Large numbers of organisations are scrambling to ensure systems are protected from malicious attacks and that data is secure and only accessed by those with authority to do so. Meeting these requirements often requires a full audit of all data stored across the organisation and the introduction of tools and processes to maintain security at all times.

The best person for the job

In larger organisations, undertaking these tasks and achieving required levels of data security and privacy is a constant and complex task. For this reason, many organisations are looking to appoint a central person whose job it is to manage the process.

Often given the title chief privacy officer (CPO), this person takes an organisation-wide view of the issues and ensures appropriate steps and investments are made to achieve stated goals. A key goal for a CPO is to ensure an organisation understands that the value of data is not just about the profits that can be extracted from it, but rather that it has intrinsic, personal value in and of itself.

Once established in the role, the CPO will be tasked with protecting the privacy of data generated by individuals, customers, and employees. They will be focused on ensuring that their organisation is collecting and using data in ways compliant with regulations and guidelines at all times.

The success of the CPO will be judged by how well the organisation meets privacy requirements and whether data collected is treated in a way that recognises the inherent human right to ownership and privacy of personal information. It’s not a goal to be reached but rather something that must be maintained over time.

A data watchdog

Unfortunately, many organisations have no clear idea about the extent of the data they’re collecting and storing or how it’s being protected or used, and this is an issue a new CPO would need to overcome. They need to become a data watchdog and be determined to maintain a clear perspective across the organisation.

When it comes to responsibilities, those of the CPO would include:

  • The implementation and oversight of processes and procedures that govern privacy of data at the point of collection
  • Ensuring their organisation understands the importance of the rules and regulations associated with collecting, protecting, and curating personal data
  • Confirming that the organisation collects the minimum amount of data possible to meet business requirements and that any data no longer required is deleted

From a day-to-day perspective, a CPO can be likened to one leg of a three-legged stool, where the other legs are the chief information security officer and the chief information officer. In such a working relationship, the CISO’s role would be to ensure the enterprise is protected from security risks that could have an impact on how it protects and drives revenue.

Meanwhile, the CIO would provide the infrastructure that actually makes protecting and driving revenue possible. The CPO would therefore lead the oversight body tasked with ensuring the responsible use and privacy of data and would be supported in that effort by the CIO and CISO.

A chief data protection officer?

A different way to approach the challenge is to appoint a chief data protection officer (CDPO). This person would more than likely sit above the CISO and be on an equal level with the CIO. The CDPO would likely end up being a subsection of the CIO role, focused more specifically on personal data and the law.

The CDPO would be responsible for managing the protection of enterprise-related data in various contexts and forms. The role would be geared toward the protection of all data needed by the organisation, including intellectual property and financial data.

A CDPO would be focused broadly on risk mitigation from a business standpoint, and security and privacy would both fall under their purview. This person would have to constantly balance risk and make decisions that take into account security and privacy.

When asked by the board whether data across the organisation is secure, a CDPO would explain that risk is determined, ultimately, by the potential impact that loss of the data in question would have on the business.

They would then explain how they have been implementing a variety of processes, both technical and policy-based, to ensure proper data governance and management of data within the context of the business’ objectives.

Over time, the role of the CDPO would become an integral part of the organisation’s strategy and day-to-day activity. By having someone focused on this important area, an organisation can thus be confident it is both meeting its regulatory requirements and doing the right thing by its staff and customers.

In a future where data is becoming an increasingly valuable business resource, taking such steps is vital.

Budd Ilic, ANZ country manager, Zscaler