a concrete way what the impacts could be on their activities. We therefore relied on division directors to help us identify and name people who could be DPOs (when these designations were mandatory) or data protection officers. We have also asked the transversal departments dealing with personal data on a large scale, whether of employees, customers or suppliers, to designate relays who can communicate with the DPOs and referents. 117 DPOs and GDPR referents have been appointed to date within the Group. They are mainly present in Europe. However, referents and DPOs are beginning to be appointed internationally.
These appointments follow the emergence of foreign legislation on this subject. We have created a steering committee dedicated to data protection, which brings together all of our DPOs, the GDPR referents from the HR and Purchasing departments, but also members of the IT Department and the IT Security Department as well as the legal department.
This committee meets regularly and defines priority and transversal projects, validates procedures related to these projects and constitutes a valuable time for exchange between DPOs and representatives of transversal functions.
It seems to me that one of the essential qualities of a DPO is to have good interpersonal skills, which makes it possible to federate the teams in charge of data protection and facilitates interactions with the “business”. Indeed, a thorough knowledge of the company's activities helps to fully understand the issues related to personal data.
This global knowledge seems particularly important to me in a group like ours whose jobs — and therefore questions relating to personal data — are very diverse. Finally, in addition to technical skills, relating to the security of information systems, or legal skills, one of the keys to success is knowing who to contact to obtain the information you need.
What obstacles did you encounter and how did you overcome them?
Like any new legislation, the GDPR was perceived as a new layer of constraints, reinforcing the obligations of an already existing law — in France the Data Protection Act — and bringing its share of additional difficulties for companies.
To remove this obstacle, as I already did during the emergence of other laws, it was important to recall the normative context of which this text is part. Why was the GDPR implemented and what are the risks for the company if it does not comply? A reminder of the significant administrative and financial sanctions (up to 4% of global turnover!), not to mention the risks in terms of image and reputation, underlined the direct impacts of the European regulation (which are quite similar to what a company may incur under the Sapin 2 law or on the duty of vigilance) and thus drew the attention of our interlocutors.
“The amount, the increasing frequency of fines and the fact that the supervisory authorities no longer hesitate to impose significant sanctions helped our interlocutors to become aware of the importance of complying. Indeed, the risks involved are the same as in terms of compliance or CSR.”
Another obstacle concerned more particularly the newly appointed DPOs who were wondering if they would have sufficient skills to deploy this new European legislation and how to assess the risks for natural persons.
To remove this obstacle, we support each of our DPOs through monthly or weekly meetings that we organize, in order to help them take office. We guide them in this perpetual search for a balance between the risks incurred by natural persons and the interest of the company in implementing data processing. Finally, this change of perspective is not so complicated to make.
“The two notions — risk for the individual and for the company — are not contradictory, quite the contrary. As soon as we reduce the risks for individuals, we ultimately reduce them for the company.”
Why did you choose the Adequacy solution?
First of all, it is important to specify that the DPO Group management did not impose Adequacy on the members of the steering committee. We asked several volunteers on this committee to test different solutions and then present them to the whole team.
Adequacy was acclaimed. The ease of handling, the constant online help and the possibility of calling on the Infhotep team at any time were particularly appreciated. We have developed a relationship of trust with our Adequacy interlocutors, which allows us to transmit to the teams in charge of the tool our requests for evolution and improvement.
Thus, we were beta-testers of the latest version V5.0 released in May 2021. Feedback from users has been very positive about this simplified version of the tool.
What is your vision of the DPO profession and of the future challenges concerning the compliance of organizations?
It is clear that today's DPO has nothing to do with yesterday's CIL!
It seems to me that the function of DPO, just like that of Information System Security Manager, will increasingly be at the heart of the company and its management. Whether for new applications or new services, everything, more or less, will revolve around information systems and new technologies.
The role of the DPO will be strengthened, to frame the use of personal data from the first reflections initiated around a project or a service evolution, but also, increasingly, to challenge the CISO.
“I think that an organization's compliance will be evaluated more and more globally. Companies will therefore have to evolve by setting up, for example, a governance committee that will not only be composed of general management, financial and legal directors, etc., but will integrate (if this is not already the case) the DPO, the CSR director, the Compliance Officer, the CIO, the CISO.”
Together, these players will play a key role in supporting the growth of the company and its adaptation in the face of technological developments that are sure to follow one another.
We thank Laure Cartigny for this interview and for her passionate vision of the DPO profession within the Bolloré Group. You can follow and contact Laure on her LinkedIn account.