You were appointed DPO three years before the regulation's entry into force. What led to your appointment?
Yes, I became group DPO in 2015. This appointment was part of our overall risk management policy. It led to the creation of a "Risks, Compliance & Insurance" Division with a very strong Compliance focus. The main goal of my mission is to set up a Data Compliance programme to protect customer/resident data, aligned with future business issues (omni-channel company, digital development, data mining), respecting the Group's fundamental values (honesty, transparency, respect for others) and complying with the European regulatory framework which is becoming increasingly stringent. ADEO is a group composed of a federation of autonomous companies, not all of which are European. We realised that we needed someone to "conduct" all of these companies, backed by a network of local correspondents. I currently report to the risks director, who reports to the general secretary.
What are your priority tasks?
There are three main parts to my mission:
- Construct and approve governance and data protection rules, with the concerned BUs (marketing and human resources)
- Increase awareness/train all affected employees in these topics
- Define compliance monitoring rules and begin reporting to management
In practice, I work with internal auditing on Privacy by Design. We want to develop self-monitoring but for that we need to provide the right tools. I'm also in close contact with IT (and especially my replacement as the Group CISO). We've also added the Personal Data aspect to major Cloud Computing files. Last, I work with the legal department, making sure that subcontracting contracts comply with data protection rules.
How does a CISO become DPO?
CISOs are expected to be aware of Regulatory Compliance in their daily work. They need to consider many legal constraints when defining and applying a corporate ISSP. Intellectual property, trademark law, HADOPI, the Data Protection Act, the "Telecoms Package", LCEN, methods of payment regulations, and cryptography regulations are all topics CISOs need to at least be aware of, and ideally know in depth. For example, it's difficult to set up a binding charter on good IS use if you don't consider all these constraints.
Personally, I've been applying the regulatory and legal framework as a security engineer since 1999. I've kept abreast of major changes by reading a great deal as part of my own personal development. In particular, I've been following the European regulation since its beginnings in 2012. And when we began working on the outlines for the DPO position at ADEO, I created a three-day legal training programme with the legal department at ISEP to learn the basics of the Data Protection Act, followed by ten days of specific training with Diane Mullenex and her team (CNIL-approved training for the Data Protection Act part) in order to gain skills in the future European framework, but also in the current laws of non-EU member States where ADEO is present.