Close collaboration between CISOs and DPOs can benefit both roles in their efforts to better understand, align with and protect the business.
Since the introduction of the European Union’s GDPR legislation, the role of the Data Protection Officer (DPO) has exploded within businesses in Europe and across the world. Within a couple of years, the role has gone from niche to commonplace. The International Association of Privacy Professionals (IAPP) estimates there are some 500,000 DPOs in Europe alone, most of whom report directly to the board. According to the IAPP-EY Governance Report 2019, around 72% of organizations from the EU and US have at least one DPO, and 18% reportedly have more than one.
While their roles overlap with the objectives of the CISO, they are not the same. CISOs should look to collaborate and work closely with DPOs for the benefit of both positions.
How DPOs and CISOs differ
While CISOs protect the organization and its data, DPOs are tasked first and foremost with protecting the interests of the data subjects. The EU has said there must be no conflict of interest between a person's duties as DPO and any other duties they hold. In the event of a breach, for example, the two loyalties might clash if there are breach notification duties the company would rather not fulfil.
“The functions of the CSO and the DPO have always been very separate,” Andreas Klug, chief privacy officer at QVC Ladbrokes Coral, said during the PrivSec conference in London. “It’s a different education. The DPO tends to be either a legal or compliance professional who is used to interpreting and applying laws in an organizational environment, whereas the CISO tends to be more versed in tech, usually has an IT background, and uses technology in order to keep the company and data safe.”
Author: Dan Swinhoe – CSO, Insider