What is a DPO? What is the main task of a DPO? Who assumes this role in a company? What training is required to become a DPO?
To find out more about this profession, read our interview with Colin Chaleon, DPO & Information Security Consultant at sequal by Meanquest.
My name is Colin Chaleon and I hold a Master’s degree in European Law. I specialized in personal data protection law as part of a specialized Master’s degree. I first gained experience as an assistant DPO (Data Protection Officer) in the wines and spirits branch of the LVMH group. I eventually joined sequal by Meanquest and now work as DPO & Information Security Consultant for our customers.
The role of DPO is unique because it is defined and regulated by data protection law. Therefore, his duties are quite specific: he must ensure compliance with the data protection laws and regulations applicable to his company. To do this, he advises, guides, and provides recommendations on the protection of personal information processed by the company.
Every organization deals with the processing of personal data as part of its activities and internal processes (human resources, marketing, finance, communication, production, etc.). This is why the role of DPO is important for every company: he is the one who must ensure the identification of personal data processing activities across various functions, data flows, and associated risks. He is the one who proposes action plans to mitigate these risks. The Data Protection Officer is also the primary point of contact for individuals concerned (those whose data is processed by the organization), as well as data protection authorities to cooperate with them in case of an audit.
The role of a DPO is fascinating because it is constantly evolving. Current technological and legal developments related to data protection lead us, as mandatory Data Protection Officers, to work on increasingly diverse and varied topics (artificial intelligence, cloud computing, big data, etc.).
It is a job that also requires more or less in-depth knowledge in non-legal fields: information security, project management, information technologies, cybersecurity, etc. I particularly enjoy being able to develop my skills in these areas because it is both challenging and intellectually stimulating.
The required skills can, in my opinion, be grouped into three categories:
In French-speaking Switzerland, the majority of companies seem aware of the existence of a law regarding privacy and personal data protection. When we audit our clients, all (or almost all) claim to be aware that the new version of the FADP (Federal Act on Data Protection) came into force in September 2023. However, very few have embarked on a compliance program because very few realize that they are affected by this update. There is still a great deal of training and awareness-raising to be done among companies.
I do not think that the FADP has significantly changed the relationship between companies and their longstanding clients. However, companies that comply with the regulation tend to adopt a much more transparent stance with their clients, particularly because the new FADP has strengthened the duty to inform data subjects, as well as the right of access to data for data subjects. These elements contribute to a more respectful attitude and practices towards the rights of individuals, especially clients/consumers.
In my opinion, it is essential to establish a comprehensive compliance and data protection governance program to maintain such momentum over time. Indeed, the compliance program will allow the company to set milestones to be achieved over a specified period, aiming for continuous improvement. At sequal, we work extensively with the foundations laid by ISO 27001 and its extension dedicated to protecting sensitive data, ISO 27701, to provide our clients with this momentum. We believe these are excellent frameworks and working tools for achieving lasting compliance.
Processing personal data in compliance with regulations involves adopting a series of best practices, starting with undergoing an initial audit to assess the company’s compliance status. This audit helps identify the types of personal data processed, data flows, and associated risks. The result of this audit then allows for the development of a step-by-step compliance program. Rigorous documentation must first be put in place, including essentials of data protection (register of processing activities, personal data processing agreements, confidentiality clauses, etc.). This is not sufficient: compliance with the FADP cannot be ensured without robust IT security for the data. Therefore, we recommend implementing relevant security measures based on the company’s context. For example, we encourage our clients to adopt basic measures, such as no longer transmitting sensitive personal data in clear text via email but instead using secure platforms that we provide. We also propose measures such as data encryption, anonymization, good access control practices, and security incident management methods. By following these recommendations, our clients can not only comply with the FADP but also strengthen the trust of their clients and partners.
The role of Data Protection Officer (DPO) will, in my opinion, undergo certain changes in the coming years, particularly with the advent of new European regulations related to AI, the DMA (Digital Market Act), the DSA (Digital Service Act), etc. I believe that Switzerland will adapt as it did with the new FADP in response to the arrival of the GDPR, and that the mandatory Data Protection Officer, whether internal or external, will likely be impacted. At sequal, we are already frequently confronted with issues related to the use of AI tools, such as Microsoft Copilot. There is no doubt that these areas will increasingly become part of our daily routine.
The role of the Data Protection Officer (DPO) is essential to ensure companies’ compliance with data protection regulations. Their legal and technical expertise, as well as their organizational and interpersonal skills, make them a key player for any organization processing personal data.
If you would like to learn more about the responsibilities of a DPO, the challenges they face, or if you are interested in collaborating to improve your personal data management, please do not hesitate to contact us. We would be delighted to discuss your needs and support you in your compliance efforts.
Stay connected
