DPO and CISO – two ‘hats’ for one person… or not?
After a privation of almost two years, leavened by a series of webinars, Orange’s DPO Jan Léonard could once again chair a ‘live’ meeting of the Privacy Focus Group. The group got straight back on track with a couple of interesting, indeed lively discussions, the first of which concerned the ‘effectiveness and strategic role of the DPO’.
The diversity of the Coalition members invariably guarantees valuable and varied exchanges of experience in the working groups. On this occasion, Stéphanie De Clercq (BNP Paribas Fortis), Taco Mulder (CHU Brugmann – HUDERF), Laurie-Anne Bourdain (Isabel Group) and Gwendoline Brys (DKV and Ergo Insurance) explained the position, activities and reporting duties of the DPO in their organizations. Owing to particular aspects (sensitive personal data, group structure), regulations (financial sector), available resources (tools, budget), maturity levels and other factors, there were plenty of differences as well as similarities in the position and actions of the DPO across their organizations. In most cases, the DPO sat in the second of three lines of privacy/data protection, cooperating with multiple parties throughout the organization and often reporting up to board level. Common activities include monitoring data protection measures, providing advice, raising awareness, internal and external (DPA) reporting, and more.
Almost universally, the effective functioning of the DPO depended on ‘satellites’ (a.k.a. business risk officers, antennae, eyes-and-ears…) in the ‘business’ departments of the organizations. Part of the first line of protection, these embedded privacy champions are trained to catch (potential and real) privacy incidents, and to proactively raise privacy concerns when new ideas (business opportunities, processes, solutions) are conceived. Furthermore, cooperation between DPOs and specialists (e.g., on DPIAs) is strongly advocated. Several constraints, such as a lack of resources (tools, budget, staff) and lagging maturity levels, result in some rather pragmatic approaches. For instance, a single-person DPO may be backed up by calling upon the services of a counterpart at a peer organization.
CISO and DPO – irreconcilable jobs for one person?
The need for some pragmatism segued into a discussion of whether a single person could combine the positions of DPO and CISO without a sanctionable conflict of interest. Indeed, the DPO must remain solidly independent in his advisory function, without assuming responsibility for actual decision-making and implementation. So common wisdom says ‘no’ to this combination as ‘too risky’. Another point of incompatibility raised was that a ‘DPO protects the rights of individuals, while a CISO protects company assets’.
On the other hand, the advantages of one person wearing both ‘hats’ were also pointed out, particularly as DPO is often a part-time job. ‘I can put pressure in either of my roles,’ noted a DPO/CISO, while pointing to his reporting line as the means of avoiding conflict: ‘I run less of a risk of conflict when I report to the CEO than to the CIO.’
Moreover, a strict separation of these functions is probably impossible in small and medium-sized companies, where most employees wear multiple hats out of sheer necessity. This represents a particular problem in small companies handling large volumes of personal data of a sensitive nature.
Notwithstanding some litigation, the issue of sharing DPO/CISO responsibilities is not yet a clear-cut case.
A final point of discussion concerned a sectoral approach to resolving the needs of (smaller) companies. Codes of conduct could be a solution, but significant obstacles remain, such as the inherent costs of the related ‘monitoring bodies’. An acceptable and less rigorous option would be the pursuit of guidelines.