Since the entry into force of the General Data Protection Regulation (GDPR, known as the RGPD in French) on May 25, 2018, the role of Data Protection Officer (DPO, the acronym for "Data Protection Officer", which is used throughout this article) has become crucial for organizations subject to European law that process personal and/or sensitive data.
However, the function of DPO already existed before the RGPD came into force, particularly in security-critical IT projects that required a specific level of clearance (need-to-know), during certification audits of high-assurance security operations (e.g. EAL4+), or to manage the protection of strategic information assets. As a simpler example, Singapore made the appointment of a DPO mandatory as early as 2012 in its local Personal Data Protection Act (PDPA).
Like a veritable conductor of an entity's personal data management, whether internal, external or mutualized, the DPO is the central pillar of data governance, ensuring compliance of data processing and acting as the point of contact for all RGPD-related issues.
The DPO's main missions are to:
- advise and support the organization
- monitor the effectiveness of data protection rules, particularly with regard to RGPD-related obligations
- ensure exhaustive documentation of data processing carried out by the entity that has appointed him/her
In addition, he or she plays a key role in raising awareness and training employees, and must be involved from the earliest stages of any data processing project.
The appointment of a DPO must be made with care, taking care to choose a profile suited to the complexity and volume of data processing, while avoiding any conflict of interest.
Finally, it is essential to note that, in the context of the RGPD:
- the DPO must be able to exercise his or her functions in complete independence
- unlike the data controller, the DPO cannot be held liable if the entity fails to comply with the RGPD
- the DPO is subject to an obligation of confidentiality and must be able to communicate directly with the highest levels of management
- the DPO's hierarchical position and the resources that must be made available to him or her must perfectly reflect the DPO's central role in the organization
N.B.: This article, focusing mainly on the requirements for the DPO as specified by the RGPD, is heavily inspired by the CNIL dossier "Le guide du délégué à la protection des données" dated 06/04/2022, which is much more detailed and comprehensive.
The role of the DPO
The tasks that the DPO must carry out as part of his or her entity's compliance process (in the short, medium and long term) make him or her a central player in the school's personal data governance system. We will review the various prerogatives associated with the DPO function, starting with the requirements of the RGPD.
In the case of the RGPD, the DPO function is regulated and precisely defined in Articles 37 to 39.
Advising and supporting
The DPO has an advisory and support role at several levels:
- he/she provides his/her expertise to management so that it can ensure data processing compliance
- he/she disseminates the culture and rules of data protection to all those who process personal data within the organization.
In this way, the DPO can identify and formalize the key moments at which he or she wishes to be systematically involved or present, for example at each of the following:
- decision to create a processing operation or modify an existing one (in order to ensure compliance with data protection principles by design and by default)
- examination of the need to carry out a data protection impact analysis, and its actual implementation
- drafting or maintaining a register of processing activities
- drafting and updating internal data protection rules or policies
- breach of personal data, in order to advise on the measures to be taken, as well as on notification to the authorities and to the persons concerned.
The DPO raises awareness and provides support to all those involved in your organization's data processing activities:
- by ensuring that everyone adopts a corporate culture refocused on "personal data protection" (for example, by organizing regular in-house training sessions to review the main principles of personal data protection and, more generally, of data governance)
- by carrying out communication and awareness-raising campaigns on subjects relevant to the organization
- by presenting him- or herself as the internal point of contact for all data protection issues, if necessary through intermediaries.
The DPO's primary mission is to provide information, advice and control.
It is important to note that the DPO is not responsible for the organization's RGPD compliance, keeping the register, carrying out impact analyses or data breach notifications.
He or she is, however, in a position to be a key player whose skills will be very useful to the data controller in helping the latter to comply with its obligations.
Checking the effectiveness of the rules
This task may take the form of verifications organized by the DPO (external audit or internal relay), or carried out by the DPO personally, in collaboration with the other key functions of the departments involved in information systems management, and in particular their security. It must be accompanied by a follow-up of the corrective and evolutionary action plan. Depending on priorities, the purpose of these controls or audits may include:
- verifying the accuracy of the information contained in the organization's data processing register (inventory of processing activities, scope of purposes, data subjects, nature of data processed, recipients and any transfers outside the European Union, retention periods, security measures)
- compliance checks on the most sensitive processing operations, taking into account the impact analyses carried out (particularly with regard to the implementation of measures designed to reduce the likelihood and seriousness of risks)
- the implementation of tools to monitor and control the use of processing (log analysis, detection of prohibited data, verification of compliance with retention periods, etc.)
- a check on the effectiveness of the technical and organizational data protection measures that the organization has undertaken to implement.
To sum up:
The DPO is entrusted with the task of monitoring compliance with legal and/or regulatory requirements for the protection of the personal data of all users of his or her school.
The applicable reference framework is that of the country in which the school is located, unless certain conditions require compliance with another regulation (e.g. the RGPD for schools outside the EU that have to process personal data of European residents).
Ensure documentation of data processing
Documentation plays a key role in the RGPD's new accountability logic. Made mandatory, it enables the data controller or processor to guarantee and demonstrate compliance with its obligations as well as the steps taken.
Numerous elements can be included in the documentation, such as the register of processing activities, impact analyses, the register of data breaches and the measures taken to remedy them, information notices, proof of consent, procedures for exercising rights, subcontracting contracts, tools for managing transfers outside the European Union, a written analysis of the absence of conflicts of interest on the part of the DPO, and so on. This list is not exhaustive, insofar as any element enabling compliance to be justified and actions to be managed can be included in the documentation.
Documentation is an essential tool for the DPO, as it enables him or her to have exhaustive knowledge of the processing operations implemented, and to plan their management.
The DPO must therefore ensure that documentation is maintained to demonstrate compliance with the entity's obligations under the legal or regulatory framework (e.g. the RGPD), i.e. the DPO must guarantee its relevance and steer its updating.
With regard to keeping a register of processing activities in the EU, Article 30 of the RGPD stipulates that the obligation to keep a register falls on the controller or processor.
However, in practice, the DPO's activities may lead him or her to take on this task. Keeping a register is in fact a tool for monitoring and controlling the processing operations carried out, enabling the DPO to have the most exhaustive possible knowledge of processing operations and to propose the measures needed to supervise them. In any case, he or she must be able to consult it at any time.
Appointing the DPO
As an educational establishment, your entity collects and processes personal data. However, the obligation to appoint a DPO will depend on your situation:
- If you are located in a geographical area where European law applies, you must comply with the GDPR: your organization is concerned by the obligation to appoint a DPO.
- If you are not located in a geographical area where European law applies, but you collect and/or process data relating to European Union residents, the GDPR applies: your entity is concerned by the obligation to appoint a DPO.
- If you are not geographically located in a country subject to European law on the protection of personal data and you do not collect or process any personal data from an EU resident, you should refer to the local laws of your country to check whether or not the appointment of a DPO is required. For example, if your school is located in Singapore, the local Personal Data Protection Act (PDPA) requires the appointment of a DPO. Even if you are not required to do so by your local regulations, it is nevertheless a good idea to consider this DPO as a personal data protection referent who will ensure the school's legal compliance with its obligations regarding the processing of personal and/or sensitive data.
Eduka Suite now allows you to designate your DPO from the Configuration Module > Dashboard menu > "Data protection settings" box.
Who can be designated DPO?
Although there is no standard profile for performing the DPO function, the RGPD, for example, requires the delegate to have a certain level of expertise. The establishment must also ensure that there is no conflict of interest with other missions.
Finally, when you appoint your DPO, you must be able to prove that his or her profile meets the requirements of the RGPD (knowledge and skills, absence of conflict of interest, etc.). In line with the "accountability" principle, to achieve this you need to assemble internally a set of documents (e.g. CV, job description, any certifications, proof of absence of conflict of interest, etc.); this documentation must be available for submission to the supervisory authority for verification.
Knowledge and skill requirements for the DPO
The person approached for the position of DPO must have a certain level of knowledge, namely:
- legal and technical expertise in the field of data protection
- knowledge of the business sector, sector-specific regulations and the organization of the structure for which he or she is appointed
- an understanding of processing operations, information systems and the organization's needs in terms of data protection and security
- a good knowledge of the administrative rules and procedures applicable in the country or federal state concerned.
If the prospective candidate does not have the required expertise before taking up the post, you will need to call on your in-house experts and develop the new DPO's knowledge in the very short term through training courses.
The candidate for the position must also possess the personal qualities required for the position (non-exhaustive list): integrity, a high level of professional ethics, and the ability to communicate, explain clearly and convince.
N.B.: the level of expertise required for the position of DPO varies according to the sensitivity, complexity and volume of data processed by the establishment. This knowledge and skills can be acquired through a training program tailored to the candidate's profile.
Finally, a certification of the DPO's skills, valid for 3 years, can be issued by an EU supervisory authority (such as the CNIL). This can only be obtained after several years' experience in data protection, or after completing a specific, substantial and recognized training course.
No conflict of interest
The DPO may perform other functions within the organization, in which case he or she is referred to as a part-time DPO.
However, in his or her other functions, the DPO must not have any decision-making power over the determination of the purposes and means of processing: he or she must therefore not be "judge and jury".
The existence of a conflict of interest is assessed on a case-by-case basis. It is advisable to document the analysis leading to the exclusion of the existence of a conflict of interest for the designated DPO.
Examples of functions likely to give rise to a conflict of interest when combined with the DPO role:
- DPO and general services manager
- DPO and operations director
- DPO and director of information systems or IT department
- DPO and finance manager
- DPO and human resources manager
- DPO and head of marketing & communication
ATTENTION: Functions at a "lower" hierarchical level within the organizational structure are also likely to give rise to a conflict of interest when, in practice, the person is involved in determining the purposes and means of the processing.
In-house, outsourced or shared DPO?
Each establishment is free to organize the DPO function according to its needs. It is up to the entity to decide, based on the advantages and disadvantages of using an external or internal DPO, the internal services available and the organization of the structure.
Internal DPO
The delegate may be a member of the organization's staff, working either full-time or part-time. In all cases, he or she must be a natural person.
External DPO
The DPO function may be performed on the basis of an outsourced service contract with a natural person (e.g. consultant, employee of a group subsidiary, etc.) or legal entity (e.g. law firm, consulting firm, management center, mixed syndicate, etc.).
Shared DPO
Whether an internal or external delegate, a DPO can be mutualized, i.e. appointed for several entities, provided that the DPO is easily reachable from each entity's location.
Mutualization can be a particularly suitable solution for groups of schools, or for smaller structures that see the financial benefits without losing the knowledge and skills required for the position.
How to appoint a DPO?
Step 1: Choose the right DPO
An external DPO can be a natural or legal person, but an internally appointed DPO can only be a natural person (an employee, for example).
The procedure for appointing a DPO internally requires prior consideration of the person proposed for the position: it is important to ask yourself the right questions in order to be able to justify your choice later on.
The choice of an in-house DPO should take into account:
- the prospective candidate's interest in the DPO's tasks, and his or her appetite for data protection issues
- his or her profile in terms of qualifications and absence of conflicts of interest
- the conditions under which the duties will be carried out
Step 2: Formalize the appointment
It is advisable to formalize the tasks entrusted to the DPO in a specific document (e.g. letter of assignment, amendment to the employment contract, job description, or service contract for an external DPO).
This document can also be used to define the DPO's working methods (resources allocated, contacts identified, frequency of meetings with the organization's management and data processing departments, communication circuit, etc.), describing how the organization's data protection obligations will be implemented in practice.
Step 3: Publicize your DPO
The appointment of a DPO should be accompanied by communication initiatives designed to raise the profile of the position and the DPO's contact details within the organization, e.g. vis-à-vis all employees, employee representative bodies, management committees or executive bodies.
Examples of communication actions: information note sent by management to all staff, internal note published on the intranet or by posting, internal presentation to management bodies, publication of the mission statement, etc. The aim of this type of action is to communicate internally on the role of the DPO, his or her status, the resources allocated to him or her and the procedures associated with carrying out his or her duties. It is also an opportunity to reiterate the importance of compliance, and to present future projects to be managed by the DPO.
Note: the DPO is in constant contact with the organization's departments and divisions. This communication plan is therefore particularly important, as it ensures that the DPO has the best possible conditions in which to take up his or her duties.
Step 4: Designate your DPO with the competent supervisory authority
First make sure you know which supervisory authority is competent for the appointment of your DPO, then appoint your DPO online via that supervisory authority's teleservice (no postal mail will be processed, and it is not necessary to send any supporting documents relating to the appointment of your DPO).
Exercising the DPO function
What resources are allocated to the DPO?
The DPO must be given the resources needed to carry out his or her duties, which means that he or she must be involved in all data protection issues and have sufficient resources at his or her disposal.
Involving the DPO in all data protection issues
It is essential that the DPO or, where applicable, his or her team, be involved as early as possible in all data protection issues. Informing and consulting the DPO as soon as a processing project is envisaged will facilitate compliance with the RGPD and encourage an approach based on data protection by design. The DPO must be a natural interlocutor within the organization, for example by being involved in working groups dedicated to data processing activities within the organization.
For example, the entity must ensure that:
- the DPO is regularly invited to take part in the organization's strategic meetings, which define upstream projects involving personal data
- his or her presence is recommended when decisions with data protection implications are taken
- the DPO is able to interact and work with functions playing an important role in data protection, such as the CIO
- all relevant information is passed on to the DPO in good time to enable him/her to provide a relevant, informed and impartial opinion
- the DPO's opinion is always given serious consideration. In the event of disagreement, it is recommended, as a matter of good practice, to record the reasons why the DPO's advice was not followed
- the DPO is consulted immediately when a data breach or other incident (press reports, complaints, etc.) occurs.
The DPO's resources
The RGPD stipulates that the entity must provide the DPO with the resources needed to carry out his or her tasks: the time required, access to financial resources, staff if necessary, access to data and processing operations (facilitated access to the organization's other departments), and the means to maintain his or her specialist knowledge.
The DPO's resources must be adapted to the size, structure and activity of the organization. The more complex or sensitive the processing operations, the greater the resources allocated to the DPO.
It is advisable to specify the type of resources allocated to the DPO in the engagement letter, as a commitment by the organization to the DPO to enable him/her to carry out his/her duties as effectively as possible.
What is the status of the DPO?
The DPO's independence in carrying out his or her duties
The RGPD provides certain guarantees designed to ensure that the DPO is able to carry out his or her missions with a sufficient degree of autonomy and independence from the organization that appoints him or her.
This independence means that the DPO:
- Must not receive instructions in the performance of his or her duties, for example on how to handle a subject, investigate a complaint, the outcome of an internal audit, or the advisability of consulting the supervisory authority. Similarly, he or she may not be obliged to adopt a particular point of view on a question relating to data protection legislation, such as a particular interpretation of the law.
- Must not be subject to sanction or dismissal as a result of the performance of his or her duties, for example if the DPO advises the controller to carry out an impact analysis and the controller disagrees, or records a legal or technical analysis that contradicts the one adopted by the controller. It should be noted, however, that the delegate's duties may be terminated for reasons covered by normal employment legislation (such as theft, harassment or other serious misconduct).
- Reports directly to the highest levels of the organization's management, so that the level at which decisions are taken is aware of the DPO's opinions and recommendations. For example, the supervisory authorities recommend that the DPO prepare and present a regular (e.g. annual) report on his or her activities to the highest level of the organization. The DPO must also be able to address specific issues directly to the highest level if he or she deems it necessary. Note that this requirement to report to the highest level does not prejudge the hierarchical "attachment" of the delegate, for which there is no requirement under the RGPD.
No liability of the DPO in the event of non-compliance with the RGPD
The RGPD stipulates that it is the data controller who is responsible for ensuring and being able to demonstrate that processing is carried out in compliance with the RGPD. Similarly, it is the processor who is responsible for compliance with its own obligations under the RGPD.
Consequently, the delegate is not liable in the event of non-compliance with the RGPD within the organization that appointed him or her.
It is therefore not possible to transfer to the DPO, by delegation of authority, the responsibility incumbent on the controller or the processor's own obligations arising from the RGPD. Indeed, this would be tantamount to giving the DPO decision-making power over the purpose and means of the processing, which would constitute a conflict of interest contrary to the RGPD.
On the other hand, if the DPO commits a fault for which he or she can be held responsible in the course of his or her duties, he or she could of course be sanctioned or even dismissed.
Obligation of confidentiality/professional secrecy
Delegates must be bound by professional secrecy or an obligation of confidentiality with regard to the performance of their duties.
It is therefore advisable to include such an obligation in the employment contract or letter of assignment of internal delegates, or in the service contract of external delegates.
Please note: this obligation of professional secrecy or confidentiality does not prevent the DPO from contacting the supervisory authority to seek its opinion. Indeed, the RGPD provides that the DPO may consult the supervisory authority on any subject.
What to do in the event of the DPO's departure, leave or replacement?
The delegate plays a central role in the organization's data protection, and acts as a point of contact for individuals as well as for the supervisory authority, with which he or she must cooperate. Consequently, the departure or replacement of a DPO, whether permanent or temporary, must be anticipated and organized by the data controller as far in advance as possible.
Internal transition
Communicating internally
In the same way as when the DPO was appointed, the departure and replacement of the DPO need to be communicated internally by all possible means (e.g. internal memo published on the intranet, information for employee representative bodies, etc.).
In the event of a replacement, this information will make it possible to communicate the name and contact details of the new DPO.
Keeping track of current files
It is essential to update procedures to ensure the follow-up and resumption of ongoing files (e.g. follow-up of a request to exercise a right, completion of an impact analysis in progress, etc.).
Transparency vis-à-vis the people concerned
In the event of departure or replacement, the organization must ensure that the information notices, which must include the DPO's contact details, are up to date.
Note: to avoid having to systematically update contact information, use "neutral" contact details (e.g. generic e-mail address, telephone number, postal address, etc.).
Contacting the supervisory authority
In the event of a definitive change
The data controller or processor must inform the competent supervisory authority as soon as possible that the DPO's assignment has come to an end. For operational purposes, to deal with the end of an assignment, the legal representative should be copied on the e-mail informing the supervisory authority of the end of the assignment (see address in the e-mail confirming the appointment).
If the DPO is replaced, the organization must appoint a new DPO within the same timeframe.
In the event of temporary absence
- If the absent DPO is officially replaced by another DPO for the duration of the absence, a new appointment must be made with the relevant supervisory authority (at the same time informing them of the end of the absent DPO's assignment)
- If the DPO is not replaced, internal procedures need to be updated (e.g. mail and call routing) to ensure that requests from data subjects or the supervisory authority are dealt with. In cases where the appointment of a delegate is compulsory for the organization, this vacancy can only be exceptional and very limited in time.
Please note: when the supervisory authority contacts an organization, it will contact the DPO who has been officially appointed by that organization, regardless of any internal reorganization. It is therefore important to manage the routing of calls, e-mails and letters to the appropriate people until a permanent appointment has been made.