The DPO Role and the Cobit 5 ISACA Framework

Wednesday, November 4th, 2015

In view of the new EU Data Protection Regulation, companies that process personal data should have roles and organizational structures capable of ensuring that security and compliance requirements are met.

For this purpose, the Data Protection Officer (DPO) is the main role that companies should establish.

The DPO's mission is to be the point of reference for data subjects, the external supervisory authority, and the internal operational and controlling functions, in order to provide governance, monitor activities, and ensure compliance with the requirements of data protection law and with other matters related to data governance.

The DPO is essentially an internal company function that ensures the operational ability to comply with data protection requirements, in cooperation with the Compliance Officer, Risk Manager, Security Officer and operational staff.

Important tasks of the DPO function are issuing internal data protection rules, verifying the results, and providing assurance of the company's ability to react to risks or to detected deficiencies.

The DPO is mainly responsible for overseeing the compliance of personal data processing systems.

Companies' governance shall ensure:

  • the appropriate and timely involvement of the DPO in all issues related to personal data protection;
  • the DPO's independence in performing his or her role and tasks within the organization;
  • that the DPO's appointment does not create an incompatibility or a conflict of interest with the person's other tasks and duties;
  • appropriate resources for the DPO: people and equipment.

Companies should answer requests from data subjects about the processing of their data, its purposes, and the operational and storage measures applied; to this end the DPO shall ensure that effective and efficient organizational and technological solutions are adopted in order to comply with the Regulation.

The appointment of a DPO shall be based on professional qualities, competencies, and knowledge of data protection law and its best practices.

The DPO shall also have an advisory role, supporting the consistent application of data protection rules and of company policies and procedures (e.g. data breach handling, management of requests coming from the Authorities).

Coordination with the Compliance Officer, Risk Manager, Security Officer and operational staff, on the basis of a RACI chart (Responsible, Accountable, Consulted, Informed), is the key success factor of the role.

The main DPO tasks that should be coordinated with the other controlling roles are the following:

  • supporting the definition and implementation of security measures;
  • providing advice about the possible privacy impacts of new initiatives being launched (cf. Privacy Impact Assessment, PIA);
  • monitoring the privacy compliance of any information system component being developed;
  • monitoring the effectiveness of technical and organizational measures for privacy protection;
  • retaining documentation as evidence of the results achieved;
  • overseeing the measures and decisions taken in accordance with data protection law, including the organizational ones (appointments, training), the technical ones (from design to release) and the security-related ones;
  • handling data protection incidents and data breaches;
  • verifying that the controller requests a PIA for the specific kind of data processing and that prior consultations are submitted to the external supervisory authority.

ISACA's COBIT 5 is a framework for the governance and management of enterprise IT. It builds on established good practices and provides a common process model and a set of management practices against which an organization's IT activities can be assigned to roles and assessed.

The COBIT 5 framework, mapped onto the information system life cycle, yields the following main controls under the responsibility of the DPO, shared with the other company functions in a RACI chart perspective.

In most of these COBIT 5 control objectives the DPO shares responsibility with the Security Officer.

Process category               | COBIT 5 process                                                           | Control objective (COBIT 5 management practice)
-------------------------------|---------------------------------------------------------------------------|------------------------------------------------------------------------
Planning and control processes | APO11 Manage Quality                                                      | APO11.02 Define and manage quality standards, practices and procedures
                               | APO12 Manage Risk                                                         | APO12.01 Collect data
                               |                                                                           | APO12.06 Respond to risk
                               | APO13 Manage Security                                                     | APO13.03 Monitor and review the ISMS
Developing processes           | BAI03 Manage Solutions Identification and Build                           | BAI03.07 Prepare for solution testing
                               | BAI05 Manage Organisational Change Enablement                             | BAI05.05 Enable operation and use
                               |                                                                           | BAI05.06 Embed new approaches
                               |                                                                           | BAI05.07 Sustain changes
                               | BAI08 Manage Knowledge                                                    | BAI08.01 Facilitate a knowledge-sharing culture
                               |                                                                           | BAI08.05 Evaluate and retire information
Monitoring processes           | MEA02 Monitor, Evaluate and Assess the System of Internal Control         | MEA02.01 Monitor internal controls
                               |                                                                           | MEA02.03 Perform control self-assessments
                               |                                                                           | MEA02.04 Identify and report control deficiencies
                               | MEA03 Monitor, Evaluate and Assess Compliance with External Requirements  | MEA03.01 Identify external compliance requirements
                               |                                                                           | MEA03.02 Optimise response to external requirements
                               |                                                                           | MEA03.03 Confirm external compliance

The identifier prefixes are the COBIT 5 domains the processes belong to: APO (Align, Plan and Organise), BAI (Build, Acquire and Implement) and MEA (Monitor, Evaluate and Assess). COBIT 5 itself calls the numbered items "management practices"; "control objectives" is the older COBIT 4.1 term.

The COBIT 5 framework is a helpful tool for defining DPO responsibilities and tasks according to international good practices.

One thought on “The DPO Role and the Cobit 5 ISACA Framework”

  1. Dominick Leiweke

    Applying COBIT5 to Critical Information systems would provide state of art data protection. A DPO with such skills would prove extremely valuable to a company that has a privacy-aware culture and a structured organization. I hope many more will be so, as we move towards adopting the new European GDPR.
