3 Ways CISOs and DPOs Can Work Better Together

The advent of new data privacy regulations such as Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Protection Act (CCPA) has triggered the creation of DPO roles in many organizations today, and that trend has had no small impact on cybersecurity leaders. While there are varying interpretations of the differences between the roles of Privacy leadership (DPO or CPO) and Information Security leadership (CISO, CSO or CIO), most agree that these roles have some degree of overlap and must work together to further their mutual interests.


The purpose of this blog is to identify three existing business mechanisms that data privacy and security leaders can leverage in order to work better together. We’ll refer to them as DPOs and CISOs, respectively, throughout this blog.


Enterprise Risk Management

The first mechanism is an organization’s Enterprise Risk Management (ERM) program. Although the word “Enterprise” might lead some to think this is a technical effort, ERM is typically an executive-level management function that covers the entirety of an organization’s risks. ERM risks run the gamut from financial and competitive to operational and security. In publicly traded companies, the Annual Report to Shareholders contains numerous pages of narrative describing the organization’s risks, which are typically derived from and managed by an ERM program.


One of the common “Information/Cyber” risks detailed today in annual reports is compliance with privacy laws. An effective ERM program should identify not only risks, but also the mechanisms to manage those risks.


An effective ERM Risk Register will list all the individual risks (e.g. Compliance with Privacy Statutes) and then detail the various mechanisms and efforts to address or mitigate the specific risk. The risk registry is an excellent mechanism for drafting and managing a conso ..
