The Janusian conflict between the CISO and the DPO

Data and data handling are becoming a visible part of corporate and everyday life, receiving more Board airtime and public attention than ever before and increasing the pressure on businesses to take data protection seriously. For example, a two-year-long ICO investigation found significant data protection failures at Experian, resulting in an enforcement action being issued against the company.

Some organisations combine the DPO role with the CISO role, but the trend is moving away from this. Many organisations struggle to position the DPO within their organisational structure: DPOs can be found as outside counsel, as internal compliance experts, or sited within the legal department.

When do you need a Data Protection Officer (DPO)?

Article 37(1) of GDPR requires the designation of a DPO in three specific cases ("core activities" here means the key operations that are crucial to achieving an organisation's goals):

  • Where the personal data processing is carried out by a public authority or body;
  • Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
  • Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

What’s the evidence that there is a CISO and DPO conflict?

A CISO sets out the strategy to ensure the security of corporate IT assets and data. Where the DPO role is combined with the CISO role, this can create a challenging conflict of interest, particularly for smaller organisations. The increased pressure on businesses can lead to conflict and confusion over ownership of the DPO role. Earlier this year, the Belgian Data Protection Authority fined a company €50K for appointing its Head of Compliance, Risk and Audit as DPO, on the grounds that the combination of roles was a conflict of interest. Given the increasing data protection penalties, how can businesses be confident that they are meeting their GDPR legal obligations? This involves asking the right questions of themselves while being very clear about accountability.

Accountability can be difficult to define, and that is increasingly the case between the CISO and the DPO. The CISO is often said to have two overriding fears: everyone who works for the company, and everyone who doesn't. By contrast, the DPO looks at data through the lens of the individual. Under GDPR, organisations must appoint a DPO where their core activities involve large-scale processing of special categories of data or large-scale regular and systematic monitoring of data subjects (see the Article 37(1) criteria above). There is, however, a conflict between these roles. To fulfil the DPO role's obligations, the DPO is effectively questioning the CISO's strategy and practices. Furthermore, if there is a breach, the CISO may work to minimise the perceived repercussions while the DPO may highlight the impact, looking at the issue from the data subject's perspective. The tension between the roles may be irresolvable on questions of personal data security, data privacy and confidentiality, particularly where employee data is concerned.

The CISO/DPO conflict further manifests itself in the issue of privacy in the workplace. During the pandemic, the workplace has become the home for the staff of many companies. When GDPR and the Data Protection Act 2018 came into force, nobody could have envisaged that so many UK businesses would be working from home, handling customer, client and employee data.

The CISO and DPO roles are interrelated and can result in conflict, and recent data privacy news illustrates the issue. Recently, the ICO fined Marriott Hotels £18.4m for a data protection breach that stemmed from a cybersecurity incident which had gone undetected for some four years. The CISO could argue that employees sometimes need to be protected from themselves, which makes the CISO's role harder. Today's equivalent of the 18th Century Spanish Prisoner scam, in which email recipients are offered a large sum of money by a mysterious Prince in exchange for some assistance, will be familiar as an example of the pernicious email confidence tricks that regularly trouble CISOs. At the same time, employers have become more suspicious that remote workers may be less productive, and surveillance of employees is escalating as a result. On the other hand, the DPO will look at that surveillance from the perspective of personal data, which must be processed with a legitimate purpose in mind. These two opposing perspectives are difficult to reconcile, and both paths lead to reputational, financial, legal and data risk if they are not balanced.

What does the conflict mean for employees?

How do these issues impact employees? Employee reactions may vary, but ultimately they need to be able to trust that their employer is taking care of their data. Some employees share content and updates on social media, whether occasionally or to the point of Too Much Information (TMI); such posts may look innocuous but could give away details of the employer's confidential activities. On the other hand, employees may feel that the IT team and the HR team are conducting surveillance on them by default, and feel pressured into accepting that data exchange as an informal condition of keeping their job. If an individual is furloughed or loses their job, they could submit a Data Subject Access Request (DSAR) as a tactical measure against their employer. Increased DSARs will add pressure on organisations that may already be struggling to keep up with their data protection commitments.

Resolving the Janusian conflict

Part of resolving the Janusian conflict is to separate ownership of the two roles. It is important that the enterprise recognises the need for education throughout the organisation, so that data privacy and cybersecurity are understood for the individual as well as for the enterprise: a breach in one area can lead to a breach in the other. Often, organisations focus on one issue or the other, or confuse the two as the same thing. As a result, the human factor in breaches goes unaddressed.

Here are some thoughts on how to resolve the Janusian conflict:

  • One route to supporting the DPO is to set out expectations and obtain a consensus within the organisation before the post is filled, and to ensure that these expectations are communicated well. If the CISO is part of that conversation, they can better understand their own boundaries and role.
  • The organisation needs to provide GDPR training courses for everyone in the enterprise, along with setting out a plan for DPO training.
  • It is important to scope out the responsibilities involved in the DPO role, along with a 'safety net' process to support the DPO in speaking out. If guardrails are not in place, the DPO is put at risk for speaking out even when they are only doing their job.
  • It is crucial to settle a policy for data retention; it is clear that many organisations do not have clear policies, and retention becomes something that people talk about but never actually decide and agree.

Ultimately, the CISO and the DPO should act together to protect the organisation. Successfully protecting customer data is also in the interest of the enterprise, since it protects the organisation from risk and penalties, not just the data subjects. The DPO has a difficult job since they ask hard questions that the organisation may not want to hear, and it can be hard to be the Cassandra in an organisation, telling the truth while nobody listens. As a result, the DPO may not have the backing and support of the organisation when raising privacy issues, but the Board will need to listen to, support and facilitate the DPO in doing their role properly. Resolving the Janusian conflict ultimately means changing the data culture so that data privacy and cybersecurity are both priorities. This is not something that business insurance covers, so it is not a matter of buying a policy and expecting the insurer to foot the bill.
