DPO and CISO: what complementarity in their missions?

By
Alessandro Fiorentino
[Image: essential collaboration between the DPO and the CISO to ensure compliance and data security]

In a previous article, we presented the evolution of the CISO's missions, clarified the role, and emphasized the importance of the CISO's involvement in the compliance process.

Let's now focus on the Data Protection Officer (DPO), a necessary step before identifying the best way for our two actors to work together.

The role of the DPO

Introduced in 2018 with the entry into application of the GDPR, the DPO must help managers meet their obligations regarding the protection of the personal data of their customers, prospects and employees.

In practice, the missions of the DPO are to:

  • Define and implement the processes and procedures that make compliance possible;
  • Assist and advise the data controller and company management on the legal requirements for the protection of personal data;
  • Keep the GDPR records up to date: the record of processing operations, of personal data breaches and of the exercise of data subjects' rights;
  • Conduct data protection impact assessments for the high-risk processing operations of the organization;
  • Define and ensure the implementation of technical and organizational measures aimed at guaranteeing the security of personal data processing;
  • Keep up to date the documentary repository demonstrating the organization's compliance;
  • Monitor the organization's compliance with the regulation and the implementation of internal policies relating to data protection;
  • Report to the data controller on whether or not the organization is compliant;
  • Raise awareness, train and inform staff on data protection issues;
  • Cooperate with the supervisory authority.

DPO and CISO: two roles, two actors

Some companies, as they had done with the CIO and CISO roles, wanted to make their CISO their DPO so as not to increase headcount. However, the Bavarian Data Protection Authority has already ruled that a conflict of interest exists between the DPO and the CISO and that the same person cannot combine these two responsibilities. In other countries, the same type of doctrine has been adopted. We will therefore assume that these two roles are held by two distinct actors within your organization.

The mission of the DPO is to help the company use personal data in a secure and privacy-friendly manner

Some people see a different or even divergent purpose in these two positions: the CISO must protect the company and its assets, while the DPO aims to protect people. For my part, I refute this vision of the DPO. In my opinion, the mission of the DPO is to help the company use personal data in a secure way that respects the privacy of individuals, whether they are customers, users or employees.

Even if we do not all agree on this analysis, we can no doubt agree that these two actors share some objectives and have similar activities.

The CISO will continue to protect the information system and the data that passes through it

The DPO will be committed to protecting personal data, focusing more on controlling the appropriate use of the data collected, while the CISO will continue to protect the information system and the data that passes through it, whether personal or not. The GDPR only makes personal data more "sensitive" in the eyes of business management. As a result, the objective of GDPR compliance requires the DPO and the CISO to work closely together, in perfect synergy.

DPO - CISO collaboration: common projects

The DPO, as part of their activity, needs the CISO, and the projects requiring their collaboration are numerous.

The breach management process

The breach management process must allow breaches to be detected quickly, so that the supervisory authority can be notified and, in some cases, the data subjects informed as soon as possible. The duo will have to answer three main questions:

  • How do we detect security incidents within the organization?
  • How do we identify a security incident as a personal data breach?
  • When and how do we alert the DPO in order to comply with the regulatory time constraints?

The PIA risk analysis process

Data Protection Impact Assessments (PIAs) help to identify and assess the measures in place, or to recommend new measures. The DPO must therefore rely on the framework of security measures set out in the Information System Security Policy (PSSI) established by the CISO.

An exchange between the CISO and the DPO is necessary when recommending security measures specific to a processing operation.

Raising awareness among employees and management

The CISO and the DPO must both make staff and management aware of security issues. Admittedly, the subjects of their awareness-raising do not perfectly overlap, but in both cases teams must be mobilized and communication channels set up.

However, to carry out this project successfully, the DPO and the CISO need to coordinate their actions so that their respective messages are heard clearly.

Regular monitoring of security measures

Defining security measures without ensuring that they are in place and working properly is useless. The DPO and the CISO must audit their organization every year.

Be careful not to over-solicit operational teams

To do this, they must put in place processes that allow the security measures they have defined together to be verified and validated. Note that the verifications of one must feed those of the other: the aim is not to double the audit burden or to over-solicit operational teams.

Another point of attention is the requests made by partners or data subjects. It is essential for both actors to formalize a common response, to avoid inconsistent messages depending on the point of entry.

CISO - DPO collaboration: pitfalls to avoid

To allow good collaboration between the two actors, certain biases must be avoided.

Making the CISO the DPO's subcontractor

Coming mainly from the legal community, DPOs may see the CISO as an expert, or as the person responsible for implementing their security measures.

It is important that, when faced with questions relating to encryption or pseudonymization, the DPO does not tend to delegate these technical aspects to the CISO in order to "wash their hands" of them. As we saw previously, this vision is very reductive of the CISO's function: the CISO is not the DPO's "subcontractor" for security aspects.

The DPO must not abandon the technical aspects to the CISO

The DPO and the CISO are both responsible for the proper security of data within their organization. It is therefore a joint decision that must define the organizational, legal and technical security measures to be put in place.

This is not a person in charge of legal aspects on the one hand and a person in charge of technical aspects on the other. It is a partnership, a team able to tackle the problem from every angle. The new regulations emphasize a convergent and multidisciplinary approach between CISO and DPO, lawyers and technical specialists. Consistency at all levels is what will protect the organization's personal data.

Confusing the CISO with the IT department (DSI)

The CISO should not be confused with the IT department (DSI), which is the entity in charge of implementing technical measures. In many companies, technical expertise belongs to the IT operational teams within the IT department and not to the CISO. In these situations, the DPO must avoid bypassing the CISO by dealing directly with the IT department to find solutions instead of talking with the CISO.

Seeing the DPO as a competitor to the CISO

Finally, the last trap we encounter in this collaboration no longer comes from the DPO but from the CISO themselves. Some CISOs see the DPO as someone who comes to take part of their scope, their "responsibility", their "power". The resulting friction between the two actors is very harmful to the success of the compliance project.

It is important to remember that the DPO is:

  • a teammate who will relieve the CISO on personal data protection issues;
  • an ally for getting messages across to employees, managers and the IT department in order to move projects forward;
  • a source of information on new processing operations and projects, allowing them to be identified at an early stage and security issues to be addressed from the start of projects (security by design).

DPO and CISO: synergy or non-compliance

To successfully bring an organization into GDPR compliance, the synergy between the DPO and the CISO must be as strong as possible and their actions coordinated. To us, establishing monthly working meetings seems a minimum obligation.

Each must draw on the work and expertise of the other. Their complementarity will certainly result in faster compliance, better security and better knowledge of the company's information assets.
