Although the Data Protection Officer (DPO) is the only actor formally appointed within the framework of GDPR governance, they are not the only one in charge of personal data protection. The Information Systems Security Officer (referred to here as the CISO) plays a key role in implementing the compliance strategy within the company and must ensure that appropriate measures are used to guarantee an adequate level of data security. Of course, their role goes far beyond protecting personal data, since security concerns the entire information system; personal data is, however, part of that system. As the guarantor of the information security policy, the CISO contributes significantly to ensuring that personal data is used properly. Cybersecurity is at the heart of the protection of personal data, and there are several reasons why the DPO and the CISO should work together.
To secure personal data
Security’s important role in protecting personal data is clearly laid out in the GDPR. Article 32 of this text requires the implementation of technical and organizational measures. Any organization that processes personal data is thus obliged to secure the data by implementing appropriate measures to ensure a sufficient level of security. This obligation is imposed on all actors involved in the personal data processing chain and therefore falls on both the controller and the processor.
This role is all the more essential nowadays, when most processing of personal data is carried out using computer technology. As soon as these technologies are used, cybersecurity comes into play to protect the data. Compliance with personal data regulations can therefore only be considered optimal if the personal data itself is secure.
To ensure compliance with the various obligations
The need for collaboration between the DPO and the CISO is reflected in several obligations of the GDPR. The actions to be carried out can only be accomplished with the involvement of the CISO, or more broadly of the security team. For example, the requirements relating to data breaches call for a risk assessment to determine whether there is a risk to the rights and freedoms of individuals and how serious that risk is. This assessment should be carried out in collaboration with the CISO, who must also act to implement the appropriate measures to remedy the security breach and reduce the potential impact on data subjects. Another example concerns the outsourcing of a service or the adoption of a new solution, where the analysis of the third party’s compliance with the GDPR also includes verifying the security measures it has put in place.
This collaboration is also necessary when carrying out the privacy impact assessment (PIA), particularly for the security measures and the risk analysis. It is also indispensable for complying with the principles of data protection by design and by default, which require choosing the appropriate measures and setting suitable default parameters at the time a product is created. Similarly, accountability requires that security documentation is put in place to demonstrate that the data is sufficiently secured.
To avoid cyber attacks
Cyber attacks have increased considerably in recent years, and collaboration between the DPO and the CISO helps prevent them. In 2021, 5,037 data breaches were notified to the CNIL, an increase of 79% compared to 2020. For example, the Corbeil-Essonnes Hospital in France suffered a cyber attack in August 2022 that affected nearly 1.5 million people, including patients and hospital staff. The health insurance provider also experienced an attack in March 2022 that allowed unauthorized people to log into healthcare professionals’ accounts; this breach affected the personal data of around 500,000 patients. Dedalus also experienced a leak of medical data in February 2021 concerning nearly 500,000 people, which ended up published on the internet because personal data on the server was not encrypted and no authentication was required to access the public area of the server. Similarly, the French authority (CNIL) was informed in September 2021 of a data leak from the AP-HP concerning 1.4 million people tested for Covid-19.
Most of the data affected by these incidents is considered sensitive by the GDPR, and such attacks can lead to severe consequences for individuals. To avoid this, enhanced security measures must be implemented. It is not enough to set up all the processes the GDPR requires and to conclude contracts containing all the required clauses. If sufficient security measures are not implemented, there is not only the risk of attacks but also the risk of sanctions.
To protect against sanctions
In the last two years, most of the sanctions pronounced by the French authority, the CNIL, concern breaches of the obligations on personal data security. Of the last 10 sanctions published by the CNIL for breaches of the personal data regulations, at least 5 concern data security failures. EDF (the French electricity provider) was sanctioned for, among other things, failing to put in place sufficient security measures: the passwords for accessing the customer area of the “prime énergie” portal were stored unsecured, and those for accessing the EDF customer area were only hashed, without adding random characters (a salt) before hashing. The same applies to Discord, which was sanctioned for failing to comply with several GDPR obligations, including the obligation relating to the security of personal data; its password management policy was deemed not to be sufficiently robust. Other sanctions pronounced in 2021 also concern failures to comply with the data security obligation, such as those against Slimpay and Free.
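The EDF finding above (passwords hashed without random characters before the hash) is a concrete technical defect. As an added illustration that is not part of the original article and has no connection to EDF’s actual systems, the following Python shows why an unsalted hash is weak beside a hardened form: two users who choose the same password get the same unsalted digest, whereas a per-user random salt with PBKDF2-HMAC-SHA256 gives distinct, slow-to-crack records. The password values are constructed for the example.

```python
# Added example: weak (unsalted) password storage beside a hardened form.
# Not taken from the article; the sample passwords are constructed.
import hashlib
import hmac
import os


def unsalted_hash(password: str) -> str:
    """Weak: the same password always yields the same digest, so one
    precomputed table cracks every account that shares that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hardened: random 16-byte salt + PBKDF2-HMAC-SHA256 with a high
    iteration count. Returns a self-describing record string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare
    in constant time so the check does not leak timing information."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_collides(store) -> bool:
    """True if two users choosing the same password get identical stored records."""
    return store("Winter2022!") == store("Winter2022!")


if __name__ == "__main__":
    # Constructed scenario: two customers happen to pick the same password.
    print("unsalted records identical:", same_password_collides(unsalted_hash))
    print("salted records identical:  ", same_password_collides(hash_password))
    rec = hash_password("Winter2022!")
    print("verify correct password:", verify_password("Winter2022!", rec))
    print("verify wrong password:  ", verify_password("winter2022!", rec))
```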
These examples are not exhaustive, but they demonstrate that cybersecurity is a pillar of GDPR compliance and that optimal personal data protection can only be ensured through close collaboration between the DPO and the CISO.