
The Privacy Advisor | How to 'industrialize' the data protection officer role


As most companies operating in Europe should by now be aware, from May 2018 many firms will be required to have a data protection officer.

For small companies that nonetheless handle a lot of personal data, the sensible option may be to bring in an external DPO. There's likely to be a flurry of activity in the next couple of years, and one privacy professional who's definitely looking forward to the shake-up is Xavier Leclerc, the vice-president of the French association of data protection officers (AFCDP) and president of a company called Privacil.

Leclerc introduced the concept of a "mutualized DPO" to France several years ago, when he was effectively the external DPO for the members of the association of French notaries. By mutualization, he broadly means trade associations setting up an external DPO for their members. In 2011, the French data protection authority, CNIL, gave its approval to the procedures Leclerc and his team had formulated for dealing with the needs of thousands of notaries' offices.

[Photo: Xavier Leclerc]

Since then, Leclerc has adapted these procedures to suit the specific needs of other vertical industries, and founded Privacil to dispense his toolkit to a variety of external DPOs. With business set to boom, it's no wonder that he describes himself as "very happy" with the General Data Protection Regulation.

"For large companies, there's no way to appoint an external DPO. You need to have an internal DPO because it's essential, it's strategic," Leclerc said. "But for small or medium-sized businesses or public sector organizations, I believe mutualization will be the only way because of two things. First, they don’t have the right person internally and it's a full-time job."

Currently, Leclerc said, many French companies appoint internal DPOs who are "security people, legal people" – employees with other roles who seemed appropriate for the DPO position. But especially in smaller companies or public sector organizations, he warned, such people will be too busy in those other roles to truly pay attention to what being a DPO will require. The GDPR was designed to tackle big companies, he noted, and many smaller operations will find it "very difficult" to comply.

Leclerc's second reason for recommending mutualization is cost. In the example of the French notaries, the national council of notaries funded the ADSN's data protection department. As a result, small companies only had to pay around 350 euros a year for the mutualized DPO's services, medium-sized companies had to pay around 500 euros and large companies around 800 euros per year.

"Mutualization is the only way to put down the prices," Leclerc said, adding that the mutualized DPO will need strict procedures to manage all the offices they cover. "To be able to deal with that number of companies, you have to put together many processes, many tools which I created to 'industrialize' the DPO," he said. "Without tools you cannot put together even 200 annual reports by the end of the year."

So how does this all work in practice?

The procedure greenlit by CNIL involved separating the notaries' offices out into three categories: small, medium and large. Leclerc started out by visiting examples of each office type, to create references of their typical data processes. (The resulting procedures do not cover the very small offices in rural areas that only fulfil local legal functions, rather than handling much personal data. They are given a best-practices guide and told how to declare their own processes to the authorities.)

The process covers a three-year cycle. In the first year, the external DPO does an "initial review of conformity" – for small and medium offices, that means a one-to-two-hour phone review; for larger companies, an on-site visit. In the second year, the DPO has to submit an annual activity report: for small offices, this means another phone call; for medium and large offices, an on-site visit. Year three brings a full-scale audit, with an on-site visit for all businesses.

"To be able to do that, I put [together] a team of legal people and auditors and two types of auditors – field and phone auditors," Leclerc said.

By the time Leclerc moved on in 2011, this process was being used to handle around 3,000 notaries' offices of varying sizes. Now, with some judicious tweaking, he's applying the same principles to other fields in the public and private sectors – social housing, healthcare, legal. He's even the external DPO for 150 professional genealogists.

However, Leclerc stressed that there always needs to be a "privacy link" within the company or organization itself. "I train one person inside just to give him the basics of the privacy law," he said. "Even with mutualization, you always have to train one person inside the organization to be the link with the external DPO."

So, back to boom time. With the GDPR's mandatory-DPO effect looming, Leclerc is preparing to have his vertical-specific tools translated into "five or more languages" to be used across the EU.

"I was waiting for that European regulation because now, in all the countries, the main problem at the moment is we have the same directive, but in some countries it was [inconsistently applied]. With the regulation, it will be the same all over the 27 countries. The job will be the same," he said.

"A data breach will always be a data breach … A privacy impact assessment is the same methodology you can apply with a tool. It will not be different in France and Bulgaria and Poland and Estonia."

photo credit: Wrenches via photopin (license)

1 Comment


  • Aurelie Pols • Aug 28, 2016
    Yes, I love the concept and can't help wonder how this could also bring about industry best practices: sharing how issues have been solved, setting up workgroups that focus on burgeoning topics, moving beyond compliance to define the acceptable and viable threshold of ethical data uses...