DPO support and outsourcing of the function: a new market in France.

06.08.19

The challenges of the DPO role: hybrid skills and permanent availability

The recent study by AFPA[1] in collaboration with the AFCDP[2] and CNIL[3] on the initial results of the DPO function, 1 year on from the GDPR[4], addressed the typical profile of today’s DPO: 33% are engineers by training and 31% have a legal background. “Two areas of expertise for the DPO role that are difficult to find in a single person, given the disparity between the educational requirements“, states Nicolas Courtier, a lawyer specialising in technology and information law and contributor to the GDPR practice of DPOSystem (see article). Before hybrid training programmes are developed, public and private sector organisations will be facing recruitment issues. Even subsequently, the DPO will remain isolated in most organisations.

Large groups are obviously in an advantageous position. If they have an in-house compliance team with a variety of profiles they will be able to meet their legal obligations internally. Conversely, smaller organisations and local authorities face greater difficulties adapting to the regulatory requirements.

Another challenge is that of continuity. How to ensure the responsiveness of the DPO in the event of an IT systems crash or an unannounced audit by CNIL? Once again, large groups with a large team will be able to cope, which may not be the case for smaller organisations.

A developing market: DPO support and outsourcing.

In the face of these two challenges (hybrid competencies and a high level of responsiveness), a new market is emerging in France: DPO assistance and outsourcing, incorporating different types of support.

  • Establishing GDPR compliance. This step consists of auditing the different departments of the organisation in order to identify the various forms of personal data processing including the related risks, notably via a mapping exercise covering processing and applications. During such audits, particular attention is paid to the existing security mechanisms employed to protect personal data. The gap analysis conducted on the current vs target situation leads to the production of a roadmap which can be adapted to the company’s own pace, incorporating the legal, technical and organisational measures to be implemented. Once compliance has been established, the DPO must ensure that it is maintained.
  • DPO support. The current DPO of the organisation requires legal, technical or methodological support in the day-to-day performance of their functions. The Support Team will provide assistance in the required areas where the DPO’s skills may be lacking such as impact studies, support during CNIL audits, responses to any demands for rights to be exercised, etc. Regarding complex legal issues, the DPOSYSTEM Service Centre works with specialist legal firms.
  • Outsourcing, where the organisation has no designated DPO. DPOSYSTEM is able to assume the role of DPO in all its diversity.

[1] French national agency for ongoing adult training

[2] French association of data protection officers

[3] French data protection authority

[4] https://afcdp.net/media/documents/RGPD-metier-DPO-premiers-resultats-Valid-_.pdf