CISO - DPO: The twain are different.
Dinesh O Bareja
Cybersecurity Consultant | Specialist - ISO27001, ISO27701, GRC, BCMS, RBI | Trainer - ISMS, TPRM, Auditing, Cloud Security, GRC | BCP/DR Drills | Helping Businesses Assess Security Needs & Achieve Security Excellence
Thinking on a Friday
I put out a survey last week on LinkedIn and, at the time of writing, this is the result:
Maybe I should have included another option of DPO as I do believe that a number of folks who have chosen InfoSec may have wanted to bifurcate the role.
However, in a number of interactions with other professionals I find that many hold the opinion that the CISO can be the DPO, which (in my opinion) is a fallacy. This is the case with legal professionals as well as with the droves of CISOs who have acquired shiny certificates from the various training organizations!
If you look at nations where Privacy compliance is mature, you will see that this is not practiced.
There is a huge conflict of interest if the same person is designated and appointed CISO+DPO.
Check the areas of conflict
Even if we do not look West these are sufficient grounds to ensure that the CISO and DPO offices are kept separate.
Remember that the DPO carries a responsibility to ensure that the company does not fall foul of the law and face a Rs 250 cr liability. In contrast, the CISO faces no such liability in the event of a data breach!
Yes, the most the CISO faces is the bad music from the Board, or CERT may come and rap the organization on the knuckles. Nothing more. Even if the company is "audited" by a CERT empaneled auditor, there may be nothing more than a mild wave which touches their shores.
Does the law say anything about this, or will the DPB give any guidance? We have to wait and see. Until then one can hope that good sense and judgment prevail in the corridors of HR and the Board, and that existing CISOs are not issued DPO letters!
However, as it stands, most companies have dual-designated personnel with no guidance or knowledge of what lies ahead of them.
Let's pray, as always!
-Dinesh Bareja
#Privacy #DPO #CISO #DualRoles
Founder & CEO, SpyVeil | Cyber Security Advisor | Protecting VIPs/HNIs/HVTs/CxOs | Licensed Amateur/HAM Radio Operator | Emergency Communications | Partner & Advisor, SyncZero
2 months
These are clearly two different roles. Hypothetically, even if a CISO was capable of handling both the legal & technical aspects, I doubt it would be logistically feasible for a single person to manage all the listed responsibilities properly.