Data protection legislation (the GDPR and Directive (EU) 2016/680) requires a profound change in the governance of data and files: in addition to the business formalities required before a processing operation is deployed, companies must also implement "appropriate technical and organizational measures" and be able to prove their compliance with the GDPR and the Directive.
While certain formalities with national Data Protection Authorities (DPAs) may disappear where a DPO has been appointed, the responsibilities of companies (as controllers) are reinforced in return: they have a legal obligation to ensure optimal data protection and to be able to demonstrate it by documenting their compliance. New obligations under the GDPR, in particular concerning the rights of individuals or, in certain cases, the performance of an impact assessment, weigh on any company processing personally identifiable information.
This legislation makes the Data Protection Officer (DPO) the key player in the data governance system. In charge of data protection compliance within his or her company, the DPO is mainly responsible for:
- Informing and advising data controllers or processors, and making recommendations to them.
- Monitoring compliance with the regulation and national data protection law (in this regard, the DPO may in particular collect information enabling processing activities to be identified, then analyze and verify the compliance of those processing activities).
- Advising data controllers on carrying out a data protection impact assessment (DPIA) and verifying its execution (the DPO plays an assistance role for the data controller).
- Cooperating with the Data Protection Authority and acting as its point of contact. The DPO thus facilitates the supervisory authority's access to the documents and information it needs to perform its tasks and to exercise its investigative powers, its power to order corrective measures, its authorization powers and its advisory powers.
- Disseminating within the company the information needed to raise awareness of data protection issues (in particular through training and mentoring) and fostering a data protection culture.
Companies failing to empower their DPO face heavy sanctions under the GDPR.