The DPO role attracts new profiles who are not always sufficiently trained in the basics of the profession


Who are Data Protection Officers (DPOs)? The role appeared in 2018 with the implementation of the General Data Protection Regulation (GDPR), following in the footsteps of the former "IT and freedoms" correspondents (CIL), and DPOs play a central role in the governance of companies’ personal data. While the number of DPOs is increasing year on year – from 21,000 in 2018 to nearly 29,000 in 2021 – their profiles are also becoming more diverse.

According to a recent survey led by the Ministry of Labor with the support of the CNIL, DPOs are generally less specialized in IT and law than four years ago, and now come from other areas of expertise, including administrative and financial functions and the quality function. The study also reveals a decline in the training provided.

Patrick Blum, general delegate of the French Association of Personal Data Protection Correspondents (AFCDP), tells ZDNet that there are indeed “as many DPO profiles as there are companies”. According to him, three successive waves have been observable since 2018: the first DPOs were “mainly from existing CILs”, he says. Next came DPOs appointed by organizations “who had the obligation to get started”, including public bodies, but also companies that process large sets of data or certain types of data deemed sensitive, comments the former DPO. Now, “we are starting to see DPOs appear who are not necessarily appointed with the same scruples”.

A large majority of DPOs work internally

A third of the DPOs questioned in the ministry’s report say that they have not received any training in the GDPR or the Data Protection Act since 2016 (+7 points), even though more and more of them are neither lawyers nor computer scientists. Yet data controllers and processors who have appointed a DPO are obliged to provide them with the resources necessary to maintain their specialized knowledge, the CNIL points out.

Based on this observation, Patrick Blum fears that “the DPOs lack the skills to properly understand their entire mission”. He maintains that there is a substantial body of knowledge to master. “It is essential, at the base, to understand the GDPR, but also the Data Protection Act which precedes it, with all its specificities. Besides that, a DPO must also ensure that the company’s processing is compliant. Computer skills are therefore not too much. But that’s not all: a DPO must also have important notions of know-how and interpersonal skills,” he explains.

The report shows that a large majority (72%) of DPOs perform their duties internally, as employees of an organization. The remaining positions are either shared among several data controllers or held externally, depending on the needs and profiles of the companies and public bodies that call on them. These three types of profiles are not homogeneous: the report finds that almost half of internal and shared DPOs (55%) devote only 25% or less of their working time to this function. Furthermore, 61% of them believe that they were not supported throughout their integration process.

On the other hand, external DPOs seem on average to be better prepared for the job: 87% of them say they have mastered the GDPR and its operational translation, and 76% say they have taken "IT and freedoms" training since 2016. External DPOs have also followed longer training courses than the others: 24% of external DPOs took training courses lasting more than 20 days, compared to 10% of internal and shared DPOs.




