Privacy Specs on CISO vs DPO vs CPO

Can a CISO of the organization act as a DPO?

This article examines whether a CISO can also hold the role of DPO in an organisation. To answer that, it is first necessary to understand the roles and responsibilities of the DPO, the CISO, and the CPO. The DPO is a statutory role: Article 37 of the GDPR defines when one must be designated and even allows a group of undertakings, or several public bodies, to share a single DPO. The CPO and CISO, by contrast, are roles that companies create themselves, without any statutory mandate, to ensure adequate privacy and security compliance.

DPO, CPO, CISO

("Data Protection Officer", "Chief Privacy Officer", "Chief Information Security Officer")

The DPO

Roles and Responsibilities:

An organisation's data protection officer (DPO) independently ensures that the laws protecting individuals' personal data are followed. Articles 37, 38, and 39 of the EU General Data Protection Regulation (GDPR) set out the designation, position, and tasks of a DPO within an organisation. Mandatory appointment of a DPO has since been adopted by privacy laws in many other countries. The DPO coordinates with the Legal, Compliance, Public Policy, and Information Security teams to develop and monitor the policies and standards that apply to the business and to check that they comply with the GDPR.

Reporting Authority:

Under Article 38(3) of the GDPR, the DPO must report directly to the highest management level. The DPO must not receive instructions on how to carry out their tasks and cannot be dismissed or penalised for performing them, but they must have access to the top management who make the decisions about the processing of personal data.

The CPO

Roles and Responsibilities:

The role of a Chief Privacy Officer is largely that of a corporate legal adviser. The designation "Chief Privacy Officer" is not mandated by any legislation; the CPO serves in a leadership role for privacy compliance. Many organisations nevertheless choose to appoint a CPO to design and implement comprehensive privacy programmes and strategies across the organisation covering both data protection and information security. The CPO provides legal and regulatory guidance on privacy compliance and proposes strategic privacy decisions as required.

Reporting:

The CPO typically reports to the Chief Compliance Officer or the Chief Operating Officer, depending on the organisation.

The CISO

Roles and Responsibilities:

The CISO is dedicated to information security and the protection of data, including personal data. The CISO ensures adequate protection of the organisation's digital information assets, develops security strategies, and advises top management on the information security risks facing the enterprise. The CISO coordinates with executive management and directs the enterprise's information security organisation. The CISO's information security programmes protect the organisation's applications and technology while supporting business outcomes.

Reporting:

The CISO reports to the C-suite.

Can a CISO assume the designation of DPO?

Whether a CISO can also be the DPO is a frequently asked question. The GDPR requires the DPO to report directly to the highest management level and to act independently, and it expressly requires that any other tasks assigned to the DPO do not create a conflict of interests. Combining the two roles is therefore not advisable, for the reasons set out below:

Link to the DPA:

  • Under Article 39(1)(d) and (e) of the GDPR, the DPO cooperates with the Data Protection Authority (DPA) and acts as the organisation's contact point for it, performing these tasks independently. The CISO, which is not a statutory designation, works under the CSO or other C-suite executives to carry out their duties and is therefore not an independent position.

Conflict of interests:

  • The CISO is an internal management position, bound by the organisation's own rules and priorities, and is not regarded as an independent authority. The DPO, on the other hand, monitors the organisation's compliance with the GDPR (Article 39(1)(b)), which includes the security measures the CISO owns. A CISO acting as DPO would be auditing their own work. The Article 29 Working Party guidelines on DPOs (WP243) name the head of IT among the positions likely to conflict with the DPO role for exactly this reason.

Undermining of GDPR principles:

  • If a CISO took on the position of DPO, they would have to assess the adequacy of the technical and organisational security measures (Article 32) that they themselves selected, and could be tempted to tone down their own findings where the two roles pull in different directions. This is precisely the situation Article 38(6) of the GDPR is designed to prevent: "The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests."

Independence of DPO:

  • The GDPR expects the privacy and security functions to work together: the DPO is to be involved, properly and in a timely manner, in all issues relating to the protection of personal data (Article 38(1)). At the same time, the organisation must recognise the DPO's independent position, even though the DPO works within the organisation.

For instance, on 28 April 2020 the Belgian Data Protection Authority (DPA) fined a company €50,000 for violating the GDPR in relation to its DPO. The company had designated its head of compliance, risk management, and audit as its DPO. The Belgian DPA found that the appointment created a conflict of interests, in particular because that head of department decided on the purposes and means of processing within the compliance, risk, and audit functions and had authority over the staff in those departments.

Alternative position that can be taken up by the CISO:

As described above, privacy and security must collaborate. A CISO may instead combine their position with that of CPO, a role that calls for skills in leveraging technology to build privacy and security requirements into product designs, automating controls, governing AI and machine learning, and so on. The CPO is further responsible for aligning privacy, information security, and business objectives. Because the CPO, unlike the DPO, is not a statutory designation, the Article 38(6) conflict-of-interest test does not attach to it; it would apply again if the same person were later designated as DPO.

Disclaimer: The content provided in this blog is for informational and educational purposes only and is deemed "fair use". Any reference to or reproduction of copyrighted content is made without specific authorisation from its author.

tsaaro.com for any Privacy work

academy.tsaaro.com for getting trained in Privacy

Charukant Sharma

Global Entrepreneurial Technologist | Enterprise Architect | Product Development | Digital Transformation Catalyst

1 yr

Quite an informative article.

Dave Singh

Consultant | Business Development | Data | Ai | Automation | Digital Transformation

2 yr

Thanks for sharing Akarsh Singh

Sameer Desai

Head - IT Security Services at ProTechmanize Solutions Private Ltd

2 yr

Nicely explained Akarsh !

Shalini Garg

Privacy Assessment Domain Manager | Technology Lawyer | Data Privacy | AI Governance | NALSAR | One Trust Certified | PrivacyOps Certified |

2 yr

Thanks for posting

Adam Augustine

global data privacy & cyber security Risk and controls advisor

2 yr

Very useful
