Dear CISO: Who is Responsible for Data Privacy?

In Theory:

The legal team/DPO should lead the privacy policy as well as manage direct interaction with data subjects, such as DSAR (data subject access request) management.


Security should lead the implementation of the privacy policy, including how to create, monitor, and protect the organization's personal data inventory.

In Practice:

CISOs already have the knowledge, tools and business processes in place to lead an end-to-end compliance process. They have been doing exactly that for many years, each against the regulations that apply to their own industry and region.

However, there is a significant difference between privacy regulations (GDPR, CCPA, etc.) and other regulations. Privacy law requires direct interaction with data subjects who are not necessarily registered customers of the organization, and that is a new challenge for CISOs. Risk and legal departments have owned this kind of process for many years and have built the skills to handle it while protecting the interests of the organization they represent.

To summarize:

  1. The CISO should lead the process. If you are not planning to create a separate DPO role, the CISO should serve as the DPO as well.
  2. The legal department should lead DSAR handling and any other interaction with data subjects. For the technology that supports that process, legal should be a customer of the CISO.
  3. The CISO should provide the legal department with tools that make interacting with data subjects, whether directly or through the customer service department, as easy as possible.

*** This is a Security Bloggers Network syndicated blog post authored by Itzhak Assaraf.