Published on July 28, 2020

With the GDPR firmly in place and Brazil’s LGPD coming into effect on August 15, 2020, companies all over the globe are striving to hire the right people for the roles of data protection officer (DPO) and chief information security officer (CISO). It is important that the DPO and CISO work well with one another, and these two roles should be held by different employees.

In large enterprises, the CISO often reports to the chief security officer (CSO), who oversees both physical security as well as cybersecurity. In practice, these titles—CSO and CISO—are often used interchangeably. Nevertheless, by definition, the CISO is responsible for safeguarding company information without being intrusive to workers.

In regard to GDPR and LGPD issues, the CISO helps to decide what information is collected, how long that information is retained, and where it is stored. By law, businesses need legitimate reasons for collecting consumers’ personal data, and it’s partly up to the CISO to decide what, if any, data is collected.

Be cognizant of internal conflicts of interest

With some additional training, the CISO could theoretically function as a DPO; however, this is not advisable because DPOs shouldn’t have any conflicts of interest. Part of the DPO’s role involves auditing the CISO’s security posture, which obviously isn’t possible if the same person is fulfilling both roles. Companies have been fined for this in the past; in 2016, a German company was fined by the Bavarian Data Protection Authority after a regulatory agency found that the company’s IT manager was also the DPO, essentially auditing himself and creating a conflict of interest.

To avoid conflicts of interest, the DPO should report to the highest possible person in the organization, as opposed to someone in middle management. According to the GDPR, DPOs are allowed to have other roles within the company; that said, this is not advisable if holding multiple roles will create a conflict of interest.

Consider the privacy culture of your organization

Unlike the CISO role, which is essentially to keep the company as secure as possible without being intrusive, the DPO’s role can be quite intrusive. It is vital to have this role filled by someone who is ethical and approachable.

Although some people believe that DPOs should be hired from outside the organization, I believe that it makes sense to hire your DPO from inside. After all, privacy is different across various countries, regions, and companies; any employee who has worked at an organization for a long time will have a solid understanding of that company’s culture. And to be sure, any DPO worth his or her salt needs to understand the privacy culture of the organization.

As mandated by the GDPR, DPOs are required to conduct privacy awareness training for all of their company’s employees. Also, they must alert the authorities in the event of a security breach. That said, DPOs are not whistleblowers per se; they’re more like data guardians striving to prevent breaches from occurring in the first place.

Issue a statement of independence

It’s my contention that individuals who previously worked in managerial roles involving economic considerations may not have the requisite distance needed to be a DPO. Also, if your company files 10-Ks, your DPO should include a statement of independence or, at the very least, disclose any conflicts of interest. Obviously, a statement of independence looks better in the annual reports.

Additionally, it may make sense to create a data protection committee. If this committee believes that the DPO could be biased against someone in the organization, it’s prudent to employ an assistant DPO.

It’s important to have your DPO and CISO working in tandem

Despite the DPO’s auditing responsibilities, the DPO needs to work closely with the CISO. With the CISO and DPO actively working together to safeguard company data and customers’ personal data, you can keep your organization secure and compliant with data privacy laws.

Lastly, the DPO should also work closely with all upper management, including the CEO and general counsel. After all, it is vital that all department heads are on the lookout for any improper instances of consumer data collection, storage, and usage.

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.