Here is a short topic on privacy that many know about but few talk about. It is about the role issues that I see between CISOs, IT and GCs in many organizations.

There is typically agreement that

  1. GCs should have the primary role in interpreting privacy law and be responsible for the organization's privacy policy
  2. The CISO should be primary in ensuring that information security is managed
  3. IT should be primary in implementing technical controls in most organizations

But there is often lack of clarity on who is responsible for

  1. Inventory of locations of privacy data
  2. DPIA of the flow of data in business applications
  3. Subject Impact Request process
  4. Risk management/treatment for privacy risk
  5. Defining application requirements for privacy by design

I believe that many organizations do not consciously take on defining accountability and responsibility for these items, and this ends up creating a lot of risk. Ultimately, since the GC will end up being accountable for privacy, it behooves them to ensure that roles are very clear and that there is a well-defined end-to-end process for privacy.