The importance of the data protection officer in SMEs

In the General Data Protection Regulation (GDPR), the Data Protection Officer (DPO) has a central role. A survey conducted by Innofact for Usercentrics and Siinda shows that only 16% of companies do not have one.

Helping companies comply with the GDPR

Described by the CNIL as the "conductor" of data protection compliance, the DPO informs and advises the company that has appointed him/her and monitors compliance with the regulation and national law.

This support takes the form of various actions:

  • mapping processing activities,
  • prioritizing actions to be taken,
  • managing risks,
  • organizing internal procedures,
  • documenting compliance.

The Data Protection Officer is also required to manage compliance by:

  • structuring and coordinating their internal and external network,
  • raising employee awareness through the creation of thematic content and the initiation of a global reflection on the implementation of a data protection policy within the structure in which they work.

The appointment of a DPO is mandatory if:

  • processing is carried out by a public entity,
  • the structure carries out "regular and systematic monitoring of individuals on a large scale", or processes sensitive data or data relating to criminal convictions and offences.

If the organization does not meet any of these criteria, the appointment of a data protection officer remains optional.

SMEs consider themselves well positioned when it comes to data protection

The progress made by European SMEs since the GDPR came into force in 2018 is real. A study on the subject was commissioned by publisher Usercentrics and business association Siinda, in which 600 executives working in French, German and British SMEs were surveyed. The results show that over 68% of those surveyed consider themselves to be well positioned when it comes to data protection. What's more, most European companies have a data protection officer. Only 16% say they have not appointed one.

Even so, in France, the CNIL, which plays a major role in monitoring and enforcing the GDPR, considers that much remains to be done. Indeed, the appointment of a DPO does not guarantee that data privacy issues are fully taken into account. According to AFPA, in 2020, 63% of data protection officers did not benefit from a specific budget.

Today, 41% of French companies believe that data protection is good for them. However, a quarter of those surveyed perceive compliance as a cost center and see their business model threatened by tightening regulations. Thus, the hopes and expectations raised by the adoption of the GDPR have yet to be realized.