Key Things CISOs Should Know About Data Privacy

Executive Blog
Written by Yunique Demann, Senior Director, Privacy Strategic Lead, NTT Data

MAY 23, 2023

For CISOs across Evanta communities, the number one enterprise priority is reducing risk to the organization. Within that function, data governance is among their top priorities for 2023. A recurring question is whether or not the CISO can also act as the Data Protection Officer.

In this Executive Blog, Yunique Demann, Senior Director, Privacy Strategic Lead at NTT Data, and Governing Body Member of the Houston CISO Community, shares insight into the function of data protection as it relates to security and the CISO’s functional areas.

The primary role of a Chief Information Security Officer (CISO) is to manage the security of organizational information assets. An asset could be something tangible, such as its hardware or information systems, or intangible, such as its personal data, information or intellectual property. The CISO develops a strategic plan that aligns with the business strategy that addresses how to maintain the security of the organization’s assets by implementing technical and organizational controls that protect and manage enterprise risk.

How Does the Data Protection Officer Fit into the Organization?

The role of a Data Protection Officer (DPO) is to advise on the correct processing and handling of personal data and to provide guidance to the organization on how to do that in accordance with international and local privacy laws. In some countries, the role of the DPO is mandated by law, and its roles and responsibilities are specified (GDPR, Art. 38 and Art. 39).

Although the role of the DPO is not mandatory for all organizations, it is highly recommended that the roles and responsibilities attributed to a DPO are assigned to someone who can perform them independently. As mentioned, this can be a DPO, a Chief Privacy Officer (CPO), or someone who is strategically responsible for privacy but does not hold the title of DPO or CPO.

“A DPO must be independent in their decision making on privacy compliance.”

A DPO advises the data controller on privacy compliance and should not take direction from a comparable designation. A DPO must be independent in their decision making on privacy compliance and should be the authoritative source on data privacy issues. In most organizations, if this role is not assigned to a DPO, it falls to someone in legal, compliance or, sometimes, information security.

Where a DPO is not appointed but the role is required, a fine of 10 million euros or 2% of annual global revenue, whichever is higher, can be imposed. Art. 37 GDPR says a DPO is required when:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

Can the CISO Play This Role in Data Protection?

With organizations being tasked to do more with less, having a CISO perform in this dual role addresses a gap but does raise a conflict of interest. The role of the DPO must be independent, reporting to the highest level of management, ideally the board of directors. This supports the authoritative nature of the DPO role, which is to be the link between the supervisory authority, the organization and data subjects. The DPO acts as an extension of the Data Protection Authority (DPA), advising data controllers on privacy compliance and also serving as the primary contact for communicating with the DPA.

The CISO role is not a statutory designation and usually reports into the C-Suite, advising executive leadership on enterprise risks. Typically, this role is not considered an independent authority.

The CISO and the DPO have a common interest in protecting personal data. The convergence of these two roles creates opportunities for collaboration and for understanding how each leader complements the other in achieving their objectives.

As a CISO, where a DPO exists within your organization you have an ally in protecting personal data. If no DPO exists and you have been assigned DPO responsibilities, it is important that, when acting in the capacity of a CISO, you are not overriding privacy compliance with security tasks. Performing checks and balances as a DPO on technical and organizational security controls may produce an outcome that contradicts your responsibility as a CISO for protecting data. This is another example of where the two functions can negatively intersect.

If you find that this conflict arises repeatedly, it is your responsibility to inform executive leadership and transfer the DPO responsibilities to a person who can be independent.

Many organizations that are not mandated to have a DPO in place may choose to assign a CISO, Chief Risk Officer (CRO) or legal to perform DPO tasks and responsibilities. Assignment of a DPO is purely voluntary in this capacity but highly recommended. However, although there is no legislation driving the tasks assigned to a DPO, it is still important to have a clear division of roles for the purpose of checks and balances, rather than having them performed by the same individual.

“The DPO should not take direction from the CISO in order to remain independent in managing privacy compliance.”

To summarize, can a CISO be a DPO? Privacy and security must work collaboratively, but should not report to the same person. The DPO must not take direction from the CISO and must remain independent in managing privacy compliance. These two requirements make it challenging for a CISO to truly perform in the capacity of a DPO.

If, however, the DPO role is voluntary, it is possible for a CISO to take on the responsibility for data protection by implementing the technical and organizational controls for protecting personal data. For strategic privacy tasks, though, the CISO should take direction from a separate function, such as legal, in essence dividing the DPO responsibilities into operational (data protection) and advisory. If the role of a DPO is mandated by law, it will be very difficult to have these two functions performed by one person.

To engage in conversations with your security peers on data privacy and other topics, join your local CISO community, and connect with like-minded executives on mission critical issues at one of our upcoming CISO summits or programs.