GDPR roles: to whom should they be assigned?

Captivea LLC, Sébastien RISS

The GDPR (General Data Protection Regulation) is everybody's business. On the one hand, because it concerns our personal data as citizens; on the other hand, because as professionals it will profoundly change the way we do business. From accounting and finance to marketing and sales, all employees are affected and must be made aware of the changes. Nevertheless, some people will have a more strategic role to play: I am referring to the Data Protection Officer and the Data Controller. So who should be entrusted with these new roles? What do they involve?

Excellent questions, my dear Watson... 


The DPO (Data Protection Officer)

For your compliance project, you will need a true conductor to lead the orchestra, as CNIL, the French Data Protection Regulator, puts it. This person will be in charge of steering the entire GDPR program and, later on, of ensuring that the procedures put in place are actually followed. The DPO's roles and responsibilities will therefore be wide-ranging.

Initially, the job is one of advising and informing: the DPO will be the GDPR reference point for the Data Controller, employees, and subcontractors. In the second phase, the DPO will be responsible for ensuring that the regulation is complied with, and will need to verify this compliance on a regular basis. In the third phase, the DPO will act as an adviser to the organization that employs him or her on data protection impact assessments, and will also need to ensure that these impact assessments have actually been carried out and their conclusions implemented. Finally, the DPO will act as the point of contact between the regulator and the business.

When you look at these roles and responsibilities, you'll recognize tasks already assigned to the CIL (Correspondant Informatique et Libertés), the existing French role responsible for data processing and personal freedoms. It's true that the DPO's role is similar to that of the CIL, but the responsibilities go further. The changes introduced by the GDPR have deep repercussions throughout the business, and your current CIL may have neither the time nor the capacity to take everything on. So, who should you appoint?

We recommend that you appoint someone external to take on the strategic role of Data Protection Officer: a service provider who will challenge you from an objective stance (and to whom you can easily provide feedback in the event of any issues). Appointing your CIO or CFO to the role is not a good idea: first, because there would be a conflict of interest, and second, because your CIO or CFO will not necessarily have the skills needed to manage personal data policies. By choosing an external service provider, you avoid this bias. If, nevertheless, you wish to assign the role of DPO to someone internal, or wish to recruit specifically to fill this position, ensure that the DPO has free rein to operate and is as independent as possible within the management structure.

The Data Controller

Let's address the role of the Data Controller in the abstract, without attaching a name to it. What is the role of the Data Controller? What responsibilities does it involve? Well, the Data Controller is "quite simply" the person, public authority, agency or other body which, "alone or jointly with others, determines the purposes and means of the processing of personal data in accordance with this Regulation."1 By "this Regulation" we obviously mean the GDPR. In principle, therefore, it is the legal entity, embodied by its legal representative.

The Data Controller must, in particular, maintain a proper record of the processing activities for which he or she is responsible. This register must contain a number of pieces of information: the name and contact details of the Data Controller, the purposes of the processing, a description of the categories of persons affected and of the categories of personal data, and more. For full details, refer to Article 30 of the GDPR. Obviously, a number of intermediate roles will also be needed. The larger your business, the more your employees will need to become involved. To start, in agreement with the DPO and the Data Controller (if that's not you), you can appoint an IT manager to handle the entire operational side. Also, make use of the right service providers to guide you in this task.

Discover our GDPR white paper