Dear CISO: Who is Responsible for the Privacy of Data Subjects?

In Theory: The legal team/DPO should lead the privacy policy as well as manage direct interaction with data subjects, such as DSAR management.

Security should lead the implementation of the privacy policy, including how to create, monitor, and protect the organization’s personal data inventory.

In Practice: CISOs have the knowledge, tools and business processes in place to lead an end-to-end process of complying with regulatory requirements. This is because they have been doing it for many years, each one according to the relevant regulations that are part of his area. 

However, there is a significant difference between privacy regulations (GDPR, CCPA, etc.) and other regulations. The direct interaction with data subjects that aren’t necessarily registered customers of the organization presents a new challenge for CISOs. Risk and legal departments have owned this type of process for many years and have gained the skills to do it while protecting the interest of the organization they represent.

To summarize:

1. The CISO should lead the process. In a case where you’re not planning to create a separate role for the DPO, the CISO should be the DPO as well.
2. The legal departments should lead the DSAR and any other interaction with data subjects. They should be a customer of the CISO when it comes to technology solutions supporting that process.
3. The CISO should provide the legal departments with the tools to make their life as easy as possible while interacting with data subjects either directly or through the customer service department.