DPO and CISO – two ‘hats’ for one person… or not?

After a privation of almost two years, leavened by a series of webinars, Orange’s DPO Jan Léonard could once again chair a ‘live’ meeting of the  Privacy Focus Group. Getting straight back on track with a couple of interesting, indeed lively discussions – the first of which on the ‘effectiveness and strategic role of the DPO’.

The diversity of the Coalition members without fail guarantees valuable and varied exchanges of experiences in working groups. On this occasion, Stéphanie De Clercq (BNP Paribas Fortis), Taco Mulder (CHU Brugmann – HUDERF), Laurie-Anne Bourdain (Isabel Group) and Gwendoline Brys (DKV and Ergo Insurance) explained the position, activities and reporting duties of the DPO in their organizations. Due to particular aspects (sensitive personal data, group structure), regulations (financial sector), available resources (tools, budget), maturity levels and other elements, there were plenty of differences and similarities in the position and actions of the DPO in their organizations. In most cases, the DPO was part of the second line of privacy/data protection (of three), in cooperation with multiple parties throughout the organization, often reporting up to the board level. Common activities include monitoring data protection measures, providing advice, awareness raising, internal and external (DPA) reporting and more.

Almost universally, the effective functioning of the DPO depended on ‘satellites’ (a.k.a business risk officers, antennae, eyes-and-ears…) in the ‘business’ departments of the organizations. Part of the first line protection, these embedded privacy champions are trained to catch (potential and real) privacy incidents, and to proactively raise privacy concerns when new ideas (business opportunities, processes, solutions) are conceived. Furthermore, the cooperation of DPOs with specialists (e.g., about DPIAs) is highly advocated. Several constraints – lack of resources (tools, budget, staff), lagging maturity levels… – result in some rather pragmatic approaches. As for instance, backing up a single person DPO by calling upon the services of a counterpart at a peer organization.

CISO and DPO – irreconcilable jobs for one person?

The need for some pragmatism segued into a discussion whether a single person could combine the positions of DPO and CISO, without a sanctionable conflict of interest. Indeed, the DPO must remain solidly independent in his advisory function, without assuming responsibility for actual decision-making and implementation. So common wisdom says ‘no’ to this combination as ‘too risky’. Also, a ‘DPO protects the rights of individuals, while a CISO protects company assets’ was another point of incompatibility.

On the other hand, the advantages of a person wearing both ‘hats’ were also pointed out, particularly as DPO is often a part time job. ‘I can put pressure in either of my roles’ noted a DPO/CISO, while pointing to his reporting line for conflict avoidance, as ‘I run less a risk of conflict when I report to the CEO than to the CIO.’

Moreover, a strict separation of these functions is probably impossible in small and medium sized companies, with most of their employees wearing multiple hats out of sheer necessity. This represents a particular problem in small companies handling large personal data loads of a sensitive nature.
Notwithstanding some litigation, the issue of sharing DPO/CISO responsibilities is not yet a clear-cut case.

A final point of discussion concerned a sectorial approach for resolving the needs of (smaller) companies. Code of conducts could be a solution, but significant obstacles remain as the inherent costs of the related ‘monitoring bodies’. An acceptable and less rigorous option would be the pursuit of guidelines.

Deel deze nuttige inhoud met vrienden:

Volg ons op sociale netwerken:

Andere blogposts

NIS-2: Where are you?

In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.  

SANS Experience Sharing Event

The Cyber Security Coalition and top cybersecurity trainer SANS Institute joined forces to provide specially needed insights and recommendations on successful cloud security, as well as how to handle cyber security in these times of war.

Privacy Focus Group – Practical AI Use Cases

It is easy to drown in the sea of dire warnings about the danger of AI, in particular to our privacy. The main point is that AI in good trust is possible, but requires solid, long term and well-structured approaches. This session of the Privacy focus group offers some crucial insights and welcome examples.

30 November: Computer Security Day: Ada Lovelace

On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.

Deel deze nuttige inhoud met vrienden:

Volg ons op sociale netwerken: