Digital Transformation: Privacy as an Opportunity of Success

Preamble

Companies’ digital transformation has taken place without anyone fully being prepared for it or even realizing it was taking place. A start-up offers an idea, digital marketing grows, more developers are hired in the IT department and the legal department that used to handle commercial contracts now has to negotiate IT contracts and then protect the employee, customer and supplier data.

Are companies equipped to deal with the real issues?

Do the management teams even really know what the challenges are? 

These are the questions raised by the definition of the key role of the Data Protection Officer or DPO, created by the EU General Data Protection Regulation. If a company today wishes to be in compliance with the GDPR, or with any of the 130 other data protection regulations that have come into force since 2016, it must be able to succeed in this digital transformation and therefore its recruitment of the right DPO.

I. What is a DPO?

A.  The DPO has strong powers

According to the GDPR, a DPO benefits from professional secrecy and independence. He/She reports to the highest level of management in the group, manages an independent budget in relation with the risks he/she has to manage and has the proper resources to monitor the risks and guaranteeing that sufficient organizational and technical security measures are in place to protection the personal data controlled and/or processed by the Company.

B.  The DPO is Protected from Termination

In addition to such high-level benefits, which make him/her a member of the company executive committee, he/she is protected against termination of contract caused by performing these duties. And, he/she cannot be delegated any powers or liability in connection with data protection as this is to remain the only responsibility of the Controller, i.e., the Company management to make the decisions that will in the end entail or protect the Company from the financial or criminal sanctions involved by the various legislation in force.

What does the DPO do to deserve such a favorable treatment? Basically, he/she is the representative of the governmental/supervisory privacy authority within your company. An independent monitor of sort that companies are compelled to appoint notwithstanding any legal sentence for lack of compliance.

II. What Does a DPO do?

A. A Metamorphic role

The DPO is an expert in data protection, which does not say much.  He/she may have a legal or IT background.

• The DPO is also able to identify the risks and have them mapped like a compliance officer.
• The DPO is delivery manager, a team leader and a project manager.
• The DPO is a contract negotiator and must know how to draft policies that are both flexible and simple.
• The DPO must train and raise awareness about data privacy within the company.
• The DPO monitors regulatory changes inside and outside the EU as the regulation protects people not countries.
• The DPO manages claims from data subjects and make sure their claims are addressed in due time.
• The DPO makes sure that organizational and technical cybersecurity measures are in place to protect personal data.
• The DPO annually audits the organization compliance with the regulations it must comply with from a data protection perspective.
• The DPO is the natural contact of the governmental or supervisory privacy authority.

B.  A Transversal Role

Companies seem to have failed to take into account the size and significance of the missions assigned to the DPO.

DPOs I have met are generally IT or commercial lawyers who have taken on the role and navigate it with the support of outside consultants and lawyers.  Some are CISO with a project management and compliance background, mostly in US companies.

To properly accomplish these missions, the DPO must be both a people and a paper person. He/she must be autonomous and not afraid to take positions that may not please the business.

The people person role will help the DPO to work with the various functions involved in the data protection: Human Resources, Information Technologies, Marketing are the obvious ones. But Sales and Retails directions, sustainability, finance and innovation must also be involved.

The paper person role will manifest in the policies that should be applicable without having to be explained and flexible enough to adapt to the various changes the company will have to make along the year for compliance with laws and for business security.

Conclusion

There is one professional that is independent, autonomous, a project manager, a people and paper person, used to professional secrecy and naturally protected from termination. There is a professional who has long been working along the parameters of what the GDPR prescribed.

The independence of this professional may however come into conflict with the need to actually be within the company, to work in it, with its many directions and services and not monitor from afar.

A Privacy Lawyer who would be seconded in the company first as a project manager, then as a DPO and who could have someone from his/her firm monitor and follow-up any privacy issue, used to negotiate contracts and to have technical discussions with experts as well as working in an international environment and governmental authorities.

In the same way as the regulator he/she represents, the DPO will determine for each company, a referential corresponding to each data processing and based on each data processing purpose: e.g., Human Resources Management, Customers Management, Suppliers Management.

For each data processing which meets the conditions set in the corresponding referential, and provided other conditions set by applicable local legislation are met as well, no specific privacy impact assessment will be needed, only basic details for data mapping. For all others, a Data Protection Impact Assessment will be implemented.

This process, this DPO, this Privacy Professional is the key to successfully accompany your business and the management into its digital transformation.