RGPD regulation, the CIL becomes DPO

The new General Data Protection Regulation (GDPR) will come into force on May 25, 2018 validated by the European Union states in 2016. The aim is to strengthen the rights of EU citizens and give them greater control over their personal data. Companies will have to comply by May 24, 2018. To guide the company through the RGPD compliance process, the CIL will be a major asset.

The Data Protection Officer

The Data Protection Correspondent, or CIL, was created by the 2004 reform of the Data Protection Act and its 2005 implementing decree, with the aim of spreading the “data protection” culture.

The CIL applies the principles of personal data protection: definition of the purpose of processing, relevance of the data collected for processing, security, rights of the persons concerned by the processing and limited retention periods. It has thus become a key player in the regulation of practices. In this way, it contributes to better application of the rules governing the protection of personal data. The CIL function will evolve into the DPO (Data Protection Officer) function with the new European regulations (RGPD).

The map below, based on public data supplied by CNIL, shows the distribution of CILs by department. The figure shown on the department corresponds to the number of CILs declared to the CNIL as of February 16, 2018, out of a total in France of 18879. After the RGPD comes into force, the number of DPOs will be much greater than the number of CILs given the criteria for appointing DPOs for companies, so it will be interesting to compare the breakdown.

Advantages of choosing a CIL

The CIL is a vector for risk reduction, protecting the organization and its representative from major civil, administrative and criminal sanctions, and contributing to the cybersecurity of technical infrastructures. The appointment of a CIL has the effect of exempting the organization concerned from the formalities involved in declaring new processing operations to the CNIL. It also enables you to improve your control of the legal and technical risks associated with the processing of personal data, to be in direct and regular contact with the CNIL and to receive advice in the event of a CNIL inspection.

The job of data protection correspondent

The Data Protection Correspondent is a fairly recent profession, introduced with the Data Protection Act of 2004. Since then, its missions and responsibilities have expanded. The European regulation, adopted in 2015, obliges private companies and public administrations to adapt to a new evolution of the CIL profile. The appointment of a DPO will therefore be mandatory for companies with more than 250 employees and required in three specific cases according to Article 37(1) of the RGPD.

Appointing a CIL

The Data Protection Officer may be an employee or an external person. He or she must be qualified and interested in the field of IT compliance. It must also be protected from conflicts of interest, so that its organizational and decision-making freedom is guaranteed. The appointment of a CIL must be approved by the organization’s executive body.

Guarantor of all CNIL instructions, the CIL ensures compliance with all legal constraints imposed by the French Data Protection Act. The CIL may be an employee or an external party. This mode of practice means that a CIL often has another activity in the fields of law, IT…

The future of CIL

The CIL profession will evolve with the draft European Regulation. CILs will disappear, to be replaced by DPOs. It is therefore necessary for current CILs to be trained in these new European regulations and in the new missions assigned to them. DPMS offers training to understand the RGPD, to master the requirements of the law applicable on May 25, 2018, but also to learn about the evolution of the CIL profession towards that of DPO.

The CNIL provides articles explaining why the CIL has a vocation to become DPO in the context of RGPD compliance: https: //www.cnil.fr/fr/le-cil-et-le-futur-delegue-la-protection-des-donnees

For our customers, you should know that OKTEY, which publishes your Altospam email protection service, has been RGPD-compliant since January 16, 2018.