Would my CISO be my DPO?

On 24 May 2017, the Belgian Privacy Commission published a recommendation (04/2017) on the designation of a Data Protection Officer (DPO) by public and private entities when required to do so under the General Data Protection Regulation (GDPR), especially as regards the combination of duties, such as Chief Information Security Officer (CISO) (the “Recommendation”).

As a reminder, the DPO shall “monitor” compliance not only with the GDPR, but also with other EU and national data protection provisions, as well as the applicable privacy policies. So yes, it matters to find someone suitable, either a staff member or a third party on the basis of a service contract (either an individual or an organization). Also, it’s worth stressing that DPOs must be given sufficient autonomy and resources to carry out their tasks effectively.

In essence, the Commission mainly refers to the guidelines that were previously issued by the Article 29 Working Party, the independent EU advisory body on data protection and privacy (the “Guidelines”). In other words, the DPO must be designated on the basis of professional qualities and in particular, expert knowledge of data protection law and practices (security of processing is just one piece of the puzzle!). The required level of expertise is not strictly defined but it must be commensurate with the sensitivity, complexity and amount of data the organization concerned processes. For example, there is a difference depending on whether the organization systematically transfers personal data outside the EU or whether such transfers are occasional. That being said, no degree or certification is formally required.

As regards the combination of duties, the CISO (or any other “similar” position such as Compliance Officer or Risk Manager) cannot automatically be designated as the applicable DPO; in each particular case, it should depend on a thorough and documented assessment by the organization concerned, while no prior approval will be given by the Commission. However, the latter insists on appointing DPOs who are in a position to perform their duties and tasks “in an independent manner”, without any conflict of interests. This entails in particular that the DPO cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data. In other words, and still according to the Commission, the CISO cannot become the DPO if (s)he actually implements the necessary security measures.

The Recommendation and the Guidelines can be found on:

https://www.privacycommission.be/sites/privacycommission/files/documents/recommandation_04_2017.pdf

https://www.privacycommission.be/sites/privacycommission/files/wp243_rev01_enpdf_DPO_3.pdf