The DPO of tomorrow

Which DPO are you?
Like the General Data Protection Regulation itself, the role of data protection officer calls for a cross-cutting set of skills. Legal, organizational, and relating to logical and physical security: in light of the projects to be carried out, these skills now appear essential to meeting the challenges of this function.
Regulation 2016/679, known as the General Data Protection Regulation (GDPR), established the profession of data protection officer (délégué à la protection des données, DPD, in French; DPO in English) within the European Union (EU).
Although it is considered a new profession, it should nevertheless be remembered that the "Datenschutzbeauftragter" was, as early as 1977 in Germany, a mandatory function for organizations with more than ten employees.
Directive 95/46/EC of 24 October 1995 then allowed this function to spread across the European Union, opening up the possibility for public and private organizations to designate a person responsible for the protection of personal data (données à caractère personnel, DCP). When transposing this directive into the Data Protection Act (loi Informatique et Libertés) in 2004, France created the function of Data Protection Correspondent (Correspondant Informatique et Libertés, CIL), whose designation was optional.
At the time, the law provided that the correspondent was a person who "had the qualifications required to carry out their missions", with no further details. These skills were understood to cover information technology and new technologies as well as the regulations on the protection of personal data, and also the field of activity in which the correspondent worked.
“In December 2020, the Data Protection Officer job ranked first among the most sought-after jobs on LinkedIn”
Enshrined in the GDPR, which regulates its designation, functions, missions and certification, the profession of DPO is now considered a profession of the future. Indeed, in December 2020, the job of Data Protection Officer rose to first place among the most sought-after jobs on LinkedIn in France, with 32 times more professionals listed on this professional social network than in 2015.
Paradoxically, the resources describing the expected skills remain sketchy. The guide for data protection officers published by the CNIL in November 2021 mentions legal and technical expertise in data protection as well as knowledge of the sector of activity, of sectoral regulations and of the organization of the structure for which the DPO is appointed.
The DPO must also have the personal qualities necessary for this function, such as integrity, a high level of professional ethics, and the ability to communicate, to explain in plain terms and to convince.
Since 2016, many leaders have asked themselves the same question. What profile do you need to have to be a DPO?
According to the study carried out by Afpa's Business Foresight Department in 2020, at the request of the Ministry of Labor, Employment and Inclusion (DGEFP) and in partnership with the CNIL and the AFCDP, around 28% of DPOs have an IT profile and the same percentage a legal profile; the remaining 43% come from administrative, financial, compliance, audit and similar functions.
Presented as an orchestra conductor, the DPO must, as part of a compliance process, necessarily be in a position to manage a portfolio of projects.
This first skill brings us to the next question. Which DPO are you?
There are three types of DPO: the DPO "who does it for them", the DPO "who does it with them" and the DPO "who gets them to do it".
Besides the fact that the first is the one who will burn out the fastest, our Good Samaritan will miss the main objective. Indeed, the job of DPO is also synonymous with leadership: the DPO must succeed in involving the various departments in their own compliance process. The main objective is to launch a dynamic within the organization that appointed them, until the business lines can be autonomous on the subject.
The DPO "who does it with them" explains, raises awareness, maintains a supportive posture and can, once the subject is mastered within the departments, move to "getting them to do it" in order to ensure that compliance is maintained over time.
In any event, regardless of the posture adopted, the DPO must at the very least be in a position to ensure the smooth running of the various projects needed to meet the expectations of the regulatory framework.
Indeed, for the DPO, the path to compliance can resemble a form of pilgrimage towards Adequacy (the adequacy of privacy).
Embarking on a compliance approach often begins with an inventory, in order to define a roadmap. For this exercise, the EBIOS method now seems to be the approach that covers the broadest spectrum and is best suited to the problem.
The EBIOS method (Expression des Besoins et Identification des Objectifs de Sécurité, "expression of needs and identification of security objectives") is an information-system risk assessment method developed in 1995 by the Central Directorate for Information Systems Security (DCSSI) and maintained by the National Agency for the Security of Information Systems (ANSSI), which succeeded it in 2009.
This method has been adapted to the data protection context by the CNIL in order to structure the Data Protection Impact Assessment (DPIA; AIPD in French) process.
For the DPO, EBIOS is like a common thread: all the control points relating to the various possible measures for achieving compliance that meets expectations are covered by the approach. Legal, organizational, and relating to logical and physical security, these measures make it possible to address every subject, from fundamental principles to the security of the data concerned.
Suited to carrying out an inventory, these measures also make it possible to harmonize the accountability process when mapping processing activities, and to reuse that inventory for data protection impact assessments.
At Infhotep, we believe that the DPO of tomorrow could have a legal profile with an excellent understanding of IT security issues, or an IT profile with a command of the legal principles inherent in the field. Whatever happens, they will need several strings to their bow.
They must have public-speaking skills to raise awareness; leadership and patience to build the register of processing activities; an analytical vision to document all the necessary procedures; a mastery of risk management to verify that data protection impact assessments are carried out properly; situational intelligence to ensure the legal security of their organization during contract review; and, failing that, be a talented negotiator to obtain the budget that allows them to combine all of these skills.