What is a DPO?

Before the GDPR, the “Data Protection Correspondent” was the one in charge of data protection in the company. However, starting the 25th may of 2018, the Data Protection Officer is created. He is the one in charge of ensuring GDPR compliance in the organisation.

What are his missions?

As Anthony Coquer said he is « the pilot of the plane who will lead the CISO, the business departments and the audit. »

His missions are to inform and advise the data controller or processor, as well as their employees, monitor compliance with the Regulation and with national data protection law, advise the organization on the performance of a data protection impact assessment and verify its execution, cooperate with the supervisory authority and be the contact point for the supervisory authority.

Being the contact point for the supervisory authority means he must facilitate access by the authority to documents and informations in the context of the exercise of the authority’s missions and powers. For example, whenever there is an investigation of a complaint, or an inspection by the authority.

The DPO’s obligation of confidentiality or professional secrecy must not prevent him or her from seeking advice from the authority on any subject, if necessary. Moreover, he is not personally liable for his or her organization’s non-compliance with the regulations.

A DPO is an important actor in the organization, and as such it is essential that there is good communication in the organization and the various members cooperate. This will ensure that the compliance process goes smoothly. Nominating a DPO is not always an obligation for companies, however it is in some cases. When does the organisation need a DPO ?