Can a CISO be a DPO?
No. A Chief Information Security Officer (CISO) should not be the DPO.
On April 28, 2020, the Belgian Data Protection Authority (DPA) imposed a €50,000 fine on a company for GDPR noncompliance related to their data protection officer (DPO). The company had appointed their head of Compliance, Risk Management and Audit as their DPO. The Belgian DPA found that the appointment introduced a conflict of interest, in particular with the DPO’s decision-making authority to dismiss employees and to determine the purposes and means of processing within the context of the compliance, risk and audit departments.
The Belgian DPA decision raises questions for companies who appoint an internal person in another role, such as those in the security, compliance, or legal areas, as their DPO. Many companies that don’t have, or don’t want to allocate, the budget do not appoint a full-time DPO who holds no other role. Neither regulators nor plaintiff attorneys have left a strong enough impression on organizations that a full-time, separate DPO is necessary. Instead, another person in the company, such as the CISO or head of compliance, is given the secondary role of DPO. Often, the person who is given this secondary role does not report directly to the board of directors, but instead up through a hierarchy that eventually leads to the CEO. The duties and responsibilities of a DPO are tacked onto the other, more business-primary position. Yet the DPO role is essentially an independent auditor. One might view it as quasi-regulatory. There are several problems with making the CISO the DPO.
The following analysis could apply if any of a number of other internal positions, such as CIO, CTO, Compliance lead, Audit lead, or Corporate Counsel, were made DPO. The DPO’s role should not be conflated with any of these roles. Per the decision of the Belgian DPA, “the combination of the role of DPO with that of being the Head of any department that is subject to the DPO’s oversight prevents the DPO from acting independently”.
Section 4, Articles 37, 38 and 39 of the GDPR address the designation, position and tasks of a DPO. The GDPR does allow the DPO to “…be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.” GDPR, Article 37.6. So there is not an absolute prohibition on an employee becoming DPO. The GDPR also allows the DPO to “…fulfill other tasks and duties”, provided that the controller or processor ensures that any such tasks and duties do not result in a conflict of interests. The question becomes whether or not other tasks or duties might result in a conflict of interest. Given the breadth of the definitions of “personal data” and of “processing”, few tasks or duties might avoid all conflicts.
The Article 29 Working Party published guidance on DPOs which was later adopted by the European Data Protection Board (EDPB).
Guidelines on Data Protection Officers (‘DPO’), WP243 rev.01 http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048.
While the placement of a DPO should be decided on a case-by-case basis, in the balance of this article we will look at how the GDPR and the guidance probably do not permit a CISO to become a DPO.
The GDPR, Article 38.3, requires that “The data protection officer shall directly report to the highest management level of the controller or the processor.” Typically the highest management level of a company is the board of directors. The WP29/EDPB guidance points to the board as the highest management level. A CISO normally does not report directly to the board of directors.
Deciding the Purpose and Means of Processing
Article 38(6) of the GDPR allows organizations to appoint to the position of DPO a person who fulfils “other tasks and duties” as long as what the person does will not result in a conflict of interest. The Article 29 Working Party (now the EDPB) provided Guidelines on Data Protection Officers. Where a person who holds the position of DPO within an organization determines the “purposes and the means of the processing of personal data”, a conflict exists. “As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.” WP29/EDPB Guidance on DPOs, page 16.
A CISO does decide the purpose and means of processing quite often, such as encrypting data to make it unreadable, or backing data up remotely to enable recovery. Many actions taken to secure data are in fact processing. The creation and use of controls for data involve processing data.
A CISO cannot collect data on employees in the security department, then put on a DPO hat and independently judge whether or not the collection was proper, or deny that processing took place in the first place.
GDPR, Article 38(3) establishes basic guarantees to ensure that DPOs are able to perform their tasks with a sufficient degree of autonomy within the organisation. In particular, controllers/processors are required to ensure that the DPO ‘does not receive any instructions regarding the exercise of his or her tasks.’ Recital 97 adds that DPOs, ‘whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner’.
Independent judgment is indispensable for a DPO, and practically impossible for a CISO who is also a DPO. DPOs are supposed to report security issues missed by the CISO. If they are one and the same person, they are likely not going to report their own failings. Judging one’s own work is deeply unprofessional. A DPO should never be in a position where privacy and data protection take a back seat to business interests.
Especially in publicly traded companies, a DPO can have fiduciary duties, such as reporting on non-compliant behavior of executives. CISOs typically report up through a hierarchy and don’t have the same set of fiduciary duties. Having a DPO report up through a hierarchy would stifle the carrying out of those ethical duties.
The primary function of a CISO is security. Privacy would take a secondary position. A CISO for a company will have to prioritize CISO-related security obligations to the detriment of secondary privacy matters. DPO requirements are made less important on any task list because they don’t serve the primary function of a mixed position.
The DPO role requires a high degree of expertise in privacy and data protection. Section 4, Article 37.5 of the GDPR says “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” CISOs are experts in security, not privacy. It bears saying that privacy is not security, and privacy is not just part of security. What is more, CISOs tend to be technical experts, not experts in laws and regulations.
Privacy is a New and Emerging Discipline
Relative to corporate law, finance, accounting, IT, and other organizational disciplines, privacy is new. The GDPR only came into effect in 2018, and the CCPA in 2020, but was not enforced until July 2020. New state and national privacy laws are arriving frequently. Modern computing, and especially cloud computing, has brought about the collection, storage, use, and sharing of mass amounts of data. New technologies such as AI and facial recognition challenge how we think about privacy. The DPO position requires the full-time efforts of a well-trained expert, not the part-time effort of someone trained in a different discipline.
Separation of Duties
What about separation of duties? That is, might it work for the same person to fill two roles, the DPO and another, if there is a strict set of policies and procedures separating the duties of each role? No. Independent judgment is still all but impossible. The duties are also bound to conflict, such as reporting issues caused by the primary role. And when incidents arise, time and resources must be prioritized for the DPO, not the other role.
Some have suggested that if a conflict of interest arises to challenge the independence of a DPO, then the DPO could step aside and a “back-up” DPO could act temporarily during the resolution of the event. This of course begs the question, what if there is a conflict for the back-up? Does the company use a back-up-back-up DPO? This does not seem like a practical solution.
WP29/EDPB guidance says the functions of a DPO can be exercised on the basis of a service contract. An external DPO can quickly bring needed expertise and experience into an organization. The DPO is often a part-time role, with periods of projects and lulls as the company becomes compliant. Independence is more easily preserved and validated. Investors in a company with an external DPO might look on it favorably as a strong indicator of regulatory compliance. An external DPO avoids having to put pressure on an internal employee to uphold independent judgment regarding privacy compliance.
DPOs should be independent. CISOs, heads of compliance, risk and audit, and other similar positions in an organization should not be DPOs. Both the GDPR and the WP29/EDPB guidance provide clear direction against tacking the DPO role onto another role within an organization. CISOs should not be DPOs.