I’ve been at meetings where there is a clash between the information security officer and the data protection officer. For example, there was an argument about who should own the information security policy, as if the creation of the policy shouldn’t be a unified effort requiring much more than these two functions. The definitions of the roles and responsibilities of the data protection officer and the information security officer speak for themselves. In this article, I will set out, in a practical sense and from my experience, the varying and telling differences between these two functions.
First, let’s tease out the functions of a data protection officer. The DPO function stems from the spread of data protection regulations around the world, most prominently the GDPR, which makes the role mandatory for many organisations. Because the role was created by this regulation, its focus is on personal data and how it is managed within the business. The Article 29 Data Protection Working Party, in its guidelines on DPOs (WP243), sets out the role clearly: it states that the DPO is a cornerstone of accountability and that appointing one can facilitate compliance within any business.
The information security officer, on the other hand, focuses on preventing technical attacks on the various places where information is stored or passes through, and carries out activities such as vulnerability scanning to ensure that the organisation’s information meets the three pillars of information security: confidentiality, integrity and availability. This role covers all categories of information, not only personal data. The task here is to ensure information is secure throughout the business and that staff are sensitised to their duty to spot phishing and other social-engineering campaigns, malicious emails and other dodgy communications that can expose the company to attackers.
The DPO usually acts as an intermediary between relevant stakeholders (e.g., supervisory authorities, data subjects, and business units within an organisation). For example, a train company wanted to carry out what was described as an excessive intrusion into the privacy of data subjects. The DPO had to liaise with the supervisory authority about this new processing activity, present the risk and make the business justification as to why the processing was necessary. By seeking the input of the supervisory authority in advance (the prior consultation that the GDPR requires where a data protection impact assessment shows a high residual risk), the company’s DPO pre-empts later scrutiny or enforcement action from the supervisory authority. It must be stated, though, that compliance with data protection regulation remains the responsibility of the company (the controller or processor), not of the DPO; the DPO cannot be held personally responsible for non-compliance.
The CISO, however, can be held personally responsible for failures of information security within a business. Case in point: Uber’s former Chief Security Officer, Joe Sullivan, was convicted in 2022 of obstruction of justice and misprision of a felony for concealing the 2016 breach from the Federal Trade Commission while it was investigating the company. Note that the conviction was for the cover-up rather than for the breach itself, but it shines a light on the fact that CISOs can face personal liability when they fail to carry out their duties properly.
But the fact remains that the DPO role and the CISO function are different. It bears repeating that one focuses on the end-to-end management of personal data within the business, while the other pays attention to the security of all categories of information. For the company to thrive in a secure and technically sound way, these two functions must work together towards a single goal: protect and secure the company. It behoves the company to ensure that this collaboration works to the benefit of the organisation.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: firstname.lastname@example.org