Here is a short topic on privacy that many know about but few talk about. It concerns the role-clarity issues that I see between CISOs, IT and GCs in many organizations.
There is typically agreement that
- The CISO should have primary responsibility for ensuring that information security is managed
- IT should have primary responsibility for implementing technical controls in most organizations
But there is often a lack of clarity on who is responsible for:
- Inventory of locations of privacy data
- DPIA of the flow of data in business applications
- Subject Impact Request process
- Risk management/treatment for privacy risk
- Defining application requirements for privacy by design
I believe that many organizations do not consciously define accountability and responsibility for these items, and this ends up creating a lot of risk. Ultimately, since the GC will end up being accountable for privacy, it behooves them to ensure that roles are very clear and that there is a well-defined end-to-end process for privacy.