Since 25 May 25 2018, credit institutions have had to appoint a Personal Data Protection Officer (DPO[1]) to comply with the European Regulation on the Protection of Personal Data (GDPR)[2]. This new function is part of the rapid development of new technologies and associated usages, but also of control authority’s determination to install a central player within organizations in the implementation of the new data governance.

GDPR outlines some principles[3] concerning the designation of a DPO but does not give a standard profile. Nevertheless, European CNILs group (G29) – now the European Data Protection Committee[4] – provides some elements in its guidelines issued on April 05, 2017[5] on this new function.

A five-legged sheep?

In terms of his qualifications, the DPO must have solid legal knowledge, especially in the field of national, European and international data protection legislation, as well as knowledge of the activity sector, business and IS security.

In terms of know-how, he will be expected to have the ability to communicate well, to be a pedagogue, to have an acute sense of rigour, an analysis spirit, a great reactivity and abilities to manage a team.

His functions will be widespread and various: as part of his activities, he will have to advise, inform, organise, support, guide, process, verify, control, train, document, set up, implement, evaluate, promote, monitor, facilitate and secure.

His independence is an essential condition for him to be able to carry out his various missions within his organisation.

What positioning?

But beyond his professional expertise and skills, his main challenge will no doubt be his positioning within the structure. How will he embody his future function between the various Departments and processing officers, especially if he is an external DPO? How will he manage potential conflicts of interest? In difficult times, how should he act to exercise his missions independently and assert his authority? Will he have the necessary time to carry out his missions? Will he be able to issue alerts if he finds violations or non-compliant practices? What will be his status?

This is the whole point of this new function, which places the DPO as a true strategic “conductor” within the organisation structure and governance.

He will be able to consider himself to have successfully completed the integration once he has obtained the trust of his interlocutors and has demonstrated that data protection is not a constraint, but an opportunity.

By developing a data protection culture, the DPO, through his action, will enable the organisation to strengthen the relationship of trust with its customers and partners.

To know more about it:

To assist an organisation in appointing a data protection officer, the French Association of Data Protection Officers (AFCDP) has published on its website:

The CNIL has also published a Guide to assist processors.

[1] Data Protection Officer (DPO) – to replace the Data Protection Officer (CIL).

[2] The cases of mandatory appointment are specified in section 37 – 1 of the DGPS.

[3] Section 37-5 of the GDPR