Should a CSO/CISO Ever Be a DPO?

I finally figured out why this blog was so damned difficult [for me] to write; I’ve been thinking all wrong about what exactly a DPO actually is. Which is odd, because I had the exact same challenge when writing about CSO/CISOs, and I really should have learned from my mistake.

When you think about a CISO (assume this also means CSO), or a DPO, you instantly picture a person. Maybe your organisation already has one so their face springs to mind, or if not, you have an indistinct and faceless image of someone in a suit. The fact is, neither the CISO nor the DPO is a person; they are functions. Multiple functions, in fact.

And not only that, they involve multiple disciplines, skill-sets, even personal preferences. Most importantly, neither the CISO nor the DPO functions [performed correctly] are ever a single person. A DPO would, quite literally, have to be an expert in privacy law (both EU and national), contracts, risk management, policy development, distribution and audit, and understand all personal data flows throughout the business.

You therefore need to break the function down before you can move forward. For example; I broke the CISO function down into 3 distinct skill-sets/phases:

  1. The Planner: The p-CISO comes in at the beginning of an engagement, before an organisation even knows what it actually needs. Their job is to design a security program that does the only thing it’s supposed to; support / enable the company’s business goals;
  2. The Executor: e-CISOs get things done. They take the hand-off from the p-CISO and put the agreed plan into action; and
  3. The Optimiser: o-CISOs are in it for the long-haul. These are the folks that take the still raw security program, and make sure it gets fully instilled in the company culture and business-as-usual processes.

I have never, I mean NEVER, met any one person who is fully competent at, or even wants to perform, all of these things. For example, I thrive as a planner, would fail miserably at execution, and could not be less suited to optimising. In fact, phases 1 and 2 are likely short to mid-term specialist external consultants, and only phase 3 is a full-time employee or ‘indefinitely outsourced’ service.

The DPO will be no different, but first you have to address exactly what they are required to do (per Article 39):

  1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions – so any incumbent not only has to have significant knowledge of their organisation’s business processes, but they have to have sufficient understanding of both the GDPR and the national laws of any member state under his/her remit;
  2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits – so the incumbent not only has potentially significant additional tasking in staying up to speed with relevant EU and national law(s), but they have to be able to translate that into appropriate policy, training material, and audit procedures;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35 – so the incumbent has to be able to balance the risk to data subject rights against the value of the processing to the business, and justify any decision to proceed to a supervisory authority. Or any decision NOT to proceed to their CEO/Board!;
  4. to cooperate with the supervisory authority – the incumbent must sound credible, they must at least be able to talk-the-talk; and
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter – again, the incumbent had better know his/her stuff. If the supervisory authority thinks the DPO is nothing but an empty suit, this will reflect very poorly on the organisation concerned.

Now ask yourself: does any one person in your organisation have what it takes to manage the above? I think it unlikely.

So that should leave you breaking the development of the DPO role into a 3-phase process, similar to the CISO’s above. It would look something like this:

  1. The SME: The sme-DPO comes in at the beginning of an engagement to design the data protection compliance program. S/he has enough knowledge (and access to other more task-specific SMEs) to ensure that the program has the requisite leadership commitment, that all personal data will be discovered and mapped to business processes, that all policy and contract language will be in place, and so on;
  2. The Program Manager: the pm-DPO should also be very knowledgeable in data protection, but their role is to take the sme-DPO’s plan and run all work streams to their appropriate conclusions. To all intents and purposes, this organisation is now compliant. They can produce their GDPR Article 30 records of processing, they can answer any data subject access request, their breach notification is documented and tested, their 3rd party and vendor contract addendums / DPAs are in place, and so on; and
  3. The Maintenance DPO: m-DPOs are now the ‘named face’ of data protection in an organisation, but like a governance function, it’s more of an organisational role. They are responsible for combining the right departmental expertise and external SME guidance into a coherent and sustainable program.

If you assume that the CISO will only be one of many SMEs in phases 1 and 2, what makes them the right person to handle phase 3? Actually, if the CISO has been hired correctly, there is quite a lot in their favour. They:

  1. should already have a dotted line to, and direct access to, the Board – both of which are prerequisites for a DPO, just as they are for internal audit;
  2. should already have a seat at whatever passes for Corporate Governance – where the responsibility for data protection and data security rightly sits;
  3. will, as an intrinsic part of their job, have an almost unparalleled understanding of where the personal data is, and what’s done with it;
  4. will, again as an intrinsic part of their job, have an almost unparalleled understanding of who does what in an organisation;
  5. should certainly be able to handle all aspects of “technical and operational security measures”, should a supervisory authority ever ask;
  6. should already be very familiar with the development, distribution, and ongoing maintenance of a training program;
  7. must understand the absolute necessity for, and the enforcement of, good policies, standards and procedures; and
  8. must understand the maintenance of a compliance program from an internal policy, and an external regulatory, perspective.

And the list goes on. In fact, the only real questions to ask are:

  1. Does the CSO/CISO have the necessary and business-appropriate “expert knowledge of data protection law and practices” (Article 37(5)) to do the job?; and
  2. Do they want it?

For the longest time my gut feeling was that the m-DPO should be more of a legal function (which it is), but in-house legal expertise is actually rarer than in-house security expertise. So now, in the absence of legal, I find myself unopposed to security filling the m-DPO seat, but only if both the candidate, and the position itself, meet ALL of the above criteria.

About the only thing I would warn against is putting any stock in “certified DPO” courses; they are about as useless and inappropriate as “certified CISO” courses. You don’t learn these things from a course, you learn them from doing the bloody JOB.

And finally, would I ever recommend a ‘virtual-DPO’ or other ‘indefinitely outsourced’ service to handle the m-DPO function? That depends, can they meet all of the above criteria without a seat at the governance table? For a small monthly retainer? Over the phone?

Dunno, your call, but now you know the right questions to ask.

[Ed. I wanted to thank a ‘colleague from Kosovo’ for prompting this blog :)]

4 thoughts on “Should a CSO/CISO Ever Be a DPO?”

  1. Hi David

    As ever a very well constructed and rounded post, to which I was nodding all the way through.

    You nailed it, as it is always a blended role of experiences, and why I quite like the word ‘function’ .. DPF – Data Protection Function, as it indicates a quora approach to the requirements and obligations which the DPO heads up .. or you could call it the DPO’s DPO (Data Protection Office!)

    Keep it up !
    Dave

  2. Hi David,

    Well in my perspective the WP29 guidance on the topic is pretty clear.

    According to WP243 and art. 38(6) of the GDPR, a DPO must be able to fulfil his/her obligations and “any such tasks and duties do not result in a conflict of interests”.

    Thereby entailing that a DPO can’t be part of existing management or governance execution?

    The Wp243 further states: “As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.”

    In my perspective at least this also includes a CISO – but then again we might not know until the first case is upon us.

    I do agree with the blended-role theory; however, the topic of actually having your company CISO doing multiple jobs by also serving as a DPO is – in my opinion – in contradiction with the GDPR. He can’t sufficiently monitor and assess his own work and change his “hats” whenever suitable – this would not appear trustworthy, at least.

    anyway! thx for a very interesting and informative blog.

  3. You totally missed the critical point: conflict of interest between the arsonist-CISO-Breach-Screw-up, and the DPO-Fireman-PrivacyProtector.

    You also missed the point about DPO certification through 1-year university syllabus, not just the USA-Cashcow-2-Day-Rubbish “training” of these Jack-of-all-trade smooth operators.

    If I were an EU regulator, I would send out request letters to all US DPOs (it is mandatory to give regulators the contact info of your DPO when you must have one) and ask each one to justify his competence per article 39.

    I am a DPO registered with the French CNIL, and a French licensed attorney who practiced data privacy under the 1995 Directive for over 20 years. I have met a lot of competent and privacy-passionate DPOs all over Europe, but so far not one in California, where I am also registered with the bar as a Foreign Legal Consultant, with extensive experience with clients both in the Bay Area and Silicon Beach.

    There have been almost no DPO job positions on the main US job boards over the last 3 years. US companies entirely rely on US law firms who USE the GDPR as a marketing tool for ever more billable hours, while practicing EU law without thorough knowledge and EU master’s degrees in privacy (in fact no degrees at all). They learn EU privacy from blogs and articles like David’s, and go on to advise Big Data clients like Facebook, Uber, Yahoo, Microsoft, Tinder, etc., who keep getting nailed by the EU DPAs with fines they seem not to care about.

    Not to mention Grindr, who got caught with their pants down sharing AIDS personal data with third parties in Spring 2018, without any DPO in place and no DPIA in place.

    David, I appreciated your article, which was well documented but a bit too scholarly, and lacked a practical approach that certainly would have been interesting, given your experience and pointed observations.
