The Data Protection Officer’s missions and scope

With the recent application of the General Data Protection Regulation (GDPR), the profession of Data Protection Officer (DPO) has come to the fore and companies are now actively seeking to hire people with these much sought-after skills.

The Data Protection Officer occupies a strategic position, combining legal skills and IT skills with project management.

 

Interview with Mélissa Gleyo, DPO at TraceParts.

 

– Mélissa, can you tell us how TraceParts went about ensuring compliance with the GDPR law?

TraceParts has been collecting the personal data of millions of users since 2001. Fortunately, the company has always taken care to protect users’ data as much as possible. So, when I started working on the GDPR and TraceParts’ compliance with the new rules, the task was less arduous than I had expected. The company had already put in place several measures to ensure this type of data was processed and protected effectively. My tasks were therefore mostly focused on improving existing practices to finalize the company’s initial compliance.

 

– What does your job involve?

I am the central contact in the company for all issues concerning the personal data of our platform’s users, as well as our employees’ personal data.

I am essentially responsible for informing and advising the Management and staff, as well as our customers and partners, who often want reassuring.

My first tasks involved making an inventory of all the personal data collected by TraceParts, and establishing how those data are processed. This enabled me to assess their compliance with the new legal framework. I also looked at the tools and measures put in place by the company to ensure the security of the data and assess their effectiveness.

Based on this review, I made certain recommendations to the Managing Director of the company. Most of these have now been implemented. This includes redrafting the privacy policy on TraceParts’ website, writing a personal-data protection charter with and for the employees, reviewing and updating contracts.

I also had to brief the teams about the best practices to be implemented concerning personal data and sometimes put certain barriers in place, which did not exist before.

In addition, as DPO I am the contact person for the Supervisory Body (the CNIL in France).

 

– On a day-to-day basis, how do you ensure compliance with the new regulation that came into force on 25 May 2018?

I constantly monitor TraceParts’ compliance with the GDPR.

To do this, I keep up to date with any new obligations that may result from the text and any amendments (for the moment, not everything in the Regulation is clear cut even for the legislative body itself). I implement any regulatory changes or developments as quickly as possible in the company.

I also liaise with TraceParts’s staff, customers and partners to answer their questions and meet their needs.

 

– Do you think that having a DPO is essential for all B2B companies?

While there is undoubtedly less risk to privacy in a B2B context, companies must comply with the obligations of the GDPR. This is notably the case regarding user consent and personal rights. People are entitled to have access to certain information and there are specific requirements as regards how long data may be kept, or regarding security and the precautions that must be taken concerning the use of cookies. With this in mind, I think every company needs to appoint someone to supervise the management of personal data and to provide information and advice on data protection issues. This means employees and customers have a single point of contact capable of answering their questions and dealing with their concerns.

In addition, I think that appointing a DPO gives customers a clear sign and guarantee that the company takes data protection and privacy extremely seriously.

 

– How would you summarize the GDPR to anyone who has been on a desert island for the last 6 months?

Privacy is not something to be taken lightly! It was crucial that we established a clear framework for processing personal data, since the system had been left behind by the spread of computing and digitization.

Personal data is the most important information a company can have; while getting value from that information is not wrong, it has to be carefully supervised. This is what the GDPR aims to ensure.

However, we should not over-dramatize the situation. About 80% of the new text is identical to the old European regulation (Directive 95/46 EC). So, while companies may need to adapt to changes and make certain improvements and investments, they should see this as an opportunity and not a constraint.

 

And you? Are you compliant with the new GDPR?

[call_to_action button_text=”GDPR compliance: are you ready?” text=”GDPR compliance: are you ready?” color=”#01CBBF” size=”regular” url=”https://info.traceparts.com/legal/gdpr-compliance/” target=”_blank” position=”bottom”]