The DPO and the CISO: what is the difference between the two positions?


To ensure privacy within your organization, certain roles should be defined within your organization that will deal with this issue. This includes the CISO (Chief Information Security Officer) and the DPO (Data Protection Officer). What do they do and what is the difference between these two functions? We explain it in this blog.


What is a DPO

The Data Protection Officer (DPO) is the person who oversees an organization’s application of and compliance with the GDPR. Within the organization for which the DPO acts, he will ensure that the personal data of staff, customers, suppliers or other individuals (also known as data subjects) are processed in accordance with applicable data protection rules. In doing so, the DPO also serves as the first point of contact for the Data Protection Authority.

The DPO is an integral part of the organization, which makes the DPO ideally suited to ensure compliance. Nevertheless, the DPO must be able to perform the duties of the role independently.

What is a CISO

The Chief Information Security Officer (CISO) plays a crucial role in managing all business processes related to information security. The CISO will be responsible for implementing the information security policy and monitoring it. The CISO actively works with the board and the internal organization.

The person holding this position must have knowledge and experience in information security, risk analysis and specialized security techniques, as well as knowledge of relevant laws and regulations.

The CISO as a technology leader understands how various aspects of security relate to the IT systems, devices and networks on which the company operates and relies.

A CISO applies his unique perspective to identify security risks and recommend strategies to manage them. The CISO can also address complex security issues and describe them in non-technical language so that leaders and other stakeholders can understand the potential consequences of these issues.

What is the difference between a DPO & CISO?

A first major difference between the two functions is the way risks are looked at. The CISO will always look at existing and future risks from a financial and operational perspective, while the DPO will look at the same risks from a more consumer-oriented perspective.

The role of CISO is to manage a company’s multiple vendors under strict GDPR regulations. This can be challenging because in just about every business there are suppliers and customers and some of these customers may also be suppliers. In these cases, the CISO will need to make sure he has all the contracts that cover all these interactions. Therefore, it is very important to check and make sure that the company’s vendors provide the same level of security and data protection as the company itself.

The DPO is not going to look at the risks that may occur to the company, but rather at the risks and loss of personally identifiable information that may occur to the individual involved.

In addition, a number of organizations are required to appoint a DPO. For the CISO, the appointment is never required by law. The appointment of a CISO is an organization’s free choice to implement information security policies.

Are the two functions compatible?

It is quite clear that there is a connection between the two functions and an overlap between the duties and responsibilities of both. Now does this mean that you can appoint the same person as DPO and CISO within your company? No, such practices are even prohibited.

The major difference between the two positions, and the reason the same person within the same company may not hold both positions, is that the CISO should focus on the security of all valuable information in the organization while the DPO should monitor compliance with privacy regulations and support companies to ensure an appropriate level of security for the personal data of data subjects.

Thus, one works in the interest of the company, while the other works in the interest of stakeholders.

This also means that the CISO can never be ultimately responsible for privacy compliance. That responsibility falls to the management of an organization. Management may seek the assistance of a DPO for this purpose, but this DPO must always safeguard their independence. Given this independent position, the DPO need never be accountable to a company’s management, whereas the CISO is required to be.


Given that it is sometimes challenging to manage dual roles simultaneously, we at DPO associates understand these complex issues and our specialists can provide these services directly to your company depending on your business requirements and needs.

Contact us today to appoint your CISO or DPO.

