6 areas of CISO work that speed up GDPR compliance
The CISO did not wait for the GDPR to come into force to work on the security of your company's data. In this article we present the 6 areas of work the DPO can capitalize on for GDPR compliance.

While legal knowledge is essential for any DPO, IT project management knowledge is also important. This knowledge enables the DPO, for example, to integrate Privacy by Design, or to identify weaknesses and the appropriate security measures.
Good news: the CISO did not wait for the GDPR to come into force to define technical and organizational security measures.
Among the projects that have almost certainly already been carried out by the CISO, we can mention:
- Management of logical or physical accesses to the information system
- The mapping of IS assets (applications, data, etc.)
- Managing and reporting security incidents
- Conducting risk analysis and defining security needs within IT projects
- Raising awareness and training employees on security issues
- A process for auditing and controlling the correct application of the institution's PSSI
In this article, we will illustrate to what extent this work contributes to GDPR compliance projects and how the DPO can use it to accelerate their organization's compliance with the GDPR.
The work of the CISO to accelerate the construction of the register of processing activities
The GDPR requires companies to record in the register of processing activities a set of information about the personal data they handle, in particular:
- The type of personal data and their level of sensitivity;
- How they were obtained;
- How they are stored;
- Their recipients;
However, as part of the formalization of the PSSI (Information System Security Policy) or the SDSI (Information System Master Plan), mapping work on the information system has generally already been carried out by the CISO and the IT department (DSI).
- Functional maps will allow the DPO to quickly get to grips with the company's activities.
- Maps of IS assets will allow the DPO to identify the applications, the business objects of the IS, the owners of these assets and their users.
These two tools will therefore be major assets in helping the DPO formalize the register of processing activities.
Be careful, however: the CISO's knowledge alone is not sufficient to build the register. To finalize it, organizations must also identify the legal bases that allow them to collect, store, process or otherwise handle this data. It is the expertise and skills of the DPO that make it possible to validate the lawfulness of the processing operations and of the information collected.
Thus, the mapping work of the CISO and the IT department will clearly accelerate the construction of the register of processing activities, but it will not be enough to finalize it. In all cases, a dialogue with the business departments must take place.
The work of the CISO to facilitate the formalization of a Personal Data Protection Policy
In our previous article, we mentioned that the DPO, among its missions, must define and ensure the implementation of technical and organizational measures to guarantee the security of personal data. This most often results in the formalization of a Personal Data Protection Policy.
However, within the PSSI, there is a chapter on asset security, which addresses:
- the process for identifying assets and the entity responsible for them;
- the process for classifying sensitive information assets;
- the security rules to be applied according to their sensitivity.
Personal data is an asset like any other. The DPO will therefore be able to benefit from the work of the CISO and the security rules defined in the PSSI.
It is often the case that the rules set out in the PSSI are sufficient and no additional work is required.
The work of the CISO to organize the DPIAs (Data Protection Impact Assessments)
The other advantage of formalizing security measures within the PSSI comes into play when formalizing Data Protection Impact Assessments (DPIAs).
In fact, when carrying out a DPIA, the DPO, with the help of the CISO, must identify the existing measures that protect against the feared events, i.e. for personal data:
- loss of integrity;
- loss of confidentiality;
- loss of availability.
They must then assess the likelihood of a threat in view of the security measures put in place.
Thus, the PSSI gives the DPO a global view of the security measures and avoids the "hunting for information" that slows down or complicates risk analyses.
That's not all: it is possible that the CISO, through security controls and audits, has already distinguished between the measures that are actually operational and those that are not. The DPIA derived from the PSSI will therefore be even closer to reality, and therefore more relevant.
The work of the CISO to promote the integration of Privacy by Design
Article 25 of the GDPR introduces the concept of Privacy by Design. Here again, the actions of the CISO will make it possible to meet these obligations.
The PSSI contains a section on "securing developments" which is precisely designed to cover this point. The first rule it sets out is to "recognize security as an essential function, and take it into account when designing projects."
This chapter contains rules for expressing and evaluating security needs according to the criteria of availability, integrity, confidentiality and traceability. It sets out the rules that apply to data storage management, to application development (user interfaces, client/server exchanges), to the validation of developments, to log retention, etc.
This chapter should be supplemented with additional rules for projects handling personal data (for example, the anonymization of data used in development, training or test environments, or the encryption of data in the database without degrading performance). Thus, as long as the PSSI formalized by the CISO properly addresses the securing of developments, the organization's compliance with Article 25 is already well advanced.
The work of the CISO to accelerate the formalization of the data breach management process
Another area where the CISO can accelerate the compliance process is ensuring that the company is ready to deal with data breaches: that is, ensuring that the company is in a position to detect a data breach, to limit its impact, and to inform the individuals concerned and the supervisory authorities as required by the GDPR.
The CISO will normally have implemented, as part of the PSSI, an escalation process for when a security incident is detected. Depending on the severity of the incident, this process must lead to the activation of a crisis unit. For the DPO, this process must be supplemented with a step that informs the DPO, so that the DPO can manage the notifications.
As a reminder, the deadline for notifying the supervisory authority is 72 hours from the moment the company becomes aware of the breach. The CISO's experience of this type of situation can be a real benefit for the DPO.
The CISO's work to reduce the workload on contracts with subcontractors
The review of subcontractor contracts is a huge part of the compliance project.
Finding the contracts and their various amendments, and ensuring that their clauses cover security and data protection aspects, takes a lot of time and effort for the teams. In fact, many DPOs propose to define standard clauses and wait for contracts to come up for renewal to include them, rather than carrying out this contract review.
However, let us keep in mind that the review of contracts makes it possible to clarify and delimit the obligations of the various partners. It is therefore important in the context of identifying the risks of non-compliance that weigh on the company.
Here again, your CISO may already have put clauses in place in contracts to verify that suppliers take security issues seriously.
It is therefore possible that your subcontractors, or at least some of them, already meet the requirements of article 28 and, in addition, those of article 32.
In terms of contract clauses, some CISOs have formalized standardized security requirements to be included in subcontractor contracts:
- confidentiality clauses covering the data handled;
- audit clauses allowing the company to conduct, or have conducted, its own security checks;
- clauses requiring regular penetration test certification;
- evidence of vulnerability monitoring for the subcontracted environments.
If the CISO has already implemented this type of action, the DPO can, during its contract review process, ensure that the clauses are sufficient to cover the protection of personal data.
The work of the CISO to promote employee awareness of personal data protection
The CISO and the DPO are both responsible for training and raising the awareness of employees, and for ensuring that the organization's internal rules are applied. It is likely that the CISO has already set up communication channels:
- onboarding awareness sessions for new hires;
- awareness days;
- information on the intranet site or an FAQ available on several internal media;
- an e-learning platform.
If the CISO has put these channels in place, the DPO can also use them to carry out their own communications or to complement the messages related to data security.
With Adequacy, DPOs can go even further in capitalizing on the work carried out by the CISO.