CEO or Data Protection Officer (DPO): Who will win the power game?
The CEO and the Data Protection Officer (DPO) are, at first sight, adversaries. With the tightening of data protection regulation, a conflict is bubbling up on the executive floors: who has the final say when the company's economic interests are at stake, the business manager or the expert who monitors data protection compliance? Morten Brøgger, CEO of Wire, knows the answer.
The CEO and the Data Protection Officer (DPO) are, at first sight, adversaries. That much is settled by the tightened data protection rules of the GDPR (DSGVO), applicable since May 2018; in Germany, the accompanying Federal Data Protection Act (BDSG) requires companies with at least ten employees to appoint a Data Protection Officer. With that obligation in force, the importance of handling data and information securely will only increase.
Although more than half of all companies have not yet filled a full-time position for a data protection expert, the topic has finally reached the boardroom. Nevertheless, there is still much uncertainty about a function that has gained enormously in relevance in the age of privacy.
The Data Protection Officer monitors compliance with data protection regulations and is therefore responsible for the privacy of employees and customers. Because the DPO is expected to scrutinise and challenge work processes and corporate culture, the person holding this role assumes a prominent and important function in the company.
A new role
According to the latest cyber security survey by the German Federal Office for Information Security (BSI), 70 percent of companies were victims of cyber attacks in 2016 and 2017. Many companies are sitting on a ticking time bomb. Many fall for the fallacy of relying on external data protection experts to examine their operations and processes for IT security, or they put their trust in costly cyber insurance policies. Both conceal further risks.
Insurers and external providers may compensate financially for protective measures and losses, but they usually cannot bring back lost data, and they cannot undo a disclosure once it has happened. If a company's entire IT system is affected, restoration can cost several million euros, depending on the size of the company, not counting the loss of competitive advantages, lost sales and reputational damage.
Even a single stolen file of customer data or passwords can do lasting damage.
This is where the Data Protection Officer comes in, even if that means stepping on management's toes.
Checklist for DPO-to-be
The tasks of the Data Protection Officer include alerting management to data protection breaches and, where necessary, insisting on far-reaching changes. Insecure cloud storage solutions and the company's own communication channels are "sore points" that the data protection expert must keep a particularly close eye on.
In general, whenever software solutions are used, the DPO must be able to check the following points and answer these questions:
- GDPR compliance: Which personal data is processed, how, and on what legal basis?
- Audited software: Are regular independent IT security audits carried out, and are the audit reports available for review?
- Open source availability: Is the source code freely available, so that critical security vulnerabilities or potential backdoors for third parties can be found by independent review rather than taken on trust?
- Server location: Are the servers located within the EU, so that the comparatively strict European legal framework applies?
- End-to-end encryption: Are data transmissions, or ideally all communications, end-to-end encrypted, so that only the sender and the intended recipient can read the content and not even the service operator has access?
In the best case, the CEO establishes an internal security culture together with the Data Protection Officer. Together they work to ensure that employees develop a positive attitude towards the necessary policies, because in the worst case their own jobs and the well-being of the company depend on the IT security mechanisms actually working.
No power play, no losers
The Data Protection Officer can bring truths to light that are very uncomfortable for the CEO: the DPO openly addresses errors and violations, demands reforms and questions existing workflows. Nevertheless, management and the data protection expert fundamentally represent the same interests. In the end, everyone involved reaps invaluable benefits from close cooperation: the company is better protected against cyber threats, employees handle sensitive information more prudently, customers benefit from improved data protection, and all of this pays off in the company's reputation.
It is therefore important that the DPO establishes new workflows and integrates secure tools into work processes. Such tools also offer an opportunity to raise the company's productivity and thus have a positive effect on its KPIs. In the end there are only winners, provided the CEO and the DPO do not engage in a power struggle but pull together.
The Data Protection Officer steers processes that span the whole company. Together with the CEO, the company's interests are thus protected in the long term.