In the list of new professions that have emerged with the emergence of data, we were familiar with the Data Scientist and Data Engineer duo or the unchanging Data Analyst.
But for some time now, particularly with the implementation of the GDPR in May 2018, it has become essential to coordinate a company’s actions in terms of data management and processing to align with national regulations.
It is with this new constraint that the profession of data protection officer (DPO) has become well-known.
In fact, although this role is currently only compulsory in the civil service, it is a safe bet that it will soon become mandatory for all companies.
With this in mind, almost all companies with more than 300 employees are already equipped. Let’s take a closer look at this job of the future, straddling the worlds of law and data.
What does the Data Protection Officer do?
The data protection officer is responsible for guaranteeing the protection of an organization’s data. His or her roles are very clearly set out in Article 39 of the RGPD. They can be summarized in 5 points:
- Accompany companies on GDPR compliance at the start of its integration.
Inform, advise and raise awareness among the data controller or processor as well as employees who carry out data processing about their obligations. - Monitor compliance with the rules of the GDPR and other regulations in force at French (such as the Loi Informatique et Liberté) and EU level. As such, he must carry out a complete inventory of the data processed within his company, to ensure compliance.
- At the same time, he or she must also put in place procedures to define data retention periods, set adequate security measures or oversee information transfers.
- Cooperate and act as a point of contact for the supervisory authority on data processing issues.
- Assist members of the management team in making decisions that have a potential or actual impact on the protection of personal data.
In addition to these various tasks, the DPO must also keep a constant watch on legal and technological developments, so as to keep abreast of the latest developments.
Why is the DPO so important?
The DPO is mandatory in many organizations
The General Data Protection Regulation very clearly states the mandatory appointment of a DPO for public authorities and bodies (such as ministries, local authorities, public establishments, …). But the data protection officer may also be mandatory for certain private sector companies. Indeed, Article 37 of the GDPR provides for two other hypotheses:
- The company’s core activities involve regular and systematic monitoring of individuals on a large scale.
- This concerns, among others, insurance companies, banks, telephone operators, companies specializing in video surveillance or internet service providers.
- Core activities involve large-scale processing of so-called “sensitive” data, such as biometric and genetic data, political opinions, trade union membership, information relating to criminal convictions, etc.
In view of this extremely broad definition of the obligation to appoint a DPO, many companies seem to be concerned. In any case, the majority of large groups, but also smaller companies (such as SMEs) with e-commerce activities.
And even if a company’s activity does not fall within the above-mentioned hypotheses, the CNIL strongly encourages the use of a DPO.
Good to know: even if the expertise of the Data Protection Officer is mandatory in certain organizations, he or she need not be a member of staff. He or she can also be a subcontractor. So if you’re interested in becoming a DPO, you can very well do the job in-house at the company, but also externally, as GDPR consultant.
How do you become a DPO?
As the role of DPO is a very recent one, there is as yet no “standard career path” for accessing this position.
The need for a certain mastery of data/IT as well as law does, however, make it somewhat selective.
In concrete terms, a solid legal background is required. Our observations among our large group customers (Allianz, LVMH BNP Paribas, etc. )show that very few DPOs currently in post have less than a Master in law.
Combining this with a specialization in IT/data/technology or multimedia seems, for the time being, to be the royal road. Finally, knowledge of the tools used by IT teams is also proving increasingly necessary.
How much does a DPO earn?
In France, the median salary for a data protection officer is €54,250 per year, or €4,521 per month. However, there is also a wide range of realities, depending on the number of years of experience, geographical location or geographical sector.
Generally speaking, we can see from the DPO job descriptions available that a Junior profile will earn between €35 and €50k a year.
This will depend in particular on the number of employees and data processed by the company (proportional to the DPO’s responsibility).
Would you like to make your management teams aware of the challenges of Data?
We’ve created the Data Science for managers course just for that!
