The General Data Protection Regulation (GDPR) is a European Union regulation that was instituted on May 25th, 2018 to rule on how companies and entities should address and ensure personal data protection.
More specifically, the GDPR is a set of guidelines on how companies must manage their IT landscapes, staff, partners and operational processes in order to assure the security, confidentiality, privacy and accuracy of any data they hold that may (by itself or when cross-referenced with other data) unambiguously identify a data subject (i.e. person).
On Personal Data
Let’s make a pit stop here to further clarify what “personal data” means under GDPR, because the concept is more comprehensive and encompassing than personal individual information (PII) as defined under the Privacy Shield:
- Your car license plate is personal data under GDPR. Why? Because there are accessible repositories where other data, when cross-referenced with your car license plate, could be used to unequivocally identify you.
- Your mobile phone device ID is also personal data under GDPR Why? Because over mobile networks’ registries, that device ID will have an associated IP address (static or dynamic) which in turn is linked to your name, address, bank account number, etc. in your telecom operator’s digital data repository.
- Your photograph could enable a third party to univocally identify you even without any cross-referencing, hence also personal data.
So, it is no longer just your SSN, bank account number or name and address; it is everything and anything that can identify you.
Companies and entities that are established in the European Union must observe GDPR towards any data subject from any geography, whereas companies established outside of the European Union must observe GDPR towards European Union residents, regardless of their nationality.
The Data Protection Officer (DPO)
The GDPR also defines the obligation of companies/entities to nominate a Data Protection Officer (DPO) if they plan to conduct personal data treatment activities (collection, storing, processing or sharing) over sensitive personal data (data that if exposed to non-authorized third parties represents a severe risk towards the data subject) or extensive volumes of personal data of many data subjects.
The DPO role is referred to under the entire GDPR text and specifically described under its Section 4 - articles 37, 38, and 39 detailing:
- HOW the DPO should be designated by the company/entity
- WHAT shall be the position within the corporate structure
- WHICH specific tasks must a DPO assure and be responsible for
In fact, the DPO role is like the role of a CISO, being a pivotal point for corporate compliance towards GDPR and in some cases a legal requirement.
GDPR specifically states that the person who performs the role of DPO may have other responsibilities within the company. However, these may not constitute a conflict of interest towards ensuring that GDPR is observed.
One significant difference in comparison to the CISO’s role is that the DPO should exclusively report to the highest hierarchical position in the organization and never to middle or senior management, for it may imply a conflict of interest.
Why would there be a conflict of interest between Data Protection and the CISO?
To understand whether a CISO may assume the role of DPO in the same company, we must understand the tasks and duties of both profiles and assess if there are conflicts of interest that may jeopardize the required assurance of Personal Data Protection.
Both roles seem similar and complementary, which suggests that the CISO may, with some additional training and education, assume the DPO role.
Now, can it be done then?
To avoid conflict of interest, the GDPR rules that the DPO must directly report to the company’s Board of Management or COO/CEO and not to any middle or senior management positions.
Traditionally, the CISO will report to the CIO, who then reports to the CFO (another interested party within the organization).
This constitutes a clear conflict of interest.
Ok, so let’s move the CISO to a hierarchical position where he/she reports directly to the Board or the CEO/COO.
Not a great idea.
Such a move would create internal problems because it would empower the CISO to decide which investments are required and tackle any digital security issues that exist or may arise -- and the money would come out of the IT and Finance budgets.
However, the main conflict of interest derives from the CISO’s specific operational role.
As we have assessed, the CISO bears the responsibility for defining the overall corporate Digital Security Policy and aims mainly to safeguard the company. However, being the DPO means he/she would also be auditing such corporate guidelines to ensure compliance towards GDPR and soon the ePrivacy Regulation intended to ensure data subjects’ personal data protection. Most of the time, these goals represent conflicting interests.
To clarify, the CISO defines the technical actions to be taken in order to ensure the security of corporate IT assets and data, and these may be contradictory towards personal data security, privacy and confidentiality assurance.
In fact, the DPO would be actively auditing the advice, decisions and policies of the CISO, as well as all other departments.
There have already been several cases in which supervisory authorities have penalized companies for this kind of activity. For example, the Bavarian Data Protection Authority penalized a company for having its IT manager acting as DPO because it was found to represent a conflict of interest. The Authority determined that the IT manager was essentially monitoring himself, hence negating mandatory independence, while acting as the company DPO.
So, bottom line, the CISO should act as a support role to the DPO, as should the CIO, the legal department, and each department’s manager, but the CISO cannot simultaneously perform his/her role and serve as DPO.
Guy Leibovitz is the CEO and founder, Cognigo