Can a CISO act as a DPO?
Georges Ataya |Author
Georges is lecturer and Academic Director of Cybersecurity Management at Solvay Brussels School, Vice-President of the Cybersecurity Coalition and Advisor at Ataya Partners.
The European General Data Protection Regulation (GDPR), which came into effect in May 2018, requires organisations to appoint a Data Protection Officer (DPO) in certain cases. Public and private sector organisations continue to grapple with whether to establish this role as a separate function or to integrate it with an existing one, such as the Chief Information Security Officer (CISO). When responding to such enquiries, I regularly advise the inquirer to verify three basic criteria:
1. The Role and Authority of the DPO
The DPO should have direct contact with business managers and should be involved in the activities that affect their operations. Adequate authority, independence and clearly defined responsibilities are prerequisites. On independence, the guidelines issued by the Article 29 Working Party (WP29, now succeeded by the European Data Protection Board) state that conflicting positions within the organisation may include senior management roles, but that the decisive test is whether the person determines the purposes and means of processing personal data. A CISO who decides how and why personal data is processed cannot independently monitor that same processing. A case-by-case analysis should therefore be performed by the company's management.
2. Managing Conflicts of Interest
Potential conflicts between a company's own objectives for the three main information security properties (confidentiality, integrity and availability) and the DPO's duty to protect the interests of data subjects (employees, clients and prospects) need to be carefully considered. Article 38 of the GDPR stipulates that the DPO must be provided with the resources necessary to carry out the tasks, and that any other tasks and duties assigned to the DPO must not result in a conflict of interests.
3. Required Skills and Capabilities
The skills and capabilities required of a combined CISO-DPO may be hard to find in a single professional. Recent education initiatives dedicated to Data Protection Officers identify five domains of skills necessary for the role. These domains may be covered by one person or by a team, potentially with external expertise:
- Understanding legal and management requirements essential for establishing a Data Protection policy, strategy, and program plan.
- Conducting Data Protection Impact Assessments to identify risks, mitigations, and necessary improvements.
- Implementing the transformation process and ensuring compliance across tools, applications, services, data flow mechanisms, and new business functions.
- Developing information security capabilities for effective protection.
- Establishing capabilities for incident handling and communication in the event of a data breach.
While the cases in which the GDPR makes the appointment of a DPO mandatory are unlikely to apply to small organisations, smaller entities without a dedicated CISO function may be tempted to combine both roles. Article 37 of the GDPR allows the DPO's tasks to be fulfilled on the basis of a service contract, so external support for the DPO function is an option.
It remains essential that both DPO and CISO activities are organised as a second line of defence. Business managers, as the first line, ultimately retain responsibility for their risks and for their protection activities. A support function carrying out DPO responsibilities remains accountable for monitoring compliance, providing advice and raising the risks it identifies.
In conclusion, the DPO role remains vital to ensuring data protection and privacy compliance. Organisations should keep up to date with evolving regulations and guidelines, and should apply the three criteria outlined in this article, namely the role and authority of the DPO, the management of conflicts of interest, and the required skills and capabilities, when deciding whether a CISO can also act as DPO.