Since the introduction of the European Union’s GDPR legislation the role of the Data Protection Officer (DPO) has exploded within businesses in Europe and across the world. Within a couple of years, the role has gone from niche to commonplace. The International Association of Privacy Professionals (IAPP) estimates some 500,000 DPOs are in Europe alone, most of whom report directly to the board. According to the IAPP-EY Governance Report 2019, around 72% of organizations from the EU and US have at least one DPO, and 18% reportedly have more than one.
While their roles overlap with the objectives of the CISO, they are not the same. CISOs should look to collaborate and work closely with DPOs for the benefit of both positions.
How DPOs and CISOs differ
While CISOs protect the organization and its data, DPOs are tasked first and foremost with protecting the interests of the data subjects. The GDPR allows a DPO to hold other duties only where those duties do not create a conflict of interest. In the event of a breach, for example, the two loyalties might clash if the company would rather not fulfil its breach notification duties, while the DPO is obliged to see them met.
“The functions of the CSO and the DPO have always been very separate,” Andreas Klug, chief privacy officer at QVC Ladbrokes Coral, said during the PrivSec conference in London. “It's a different education. The DPO tends to be either a legal or compliance professional who is used to interpreting and applying laws in an organizational environment, whereas the CISO tends to be more versed in tech, usually has an IT background, and uses technology in order to keep the company and data safe.”
“They all look after data, but they always sit in various parts of the business and are subject to different budgets to different reporting lines,” Klug continued. “If you have different people in different parts of an organization, a large organization in particular, then there are others who influence that relationship who very often have nothing to do with data protection and privacy, but purely corporate.”
Whether the privacy lead or not, the GDPR requires the DPO to have a reporting line to the highest levels of management. Even within organizations where the DPO is not the privacy leader, 20% of DPOs still report directly to the board. The IAPP study shows that reporting lines for DPOs are generally split between the general counsel (25%), CEO (23%), or chief compliance officer (22%), and rarely the CISO or CIO/CTO — although a single person holds the CISO and DPO roles in around 10% of organizations.
While it is becoming more common for CISOs to report directly to the board, it is still not the norm in the UK. According to surveys by CSO UK and its sister site CIO, 65% of UK CISOs or equivalent report to the CIO function, 2% to the CFO, and only 12% of CISOs are a peer to the CIO.
DPOs and CISOs tend to sit at roughly the same level on the corporate ladder. Privacy leads are peers of the CISO in 39% of organizations and junior to the CSO in 24%; the DPO is the senior position in only 9% of companies.
How CISOs should work with DPOs
According to Zscaler, 80% of GDPR-related data isn’t under the control of CISOs, so if they want to protect it from potential threats, it is in their best interest to work with the DPO, who is more likely to have a direct hand in helping protect that data. “It's actually the less technical parts where the CSOs fail most often,” Greg Van Der Gaast, head of information security at the University of Salford, said during the PrivSec talk. DPOs tend to be better at relationship building and have more visibility into the organization. “Who's doing what with what? What do I need to protect? That's something that's more easily recognizable by a DPO,” he said.
Katia Zavershinskaya, DPO at Arsenal Football Club, agreed with Van Der Gaast and added that the preparation in the run-up to GDPR gave DPOs knowledge they can share with CISOs, and a visibility in the business that both roles can use. That prep includes doing initial audits and speaking to the teams about what data they store and where. “The collaboration between security and a DPO is really important because the DPO is more likely to know the business side and the data held by different teams and departments within the business,” she said. “Visibility is really important; the business knows who you are, and in case of a data breach [DPOs] know where to go.”
Just as DPOs can help CISOs spread the message of security into the business, CISOs can help DPOs understand what protecting data involves beyond good privacy practices: which technical controls matter, how to tell whether they are working, and what weak practice looks like. Given that many DPOs come from a legal or privacy background, that education is something only the security function can provide.
“It would behoove the DPO to get an understanding of whether the information security is performing well enough,” Van Der Gaast said. “You need to have that overlap and awareness to really engage things. You need to know at least enough about the subject matter to say, 'Hey, this doesn't feel quite right to me. Can you come and have a look?'”
By aligning, privacy and security can form a united front that is better placed to drive change in the business, TomTom’s DPO Cassandra Moons tells CSO: both are key stakeholders in any project that involves data, and both need to agree on how operations and governance are handled. “As privacy and security, we need to listen and understand first how our business stakeholders have organized their daily work and how they operate before we can make a real impact by providing clear pragmatic guidance that satisfies regulations,” Moons says. “One of the most important objectives is to make sure everyone within the company understands the need for privacy and security so people feel responsible when dealing with data as part of their daily job life. In the end, it’s all about shared responsibilities from everyone in the company as data is everywhere around us.”
“Getting buy-in starts with a good story that sticks with your audience. Inspire people by explaining very simply what privacy and security is all about and why it should matter to them and the company as a whole. People need to see the real value of privacy and security first before they genuinely believe in it,” Moons adds.
Context matters with CISO-DPO relations
Privacy and security need to work hand in hand to develop and maintain a fruitful relationship, says Moons, but there’s no ‘one size fits all’ answer to describe the ideal process between DPO and CISO or how security and privacy should work together. “Close alignment between privacy and security teams is needed to effectively protect data and remain compliant, but the right approach depends on the type of business, the amount and type of data that is being processed, and the context of a specific business case.”
At TomTom, for example, privacy falls within the legal department. Moons says the privacy team meets frequently with the security team about ongoing matters and strategy. They collaborate on initiatives such as launching new products, data management, and development projects for automotive clients.
While they should work closely together, both roles must recognize when to work separately. For example, when it comes to employee training and awareness, privacy training covers much more than just security, while security covers more than privacy. “Privacy also deals with the concept of defining personal data, the privacy rights people have and privacy transparency,” says Moons. “Security training also covers behavior that doesn’t necessarily impact personal data such as recognizing phishing mails and protecting confidential business information. At TomTom we believe that compliance and the cybersecurity practice aren’t mutually exclusive and should form the basis of all internal education programs.”
At PrivSec, Arsenal’s Zavershinskaya said close understanding and collaboration are critical when it comes to the provisioning and deployment of new systems, so that security and privacy are both covered from the outset. “It's really important to bring security on board. [More] often than not as DPO I don't know the security requirements, and vice-versa, so there needs to be enough understanding and enough knowledge of each area to know at what point you engage with the CISO and at what point you engage the DPO.”
In the same vein, CISOs and DPOs should work together during a data breach or similar incident, yet each should be willing to take or cede the lead depending on the context. “When an incident happens, everyone wants to jump on the bandwagon to try and drive it forward, so it's really important early on to determine who is driving it,” said Zavershinskaya. “We'd look at having an internal assessment including the DPO, CISO, IT and legal to determine what the breach is, who was driving the breach, who's responsible for the breach, who's accountable for the breach, who needs to be consulted, and who's impacted.”
“In my experience as a data protection officer, I would get involved in data breaches that affect data subjects, but they don't always affect data subjects. If it's a breach that affects data subjects, the DPO could be in position to drive it and work with IT, work with security to understand the breach.”
Zavershinskaya added that because notification of data subjects falls under the remit of the DPO, collaboration with the CISO is important so the DPO knows who to inform and what information to share with them. In the aftermath, the DPO should work with the CISO to determine where there might have been failures of process, whether other areas of the business could be affected, and what training needs to follow.