When the General Data Protection Regulation (GDPR) came into force, the number of Data Protection Officers (DPOs) appointed by the CNIL was 21,000. This figure has risen steadily, reaching 25,494 in 2020 and 28,810 in 2021.
The annual study of the data protection officer profession, conducted by the Ministry of Labor, shows a diversification of profiles and a growing importance of the DPO profession, whose designation is mandatory in certain cases.
DPOs with more diverse profiles, but insufficient training
- 58% of the DPOs surveyed are satisfied with the performance of their duties;
- 87% are convinced of the usefulness of their position. They also wish to continue their missions with a strong motivation of 67%;
- 47% come from fields of expertise other than law and IT: for example, administrative and financial profiles or profiles related to quality or compliance-audit;
- 1/3 have not received any IT and Freedom (Informatique et Libertés)/GDPR training since 2016, even though more and more of them are neither lawyers nor IT specialists.
The profile of the DPO in 2021
- 72% perform their function as internal DPO;
- 71% work outside the Île-de-France region;
- 62% have a master's or doctorate degree;
- 63% are 40 years of age and older;
- 55% have been in the DPO position for 2 years or less.
Internal, external or shared DPOs
The GDPR has made the appointment of a data protection officer compulsory for public bodies and for companies whose core business leads them to carry out regular and systematic monitoring of individuals on a large scale, or to collect and re-use sensitive data or data relating to criminal convictions and offences.
The appointment of a DPO is strongly recommended in all cases. The DPO helps support GDPR compliance, respond to individuals' requests to exercise their rights, and reduce the risk of litigation.
Depending on each structure's organizational choices, there are 3 types of DPO:
- Internal DPO, who is an employee of a single organization;
- Internal shared DPO, who is an employee shared among several data controllers;
- External DPO, who is independent or employed by a specialized organization (public digital services organizations, consulting firms, law firms, etc.).