The looming General Data Protection Regulations (GDPR) have created alarm among companies over who will be accountable for implementing its requirements.
Early research indicates that 79% of Britain’s medium and large companies are unsure about their compliance, and many do not understand how the burden of compliance will be divided up.
In reality, the legislation makes it clear where the distinctions lie between the responsibilities of different roles.
Separation of powers
For successful implementation of the GDPR, it is critical to have a separation of powers between those designing the strategy and those responsible for implementing it.
The data privacy officer (DPO) is responsible for defining and regularly reviewing the overall privacy-management strategy, while the information security professional must execute the strategy using his/her own preferred tools and technologies.
Cash-strapped small to medium-sized enterprises (SMEs) might be tempted to amalgamate the roles of information security professional and data privacy officer into one. But this would be equivalent to combining judge and executioner; if the person charged with implementing the strategy is the same person responsible for reviewing its implementation, there would be no independent oversight.
Crucially, if the privacy-management strategy is designed by the same person who has to implement it, they might design the strategy to fit the security product, rather than the other way around.
Another reason to separate the functions of creating and implementing the Data Privacy Management (DPM) strategy is because information security professionals often go for the best-of-breed technologies to comply with every law, whereas non-security professionals have a more holistic approach to compliance.
The chief infomation security officer (CISO) might comply with the GDPR by splashing out on a hugely expensive privacy-management product to filter every email in the company; while the DPO may be more likely to analyse what information they can “afford to lose” and prioritise security spending accordingly.
It should be the DPO’s responsibility to communicate to the board where they are most at risk of a breach. The DPO should also, crucially, work with the board to determine whether it is worth the risk by comparing the cost of buying new technology to guarantee compliance, with the cost of simply taking the legal and reputational hit.
The question of liability
The DPO and information security professionals are not legally accountable for the success or failure of the privacy-management strategy. However, the DPO is responsible for escalating all risk or harm-related issues to a higher level within the organisation.
Ultimate accountability and ultimate veto power over the strategy lies with senior executives in the organisation.
The DPO has ultimate responsibility for reporting data breaches to customers, or shaping the manner in which they are reported through the organisation’s communications team. The DPO should also communicate and coordinate with key business stakeholders to ensure compliance across the organisation.
The key to successful compliance is to always ensure a separation of powers between information security professionals and those responsible for the privacy management strategy. This helps to ensure there is independent oversight, and that responsibility for data privacy is spread evenly across the organisation.
Yves Le Roux, co-chair of the (ISC)2 Emea Advisory Council and technology strategist for CA Technologies.