Although the Data Protection Officer (DPO) is the only actor whose appointment is required within the framework of GDPR governance, the DPO is not the only one in charge of personal data protection. The Chief Information Security Officer (CISO, also called the Information Systems Security Officer) plays a key role in implementing the compliance strategy within the company, and must ensure that appropriate measures are used to guarantee an adequate level of data security. Of course, the CISO's role goes far beyond the protection of personal data, since security concerns the entire information system. However, personal data is part of that system, and as guarantor of the information security policy, the CISO makes a major contribution to ensuring that personal data is handled appropriately. Cybersecurity is at the heart of the protection of personal data. There are several reasons why the DPO and the CISO should work together.
To secure personal data
The important role that security plays in the protection of personal data is clearly laid out in the GDPR. Article 32 of this text requires the implementation of technical and organisational measures. Any organisation that processes personal data is thus obliged to secure the data by implementing appropriate measures to ensure a sufficient level of security. This obligation is imposed on all actors involved in the personal data processing chain, and is therefore the responsibility not only of the controller, but also of the processor.
This role is all the more essential nowadays, when most processing of personal data is carried out using computer technology. And as soon as these techniques are used, cybersecurity comes into play to protect the data. Compliance with personal data regulations cannot therefore be considered optimal if personal data is not secure.
To ensure compliance with the various obligations
The need for collaboration between the DPO and the CISO is reflected in several obligations of the GDPR. The actions to be carried out cannot be accomplished without the intervention of the CISO, or even the security team. For example, the requirements relating to data breaches require a risk assessment to determine whether there is a risk to the rights and freedoms of individuals and the extent of the risk. This assessment should be carried out in collaboration with the CISO, and it is important that this actor intervenes to put in place the appropriate measures to remedy the security breach and reduce the potential impact on data subjects. Another example concerns the outsourcing of a service or the use of a new solution where the analysis of the third party’s compliance with the GDPR also includes the verification of the security measures put in place.
This collaboration is also necessary when carrying out a privacy impact assessment (PIA), in particular for the part concerning security measures and risk analysis. It is also indispensable for compliance with the principles of data protection by design and by default, in order to choose the appropriate measures and configure suitable default settings when a product is created. Similarly, accountability requires that security documentation be put in place to demonstrate that the data is sufficiently protected.
To avoid cyber attacks
Cyber attacks have increased considerably in recent times, and collaboration between the DPO and the CISO helps to prevent them. In 2021, 5,037 data breaches were notified to the CNIL, an increase of 79% compared to 2020. For example, the Corbeil-Essonnes hospital, in France, suffered a cyber attack in August 2022 that affected nearly 1.5 million people, including patients and hospital staff. The health insurance company also experienced an attack in March 2022 that allowed unauthorised people to log into healthcare professionals’ accounts; this breach affected the personal data of around 500,000 patients. Dedalus also suffered a leak of the medical data of nearly 500,000 people in February 2021, which was released on the internet because the personal data on the server was not encrypted and no authentication was required to access the public area of the server. Similarly, the French authority was informed in September 2021 of a leak of data from the AP-HP concerning 1.4 million people tested for Covid-19.
Most of the data affected by these incidents are considered sensitive by the GDPR and such attacks can lead to serious consequences for individuals. To avoid this, enhanced security measures must be implemented. It is not enough to put in place all the necessary processes under the GDPR and to conclude contracts including all the required clauses. If sufficient security measures have not been implemented, there is not only the risk of attacks, but also the risk of sanctions.
To protect against sanctions
Most of the sanctions pronounced by the French authority, the CNIL, in the last two years concern breaches of the obligations on personal data security. Of the last 10 sanctions published by the CNIL for breaches of the personal data regulations, at least 5 concern breaches of data security. Indeed, EDF (the French electricity provider) was sanctioned for, among other things, failing to put in place sufficient security measures: the passwords for accessing the customer area of the “prime énergie” portal were stored in an unsecured manner, and those for accessing the EDF customer area were only hashed, without adding a random salt before hashing. The same applies to Discord, which was sanctioned for failing to comply with several GDPR obligations, including the obligation relating to the security of personal data; its password management policy was deemed not sufficiently robust. Other sanctions pronounced in 2021 also concern failures to comply with the obligation on data security, such as those against Slimpay and Free.
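To make the defect cited in the EDF decision concrete, here is an added illustration (not code from the page or from any organisation named in it) contrasting an unsalted single hash with a per-user salted, iterated hash. The user names, passwords and iteration count are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials: two users happen to share a password.
USERS = {"alice": "Winter2022!", "bob": "Winter2022!", "carol": "correct horse"}


def weak_hash(password: str) -> str:
    """Unsalted, single fast hash: the storage pattern criticised by the CNIL."""
    return hashlib.sha256(password.encode()).hexdigest()


def duplicate_digests(table: dict) -> set:
    """Digests that occur more than once in a stored table.

    With no salt, identical passwords produce identical digests, so a leaked
    table immediately reveals which users share a password and lets one
    precomputed table attack every account at once.
    """
    seen, dups = set(), set()
    for digest in table.values():
        if digest in seen:
            dups.add(digest)
        seen.add(digest)
    return dups


def strong_hash(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256).

    The iteration count is an assumed value chosen for illustration; the
    salt is stored alongside the digest so it can be reused for verification.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_tables() -> tuple:
    """Return (weak_table, strong_table) for the constructed users."""
    weak = {u: weak_hash(p) for u, p in USERS.items()}
    strong = {u: strong_hash(p) for u, p in USERS.items()}
    return weak, strong
```

Running `build_tables()` shows a duplicate digest in the weak table for alice and bob, while the salted table has none and still verifies each user's password.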
These examples are not exhaustive but demonstrate that cybersecurity is a pillar of GDPR compliance and optimal protection of personal data cannot be ensured without close collaboration between DPO and CISO.