The CNIL is the French data protection authority. As the regulator of personal data in the digital world, the authority assists professionals in their compliance, and helps individuals to control their personal data and exercise their rights. The Commission assesses the impact of technological innovations and emerging uses on privacy and freedoms, while working closely with its European and international counterparts to develop a harmonized regulation. To carry out its missions, the CNIL has the power to advise, to carry out on-site and online inspections and to impose administrative sanctions.
The main mission of the Department of Technology and Innovation (DTI) is to provide technological and IT expertise to all CNIL’s departments, and to build the institution’s vision on innovation and foresight. The DTI includes the technological expertise department, the IT department, the CNIL digital innovation laboratory (LINC) and the digital transformation unit.
Within this department, the Technological Expertise Department (SET) is responsible for helping to understand new technologies, the challenges they present in terms of privacy protection and the best practices that shall be applied. It assists other CNIL departments in the investigation of cases submitted by private or public organizations, and develops the Commission's doctrine on technical issues. It creates tools for companies and users, in collaboration with the other CNIL departments, particularly the LINC. It is also responsible for managing notifications of personal data breaches. Finally, it promotes the doctrine of the CNIL and the EDPS (European authorities) in France and internationally.
Two positions of cybersecurity engineer specialized in incident handling have been created in this department. Their main mission will be to manage security incidents involving personal data that are notified to the CNIL in the form of data breach notifications under Article 33 of the GDPR (approximately 5,000 per year). They will be in charge of analysing those incidents, both from a technical point of view and with regard to the risk for the individuals, of proposing possible actions to remedy the incident and of making use of the information received. Finally, they will carry out information systems security analyses on cases that the department will have to deal with.
These individuals will be part of the SET team, which is expected to grow to sixteen agents by 2022, and will work in pairs on notification processing, with support from the rest of the department.
Under the responsibility of the Head of Department and his deputy, and in collaboration with the team, these individuals will be responsible for the following activities:
Manage data breach notifications received by the Commission:
- process, analyse and qualify notifications, both from the point of view of information systems security and the consequences for individuals;
- determine whether and how individuals should be informed of the data breach that affects them;
- inform the hierarchy in particular on the most serious / sensitive cases, considering the consequences for people, the context and the nature of the organization, the possible media repercussions, and the technical aspects;
- transmit, where necessary, notifications to other competent data protection authorities of breaches affecting cross-border processing;
- discuss with the notifying bodies in order to answer their questions and/or to guide them towards appropriate solutions;
- proactively, or at their request, inform other Commission departments (communication, public relations, controls, sanctions, complaints, etc.) of cases that may be relevant to them;
- supervise and continuously improve the service provided by the CNIL, in particular the data breach notification teleservice and the management processes (backoffice).
Adding value to the notification management activity:
- participate in the drafting of articles for the CNIL website, for example "the violation of the quarter", in order to convey the Commission's messages;
- produce business indicators and statistics on breach-related activity;
- participate in drafting the breach and cybersecurity part of the annual report;
- manage the opening of data related to notifications (open data);
- inform other departments when vulnerabilities are discovered that could be the subject of Commission work and, where appropriate, participate in it;
- carry out external interventions in order to present the notification management activity or the legal obligations in this field;
- put forward proposals on the evolution of the notification management activity, in particular the implementation of new services for notifiers of the kind that a CERT or a SOC could offer.
Carrying out analyses on the security of information systems on cases (formalities, requests for advice) submitted to the Commission:
- analyse the security level of the processing described in the architecture files or the Data Protection Impact Assessment (DPIA);
- identify areas for improvement;
- write recommendations, notes or deliberations based on the conclusions of the analyses.
Required skills and qualities:
- Engineering degree or equivalent in cybersecurity, information systems security or computer science;
- At least two years of experience in crisis management or security incident management;
- Strong knowledge in information and electronic communication technologies, network and information system security, and the evaluation of IT strategies and risks;
- Knowledge of the GDPR and of the French law on data processing and liberties or at least a particular interest in this subject;
- Understanding of the issues involved in notifications to the Commission;
- Ability to popularize technical concepts and to work with non-technical profiles;
- Ability to synthesize information;
- Written and oral expression skills;
- Fluent in written and spoken English;
- Organizational skills;
- Responsiveness and ability to work under pressure;
- Rigor and respect for deadlines;
- Teaching skills;
- Ability to make proposals and take initiative;
- Teamwork skills;
- Interpersonal skills.
Status and application:
Contractual agent of the State on permanent contract. Public servants are subject to the regulatory provisions on ethics.
The position can be filled by secondment on contract (CDD) or by secondment of a civil servant from one of the public services.
Remuneration according to profile and experience.
Candidates wishing to apply for this position are invited to send a CV and a cover letter (in French) to the Human Resources Department, under the reference ICNV