DPOs and CISOs: what are the synergies?


Two professions that don’t exist without each other.

Two key professions in the administration of organizations have emerged in recent years: the Chief Information Security Officer (CISO) – due to the growing pressure from cyber-attacks – and the Data Protection Officer (DPO) because of the legal obligation to protect personal data. Two different, but complementary and closely intertwined responsibilities.

The DPO’s and CISO’s missions

Data protection is one of the DPO’s regulatory duties. The duty arrived in 2018 with the General Data Protection Regulation (GDPR).

The position of DPO is therefore governed by legal obligations under Articles 37, 38 and 39 of the GDPR, in particular those of listing and tracking the personal data held by the organization.

Appointment is strongly recommended but is neither systematic nor compulsory (barring a few exceptions): in very small companies, sometimes it’s the director who has this role. In other cases, the position is outsourced.

A well-known role

This position is listed publicly: all users need to know who to contact to exercise their rights regarding personal data.

Although not regulated, the CISO position is essential: everyone is aware that a company’s IT systems are going to be hacked; the only question is when.

For CISOs, it is crucial to protect the system and its data, including personal data: surname, first name, contacts, tracking of external exchanges (with customers, suppliers, partners) as well as internal exchanges (with employees, corporate officers …).

Global data protection and personal data protection are therefore closely intertwined. The CISO’s scope of action is broader than that of a DPO, but the DPO has more comprehensive regulatory obligations, which are strictly defined by law.

A few figures

94% of DPOs say they work with the CISO or the technical team, and 75% of CISOs say they work with their company DPOs.

DPO and CISO: six areas of collaboration

1.   Creating the ISS processing register and keeping it up to date

The notion of mapping systems and processes (i.e. all uses of data and all people who handle data) is the baseline of an effective security policy. It must be kept up to date in the same way as the list of software licenses, for example.

It’s the CISO’s main mission and is also used by DPOs to draw up their data processing registers. They must check that the processing is lawful: data processing must be justified by normal professional use, limited in time, and comply with good practice. They also monitor day-to-day access and handling authorizations assigned to specific departments or employees.

CISOs will also activate access and authentication processes, as well as any security systems they select – in particular data encryption.

2.   Documenting the security measures for every process

Every change to processing and to the people entitled to know about it must be recorded.

The register also specifies the planned safety enhancement measures, even those that aren’t operational yet.

The CISOs’ mission is to technically optimize the security measures they have chosen to deploy. In that respect, they have a permanent watch role.

3.   Conducting an impact assessment of data security risks

The impact assessment is one of the key initial phases in the personal data protection approach. It participates in assessing the lawfulness of processes (their legal justification), especially by ruling out all unnecessary or excessively intrusive handling.

The DPO gives it priority once the mapping of the systems and processes has been finalized. The CISO completes it by assessing the risks (of leaks, alteration, loss, etc.).

4.   Creating the register of incidents or data breaches

CISOs take special care to detect attempted attacks on their systems, to manage them as quickly as possible, and then analyze and document them.

DPOs’ responsibility goes one step further: Article 33-1 of the GDPR requires them to notify the competent supervisory authority of all personal data breaches within 72 hours of becoming aware of them.

Failure to do so can be an aggravating factor for the administrative penalties on the company, which can be up to 2% of annual sales.

5.   Making sure “privacy by design” and “privacy by default” rules are applied in projects

Ideally, the notion of security must be included from the design stage.

This is a key role for CISOs: security built into the system architecture is more effective and less time-consuming than applying multiple patches after the fact.

Users shouldn’t have to activate a security system: wherever possible, it should be installed and activated by default – such as a “transparent” encryption system.

DPOs will benefit from this measure, since their personal data users will also benefit from native protection without even realizing it.

6.   Managing, supervising and controlling risks

DPOs and CISOs are both involved in the monitoring and managing of the risks associated with implementing the data protection policy.

All data handling must be subject to prior surveillance, or even supervision, regardless of whether transfers, outsourcing, or third party access are involved.

It remains the responsibility of DPOs to check the compliance of subcontractors and service providers with the GDPR (accounting and auditing firms, recruitment firms, banks, …). A contract with these third parties must be drawn up (or amended) and mention the security of the data used by each one depending on its access to personal data from the customer. It is advisable to insert liability and/or penalty clauses if the level of security is not optimal.

The missions of DPOs and CISOs are complementary and mutually beneficial. They aren’t, however, interchangeable: the CISO’s scope of action is broader and more technical, while the DPO’s is focused on personal data, and is subject to legal obligations and responsibilities.