GDPR Compliance: Should CISO Serve as DPO?
Sorting Out the Role of the Data Protection Officer
As organizations that handle the data of Europeans settle into the third year of enforcement of the EU's General Data Protection Regulation, some are struggling to define and understand the role of a data protection officer as required under the regulation - including whether the CISO should take on the extra role of DPO.
Under GDPR, an organization must designate a DPO if it is a public body, or if its core activities involve large-scale processing of sensitive (special-category) personal data or large-scale, regular and systematic monitoring of individuals.
A joint report by the International Association of Privacy Professionals and Ernst & Young, published last year, revealed inconsistencies in how companies are implementing the DPO role, including whether the CISO also serves as DPO.
When Is DPO Required?
Article 37(1) of GDPR requires the designation of a DPO in three specific cases:
- Where the personal data processing is carried out by a public authority or body;
- Where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.
"Core activities" refers to the key operations necessary to achieve an organization's goals.
For example, the core activity of a hospital is to provide healthcare. But a hospital cannot do that without processing health data, such as patients' medical records. Processing that data should therefore itself be considered a core activity, and because health data is a special category processed on a large scale, a hospital handling substantial volumes of Europeans' data must designate a DPO.
CISO as DPO?
While some say it's appropriate for CISOs to serve as DPOs because the roles complement each other, others argue the DPO position should be separate.
"The DPO has to perform a balancing act in an organization," says Gregory Dumont, who serves as DPO as well as CISO at U.K.-based SBE Global, a provider of repair and after-sales service solutions to the electronics and telecommunication sectors. "He has one foot in the organization, one hand holding the data subjects' interests, one hand holding the supervisory authorities, and another foot elsewhere since he has to be independent. This is, I believe, where the confusion comes from, and why many organizations struggle to position the DPO within their structure. Some DPOs are outside counsels; some DPOs sit within compliance and report to the CPO; some DPOs sit in the legal department."
But Guy Leibovitz, CEO of Cognigo, an Israeli data security developer that was acquired by NetApp, wrote in a blog post that the DPO needs to be a separate position.
"A CISO defines the technical actions to be taken in order to ensure the security of corporate IT assets and data, and these may be contradictory toward personal data security, privacy and confidentiality assurance," he says. "In fact, the DPO would be auditing the advice, decisions and policies of the CISO, as well as all other departments."
Some organizations are struggling to determine whether a DPO should be part of their legal or compliance teams.
"Ideally, a DPO function should be independent of all functions," says Rob Masson, CEO at U.K.-based The DPO Center, a data protection resource center. "What organizations must accept is that legal and compliance are there to serve the needs of the company. The DPO role is ideally there to serve the needs of the data subjects you process data on. The DPO should therefore - as much as it is possible - be independent and report to a C-suite executive."
Masson says GDPR requires the DPO to work alongside the larger IT operation while remaining independent of it.
"The employer can't instruct the DPO on how he needs to function or the action he needs to take. As a result, DPOs often get into an unsaid conflict with IT teams," he says. "The role becomes all the more tricky since DPOs, despite acting independently of organizations, are ultimately on their payrolls. This often can lead to a lot of conflict."
Masson asserts that having a CISO also serve as DPO is "clearly a conflict of interest." He adds: "A CISO has a fiduciary duty toward the organization whereas a DPO has a duty toward people. If a breach takes place, a CISO in all practical sense has to play down the breach, whereas, as a DPO, he would have to protect the rights of data subjects. How can one person perform the same task?"
But Dumont, who serves as DPO and CISO at SBE Global, offers a different point of view.
"Some people say that the CISO works to protect the company whereas the DPO works to protect the data subjects. Again, I think that reasoning is erroneous because the CISO and the DPO both act to protect the organization. Protecting customer data is also in the interest of the organization, not just the data subjects," Dumont says.
The Value of Independence
Cathal Ryan, assistant commissioner at Ireland's Data Protection Commission, wrote recently that the DPO position is akin to that of in-house counsel because the DPO must be independent and raise privacy issues with the highest level of management. "However, unlike the role of in-house counsel, who must complete several years of education and training to be qualified, there are no training requirements for a DPO."
DPOs often lack the backing and support of the organization when raising privacy issues, Ryan says. "Therefore, a DPO must be a strong, influential individual that sticks to their guns regardless of how the organization reacts to the issues raised."
Creating a model for the DPO role that would work for all types of organizations all over the world is unrealistic, Ryan says. "Perhaps uniformity throughout sectors is the most appropriate way to approach the role of a DPO, as each sector deals with data protection differently," he says.
Ryan says key challenges include:
- The lack of GDPR training courses available and the lack of a consensus on minimum qualifications for the DPO role;
- The difficulty in coordinating requests from consumers to access or erase their data;
- The volume and scope of the work involved in the DPO role;
- A lack of resources and expertise;
- Data retention issues;
- The need to change organizational culture to make privacy protection a priority.