By Blandine CORDIER-PALASSE, Revue RH&M n°68
The General Regulation on the Protection of Personal Data "RGPD" comes into force on 25 May 2018. Are you ready? Over 60% of companies are looking to recruit a DPO.
This regulation stipulates that "the Data Protection Officer shall be appointed on the basis of his or her professional qualities and, in particular, his or her specialist knowledge of data protection law and practice, and his or her ability to perform the duties referred to in Article 39".
What are the duties of the DPO?
The DPO must advise the Group on the laws and regulations relating to personal data. He or she must take into account the risk associated with processing operations, having regard to the nature, scope, context and purposes of the processing. Next, he or she must map the data. His or her role is to analyse the risks and impact. Finally, he or she must put in place the tools and processes needed to ensure compliance with best practice. The aim is to adapt the organisation to the challenges of the RGPD. The Data Protection Officer must also raise awareness among employees and become the main point of contact for the CNIL.
The risk of non-compliance?
Extremely heavy penalties:
- €10m or 2% of worldwide sales in the event of non-compliance with the GDPR
- increased to a €20m fine or 4% of worldwide turnover for failure to respect people's rights (access rights, the right to be forgotten...)
How are Human Resources Departments affected?
They are at the heart of the issues surrounding the processing of data, particularly employee data. According to the CNIL, 14% of complaints in 2016 concerned human resources.
What is the profile of the ideal DPO?
The candidates we recruit for our clients often have a legal background. They specialise in information and communication technologies (ICT). Sometimes it's an engineer specialising in technical data processing who knows the regulations inside out. Finding the right profile will be one of the challenges for HR in 2018.
The CIL was effectively responsible for these tasks. The DPO will also have to be able to interpret the texts and translate them into operational action plans. He or she will have to map the risks associated with processing operations, analyse their impact and carry out audits. He or she will also have to manage change within the organisation.
While it's easy enough to list the technical prerequisites - even if some, such as knowledge of international data transfer protection and cyber security, are specific - we think it's just as important to emphasise the human qualities.
These assignments require a strategic, pragmatic and business vision, as well as excellent project management skills. They also require you to be agile, an excellent communicator and a good teacher. The aim is to interact with both internal teams and the authorities.
Time to recruit your DPO
The processing of personal data is an element of strategy and will play an increasingly important role in enhancing the value of a company: the DPO represents the emergence of a whole ecosystem.
It has been estimated that 28,000 DPOs will be needed to ensure that regulated organisations comply with the RGPD. The race for the best profiles has already begun!
Career history: Blandine Cordier-Palasse is President and Founder of BCP Executive Search, a recruitment consultancy specialising in strategic protection functions such as directors, governance, general secretariat, legal and tax, risk management and compliance - after having been a lawyer and then a legal director and board secretary in listed groups. She also holds a doctorate in law and is co-founder and Vice-President of the Cercle de la Compliance.