In the perspective of the new EU Data Protection Regulation, Companies which process personal data should have roles and organizational structures capable of ensuring the satisfaction of security requirements and compliance.
For this purpose, the Data Protection Officer (DPO) Role is the main function that companies should identify.
The DPO mission is to be a point of reference towards data subjects, the external supervisory authority, internal operational and controlling functions, in order to provide governance, to monitor activities and to ensure compliance to the requirements of Data Protection Law and of other matters related to data governance.
The DPO is essentially a company’s internal function which shall assure the operational ability to comply with Data Protection requirements, in cooperation with the Compliance Officer, Risk Manager, Security Officer and operational people.
Important tasks of DPO function should be issuing Data Protection internal rules, verifying the results and providing assurance of the company ability to react in case of risks or detection of deficiencies.
The DPO will be mainly responsible for overseeing compliance of personal data processing systems.
Companies’ Governance shall ensure:
- DPO appropriate and timely engagement in all issues related to personal data protection;
- DPO independence in performing his role and tasks within the organization;
- DPO appointment without this being a reason for incompatibility or this resulting in a conflict of interests with other DPO tasks and duties;
- DPO appropriate resources, people, and devices.
Companies should answer to requests coming from data subjects about processing of their own data, purposes, and operational and storing measures and to this purpose the DPO shall ensure effective and efficient organizational and technological solutions to be adopted in order to comply to this Regulation.
The appointment of a DPO shall be based on professional qualities, competencies and knowledge of data protection law and its best practices.
The DPO shall also have an advisory role, supporting a consistent application of Data Protection rules and company policies and procedures (e.g. data breach, management of requests coming from Authorities).
Coordination, on the basis of a RACI Chart, with Compliance Officer, Risk Manager, Security Officer and operational people is the key success factor of the Role .
Main DPO tasks that should be coordinated with the other controlling roles are the following:
- supporting the definition and the implementation of security measures;
- providing advice about possible privacy related impacts for new initiatives being launched (cfr. PIA)
- monitoring the privacy compliance for the accomplishment of any information system component being developed;
- monitoring the effectiveness of technical and organizational measures for privacy protection;
- retaining documentation as an evidence of the results achieved;
- overseeing the measures and the decisions taken in accordance with Data Protection law, including the organizational ones (appointments, training), the technical ones (from designing to releasing) and the security related ones;
- handling Data Protection incidents and data breaches;
- verifying that the PIA is requested by the controller about the specific kind of data processing and that prior consultations to external supervisory authority are submitted.
The ISACA COBIT 5 framework for the governance and management of enterprise IT is a leading-edge business optimization and growth roadmap that leverages proven practices, global thought leadership and ground-breaking tools to inspire IT innovation and fuel business success.
The ISACA COBIT 5 framework, along with the Information System Life Cycle, outlines the following main controls under responsibility of the DPO, shared with the other company functions in a RACI Chart perspective.
The DPO shares its responsibility with the Security Manager in most control objectives of Cobit 5.
|Processes categories||Processes||Control Objectives|
|Planning and control processes||Manage Quality||APO11.02 Define and manage quality standards, practices and procedures|
|Manage Risk||APO12.01 Collect data|
|APO12.06 Respond to risk|
|Manage Security||APO13.03 Monitor and review the ISMS|
|Developing processes||Manage Solutions Identification and Build||BAI03.07 Prepare for solution testing|
|Manage Organisational Change Enablement||BAI05.05 Enable operation and use|
|BAI05.06 Embed new approaches|
|BAI05.07 Sustain changes|
|Manage Knowledge||BAI08.01 Facilitate a knowledge-sharing culture|
|BAI08.05 Evaluate and retire information|
|Monitoring processes||Monitor, Evaluate and Assess the System of Internal Control||MEA02.01 Monitor internal controls|
|MEA02.03 Perform control self-assessments|
|MEA02.04 Identify and report control deficiencies|
|Monitor, Evaluate and Assess Compliance with External Requirements||MEA03.01 Identify external compliance requirements|
|MEA03.02 Optimise response to external requirements|
|MEA03.03 Confirm external compliance|
The Cobit 5 framework is a helpful tool to define DPO Responsibilities and tasks according to international good practices.
Applying COBIT5 to Critical Information systems would provide state of art data protection. A DPO with such skills would prove extremely valuable to a company that has a privacy-aware culture and a structured organization. I hope many more will be so, as we move towards adopting the new European GDPR.