Can a CISO act as a DPO?
The new European General Data Protection Regulation (GDPR) requires, in certain cases, the appointment of a Data Protection Officer (DPO). Public and private sector organizations are wrestling with whether to create a separate role for it or to merge it with the existing Chief Information Security Officer (CISO) function. When asked, I regularly advise the inquirer to check three basic criteria.
The first criterion is whether the organization actually has a full CISO, driving information security and information risk management, or merely a manager in charge of IT security. The DPO must have direct contact with business managers and carry out a series of activities that affect their operations; adequate authority, independence and responsibilities are prerequisites. Regarding independence, the Article 29 Working Party (WP29) said in its guidelines on DPOs that "As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing". So this is a case-by-case analysis that the company's management has to perform.
The second criterion concerns the potential conflict of interest. The CISO's main activity is pursuing the three classic information security objectives (confidentiality, integrity and availability) in the company's own interest. The DPO, by contrast, must protect interests that are not necessarily aligned with the company's: those of the data subjects (employees, clients, prospects) whose personal data is held. Article 38 of the GDPR requires that the DPO be provided with the resources necessary to carry out the tasks, allows the DPO to fulfil other tasks and duties, but requires the controller or processor to ensure that those other tasks and duties do not result in a conflict of interests.
The third criterion concerns the skills and capabilities of the proposed CISO-DPO. Professionals who combine both skill sets are uncommon, and the two mindsets can at times run counter to each other. Our recent Data Protection Officer programme at Solvay Brussels School (solvay.edu/it) identifies five skill domains required for this role.
These domains, which may be covered by one person or by a team, possibly assisted by external expertise, are the following. The first is understanding the legal and other management requirements needed to establish a data protection policy, a strategy for achieving it and a programme plan. The second is the ability to conduct a Data Protection Impact Assessment (DPIA) to determine the risk gap, the mitigations and the necessary improvements. The third is implementing the transformation and making the change effective across tools, applications, services, data flow mechanisms and new business functions that respond to compliance requirements.
The fourth domain is information security and building the capabilities needed for effective protection. The fifth covers incident handling and the communication required in the event of a personal data breach, including notification to the supervisory authority and, where required, to the affected data subjects.
Although the cases in which the GDPR makes a DPO mandatory are unlikely to apply to small organizations, smaller organizations, which may not even have a CISO function, will obviously be tempted to staff both activities in a single role. The function can also be staffed externally: Article 37(6) of the GDPR states that the DPO "may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract".
It seems to me essential that the activities of both the DPO and the CISO be organised as a second line of defence. This means that business managers, as the first line, remain ultimately responsible for their risks and their protection activities, while the support function performing DPO activities remains accountable for monitoring compliance, providing advice and addressing risks.