
To safeguard privacy within your organization, specific roles are defined and tasked with handling privacy-related matters. These roles include the CISO (Chief Information Security Officer) and the DPO (Data Protection Officer). In this blog post, we explain their responsibilities and the differences between these two functions.
CISO
The Chief Information Security Officer (CISO) is responsible for an organization’s information security and serves as the primary point of contact for this subject. The CISO supports management with up-to-date knowledge on information security and ensures that the organization complies with legal obligations and maintains information security standards. Key tasks of the CISO include translating information security and privacy policies into objectives, responsibilities, and evaluation points. A CISO also ensures awareness among colleagues regarding information security and privacy and coordinates the planning and control cycle of all information security systems.
Data Protection Officer (DPO)
The Data Protection Officer (DPO) is an internal supervisor for the processing of personal data within an organization. Appointing a DPO may be legally required under certain conditions. A DPO is mandatory if the organization is a public authority, engages in large-scale processing of personal data, processes special categories of personal data (such as health data, religious or political beliefs, etc.), or processes criminal records.
The DPO supervises the application of and compliance with privacy legislation (GDPR). It is crucial that a DPO maintains an independent position within the organization and does not report to management (this independence also applies if the DPO is appointed voluntarily rather than as a result of a legal obligation). The DPO is an expert who follows privacy legislation, guidelines from the European Data Protection Board, and the national data protection authority to understand and advise on the current interpretation of these regulations. A DPO does not always have to be directly employed by an organization; for example, it could be a representative of an external processor acting as an independent DPO for their client.
The responsibilities of the DPO include creating privacy awareness within the organization and being actively involved in how the organization processes personal data. The DPO is also the primary contact person for the Data Protection Authority.
Differences between a CISO and DPO
Although the descriptions of the CISO and DPO roles show similarities and some overlap in tasks and responsibilities, they cannot be combined and must be performed by separate individuals. Combining them would conflict with the GDPR, and organizations have been fined for this violation. The CISO focuses on (the implementation of) securing all valuable information within the organization, while the DPO oversees compliance with privacy legislation, including an appropriate level of security for personal data.
The CISO is not ultimately responsible for compliance with privacy legislation; that responsibility lies with the organization’s management, to whom the CISO reports. The DPO must maintain their independent position and therefore does not have to report to anyone.
An essential difference is that information security (and the CISO) focuses on business risks, while privacy (and the DPO) focuses on the risks to the personal lives of individuals who may be affected by the organization’s actions. This difference in perspective can lead to conflicting interests, which is another reason why the roles of the CISO and the DPO cannot be combined—the DPO would lose their objectivity. Proper alignment and cooperation between the CISO and DPO will strengthen both areas and address all risks.
For some organizations, appointing a Data Protection Officer is mandatory, whereas the CISO position is not legally required. The CISO role is an organizational decision to execute the information security policy. The CISO works with management and the internal organization, where the “C” in CISO indicates C-level responsibility in the organization. Larger organizations may also have an ISO (Information Security Officer) who operates at a more operational, middle-management level of the organization.
Overview of GDPR compliance obligations
If you are responsible for privacy compliance within your organization, it is useful to have a clear understanding of what you must comply with. Our privacy experts have created a handy overview of the regulations you need to be aware of, so you can quickly get started with the rules that apply to you.
