In this article we want to spotlight a data protection officer based on 10 questions he was asked by DPI. Christophe Gregoire, lawyer and DPO at MOLLITIA Consult, former student and current “Stay Tuner” at DPI, is happy to answer them.
How did you come to the role of DPO?
As a lawyer, I worked for a dozen years at ING, in functions focused on law and credit risk management. Member of the Management Committee of the Hainaut headquarters, I had the opportunity to meet companies of all sizes and all sectors. They gave me a taste for independence and the desire to help the smallest of them, which I did when I became an independent consultant nearly 20 years ago. I have, I think, an idealistic side and an unshakable conviction in the importance of the human factor. It is this facet of the GDPR that seduced and attracted me. I therefore enrolled in the DPI Certification Training Program. The virus was inoculated…
Which missions of the DPO role do you prefer?
Most certainly, awareness and training. “Why all these restrictions? They will break the dynamics of the business, the competitors do not do it, why us?” The reasons for opposing compliance are diverse and sometimes legitimate. In this context, I always start by recalling that even if we commonly speak of data protection, this text is aimed at that of natural persons with regard to their personal data. But also, and we often forget, the free circulation of this data. Two cardinal values of business.
How can you envisage doing business in an open economy like ours, without being able to rely on effective free movement? And how to perform without trusting relationships? We were strongly reminded of the importance of the human factor during the recent pandemic, overcome by changing a number of our behaviors. These are elements that must challenge management. It’s therefore up to the DPO to demonstrate that the GDPR is an opportunity, not a hassle.
What event in the privacy landscape has most affected/touched you so far?
I am always upset by the lack of consideration given by political leaders to the protection of personal data. The first contact that the citizen has with the State is the local administration. It must be irreproachable and compliance with the rules on personal data is part of the defense of fundamental freedoms. It was Montesquieu who said that the greatest harm a statesman does is not to ruin his people, but it is the bad example he sets. This also applies to decentralized power.
How would you describe the role of the DPO within your company?
For me, a good DPO must be able to defy the laws of schizophrenia…
Being both omnipresent to ensure that “by design and by default”, he puts his mark on the actions and decisions of the company. But also very discreet, making sure behind the scenes that everyone knows his role. It is by ensuring that the basic rules are known to everyone, from the front-line agent to the CEO, that we will make the compliance sustainable.
However, if the DPO is the director’s discreet adviser, he must also be able to step into the limelight from time to time. Being a good communicator will be an undeniable asset to obtain the support of everybody and to convince the sceptics. A happy schizophrenic, I told you…
In your opinion, what is the biggest challenge for a DPO?
Never forget the fundamentals and avoid the trap of excessive technicality. Article 12 of the GDPR requires the Controller to address Data Subjects in a concise, transparent, understandable and easily accessible manner, in clear and simple terms. I believe this also applies to the DPO if he wants to be effective. For the rules of the game to be respected and applied, everyone must first understand them. For example, according to surveys, between 80% and 90% of security breaches are caused by insufficient knowledge of the phishing technique. Once again, we come back to the human factor.
In your opinion, which technological development has the most impact on data protection (positive/negative)?
Without hesitation, Artificial Intelligence. “Jus est ars boni et aequi”: law is the art of good and fairness, states the Digest, a collection of opinions from the greatest jurists of our era. What would Emperor Justinian think today when he would discover ChatGPT? As a lawyer without any particular technical training, I am both fascinated and frightened by the way AI has intruded into whole swaths of our social life, including government decisions, health care, battlefields , attempts to influence elections, etc. This artificial intelligence carries with it the revolution of the labor market, that of the employee as well as that of the lawyer or the doctor.
Should a framework be created? And if so, which one? In the absence of a framework, how can we prevent AI from being able to “imitate a person so well, to the point that we cannot discern the silicon under the smile” as Michael Froomkin, eminent professor of law at the University of Miami writes? This reflection is at the same time exciting, challenging and frightening. As DPO, our role as a safeguard is only reinforced.
As DPO, what relationship do you have with the data subjects?
This is currently limited to contacts with the Data Subjects, which have to date always taken place in a calm atmosphere.
What is your best advice for putting data protection and information security higher on the management agenda?
Talk to them about their children, and the risks presented to them by our digital society, overexposure, overinformation.
As DPO, what is your Swiss army knife allowing you to overcome all your challenges?
Quite honestly, I think the Swiss army knife is precisely the image we should have of a good DPO. This is the qualifier that I have often been given in my career and I have always taken a certain pride in it. Data protection law is a transversal subject. The GDPR is a text considered ubiquitous by many, and even parasitic by those it bothers. It is up to us, as DPO, to adapt to the situations encountered, by bringing experience, creativity and persuasiveness.
How do you keep up to date with new trends in technology and GDPR legislation?
First of all, I try to insert myself in various circles because feeding on the experience of others is priceless. Being a rugby fan, I like to play in a team, a team that is moreover multifaceted. Then, I read a lot, from specialized articles and books to newsletters from experienced players, including the economic press, because understanding the challenges facing entrepreneurs allows me to better anticipate the questions that will be asked of me tomorrow morning.
And finally, but no doubt I should have started there, I am amazed by the professionalism of the DPI team and the quality of what is made available to us. Everything is done to make our lives easier. Thank you a thousand times.