DPO: condemned to inefficiency? Break with the chimeras of pure and perfect conformity

This text is a manifesto, nourished by 17 years of experience spent working with personal data, as well as by the frank and often bitter feedback from my students and partners.

The paradoxes of the DPO: manifesto for sincerity, pragmatism and fair measure

Since 2018, the Data Protection Officer (DPO) has been established as a cornerstone of digital trust in Europe, in the lineage of the CIL (Correspondant Informatique et Libertés) championed by our dear Alex Türk. Its role, of undeniable nobility, is to ensure the application of the General Data Protection Regulation (GDPR). However, at a time when Europe is piling up texts (DSA, DMA, AI Act), the DPO in the field is caught in a bind. This is no longer the time for playing the victim, but for professional sincerity and shared responsibility.

This manifesto aims to question the posture of all the players: the companies that underestimate the workload, the DPOs who let themselves ossify, and the authorities that must find the right balance in the regulatory wave.

1. THE PARADOX OF MEANS: the DPO ossified from the job description onward

The first false note concerns the means and the definition of the function. The workload keeps growing, but the DPO's effectiveness is often doomed from the job description onward.

  • The Workload and Isolation Trap

The DPO is supposed to be an expert in law, IT, information security (SSI), project management and communication, all steeped in the culture of the organization and its business lines. The observation is stark, relayed by AFCDP studies and feedback from the field: many DPOs work part-time, with a paltry time allocation, and are often isolated.

Today's DPO is ossified not only by overload, but also by an internal lack of understanding of the complexity of the role.

This is the observation that the AFPA was able to relay: the DPO no longer has the time for his own regulatory watch and training. The inability to train is a sign of systemic sabotage: the company asks him to be the guarantor of compliance without giving him the time to assimilate developments (business, regulatory, technological, etc.). Investment in GRC tools, automated data mapping and human resources is too often perceived by top management as a "cost", and not as a strategic investment guaranteeing resilience. The lack of an adequate budget creates an undersized DPO doomed to inefficiency. The icing on the cake: "we bought you a tool, that is enough spending for this year."

  • The schizophrenia of conflict of interest

The effectiveness of the DPO is undermined by the mixing of genres. Too often, for reasons of economy or ignorance, the function is combined with other responsibilities: CISO, Legal Director, or Quality Manager. I even saw a naturopath acting as DPO for a pharmaceutical lab.

This accumulation has two harmful consequences:

The Conflict of Interest, castigated by the GDPR (Article 38(6)) and European case law: how can the CISO evaluate the DPIA of his own security system? How can the Legal Director be in a position to contest or criticize a decision taken by his own management? The DPO loses his neutrality and his ability to raise alerts independently, unless balancing measures are put in place.

"Professional Schizophrenia": even without a direct conflict of interest, the accumulation of roles places the DPO in a state of chronic mental pressure. He is both the devil's advocate (the internal controller) and the project leader (the operational). This twist is already present in the GDPR itself, since the DPO must monitor compliance in addition to helping implement it. This constant back and forth between strict compliance and business feasibility not only weakens his posture, but generates fatigue and inefficiency that spill over onto every file. A DPO must be a balancing factor. To do so, he must be DPO and nothing else.

2. THE PARADOX OF POSTURE: from “Compliant” to “Risk Driver”

Responsibility for the weakening of the role does not lie solely with the company. DPOs must also examine their conscience and revise their discourse.

  • Denouncing the myth of “We are compliant”

Based on my 17 years of experience, I affirm that total compliance does not exist. It would be too expensive, too cumbersome and counterproductive. However, we still too often hear DPOs "trumpeting" that they are compliant. This statement is at best a pipe dream, at worst a managerial lie.

When it comes to data, the only professional posture is risk management.

The DPO must be the risk strategist: identifying, evaluating and accepting residual risks in agreement with management. To assert "total compliance" is to deprive oneself of the ability to communicate gray areas in order to obtain the budgets needed to resolve them. It means settling for a regulatory veneer that will be swept away by the first breach, the first CNIL inspection, or even the first reasonably informed glance.

Personal anecdote: a leading bank has just asked a client of mine, in an RFI, among 100 questions: "Are you GDPR compliant?" As I write these lines, my DPO heart is torn between answering "yes, we have a DPO", "yes", and "no, no more than you". My client, whom I had made well aware of the issue, replied to me in an iconoclastic tone: "why do they care how long we keep our employees' pay slips?"

  • The Devil in Shadow IT: the failure of data culture

The most scathing evidence of this complacency lies in the operational details. How can one assert compliance when the following are allowed to thrive (non-exhaustive list):

  • The inextricable complexity of unapplied retention periods, inherited from legacy systems.
  • The risk of free-text comment fields in business tools.
  • And above all, the Hydra of Shadow IT: the famous Excel spreadsheets souped up with macros, VB and VBA. These parallel databases, ungovernable and insecure, are proof that data culture and Privacy by Design have failed.

These gray areas reveal that compliance is seen as a bureaucratic exercise, not as a security and governance requirement. The DPO cannot declare himself "compliant" until Shadow IT is mapped and controlled.

3. THE PARADOX OF PRIORITIES: the DPO contributes, he does not lead

If the GDPR is our foundation, Europe is now surrounding it with a wave of regulation (DSA, DMA, AI Act). These texts are crucial, but they raise the question of the proper role of the DPO in the face of this expansion.

  • The balance of authority priorities

It is natural that the CNIL is asked to position itself on AI, because it is the authority with the strongest technical and legal legitimacy in analyzing the risks linked to information systems and algorithms.

However, it is essential to question the balance of its priorities. Does the quest for leadership on AI not divert too much energy from the fundamental mission: the strict application and exemplary sanction of recurring violations of the GDPR? The case of a state operator like France Travail (formerly Pôle Emploi), which multiplies violations without public sanction, sends a disastrous message about the need to invest in compliance. The authority must find the right balance between anticipating the future and rigorously executing in the present.

  • The role model: labor law and cybersecurity

The DPO must not get caught up in a leadership race on the AI Act. His role in the face of these new texts must be the one he has always had on essential related subjects.

The DPO simply needs a veneer of knowledge of, and to be a CONTRIBUTOR on, AI, DSA and DMA, just as he is on:

  • Labor law: the DPO has a veneer of knowledge and is consulted on the deployment of HR tools or teleworking, but leadership and responsibility remain with the HR director.
  • Cybersecurity (NIS2): the DPO collaborates on documentation and risk analysis, but the technical and operational leader remains the CISO.

The workload equation is impossible to solve if the DPO wants to absorb everything. He must focus on his core business, the GDPR, and contribute his expertise on AI (personal data management, documentation, data subjects' rights) without being the leader. The DPOs who campaign to take charge of AI are either:

  • already in fully controlled GDPR risk management, or
  • driven by a somewhat naive desire to further broaden their field of intervention.

The Reconquest through empathy and sincerity

This widening gap is dangerous. It leads to DPO exhaustion and, worse, to the potential uselessness of the function. It is time for all of us (companies, authorities and DPOs) to examine our consciences.

Regaining the DPO function involves:

  • Professional sincerity: replace the discourse of "we are compliant" with "we manage priority risks". Communicate uncovered residual risks in a structured manner, and obtain arbitration from Management.
  • Intransigence on independence: refuse the conflicts of interest and accumulations of roles that lead to schizophrenia. The DPO must be independent, or at least not hold a role that would lead him to evaluate himself.
  • Refocusing: concentrate on the heart of the GDPR (fighting Shadow IT, training users). Be an expert CONTRIBUTOR and not an exhausted leader on new regulations (AI Act, DSA).
  • Demands on Management: managers must stop perceiving the DPO as a cost center. Budgeting for compliance is an imperative for resilience.

The issue is not the survival of a function, but the credibility of European digital regulation as a whole. It is through kindness and empathy, cardinal values of the AFCDP, that we will be able to collectively address these sensitive subjects without ostracism, and thus succeed in our mission. Let's adopt pragmatic compliance, and stop lying to ourselves.
