ICT organizational GDPR roles - DPIA
Intro
Understand the qualifications, the obligations, the role and functioning of the DPO within any organization that processes personal data.
Able to distinguish the role of the DPO from the role of the CISO.
Able to understand the different approach to risk analysis taken in data protection, in comparison to "traditional" information security risk analysis.
Able to identify data protection risks and mitigating measures.
Understand the significance of the DPIA and what such an assessment should contain.
1. Data Protection Officer (DPO) - CISO - Privacy Team
Key messages
The GDPR establishes the position of the data protection officer (DPO).
The role of a DPO is to ensure that the organisation processes personal data of any individuals (data subjects) in compliance with the applicable data protection rules.
Appointment of a DPO is mandatory in some cases.
The DPO acts as an internal consultant and auditor and reports to the top management.
The Chief Information Security Officer (CISO) is part of an organization’s management team and is responsible for the actual implementation and functioning of security measures, taking decisions and representing the organisation in relation to Information Security.
It is highly likely that the role of CISO is incompatible with the role of the DPO, unless the organization can prove that the role of the CISO is purely advisory.
An organization should not rely only on the DPO for privacy related issues. The establishment of a privacy team, comprising employees with the necessary skills and expertise, is crucial.
2. Relationship between Personal Data Protection and Information Security
Key messages
Information security is an integral part of the GDPR, but constitutes only one of the data protection legislation principles.
The GDPR adopts a risk-based approach to data protection and information security.
The definition of "risk" in data protection differs from the one used in information security.
Under the GDPR, risk is assessed with respect to the rights and freedoms of individuals that may be affected by the processing of their personal data.
In data protection, unlinkability, transparency and intervenability are added to the well-known CIA triad (confidentiality, integrity and availability).
3. The DPIA as an accountability tool
Key messages
The Data Protection Impact Assessment (DPIA) is a method to identify and mitigate any data protection related risks arising from a new project.
Conducting a proper DPIA is probably the most complete accountability tool.
Through the DPIA process a data controller can mitigate risks throughout the lifecycle of a product.
The DPO provides advice to the team conducting the DPIA but should not be the person responsible for that assessment.
General References
WP29 - Guidelines on Data Protection Officers ('DPOs') (wp243rev.01) - endorsed by the EDPB
Hellenic DPA - Announcement on the representation of data controllers/processors before the HDPA
Belgian DPA - Decision 141/2021 - incompatibility of the roles of DPO and CISO
WP29 - Guidelines on Data Protection Impact Assessment (DPIA) (wp248rev.01) - endorsed by the EDPB
Irish Data Protection Commissioner - Data Protection Impact Assessments