Dirk Lehmann, CISA, GCIA
To protect personal data in compliance with the relevant laws and regulations, a company's data privacy officer usually establishes controls in the areas of people, processes and information technology. The implementation of these controls often lies outside the direct responsibility of the data protection officer, who depends on the human resources (HR) and IT people to implement them. So my question is: how is a data privacy officer held accountable for compliance with, or breaches of, data protection laws?
Let's assume the data privacy officer wants to ensure that no one leaves printed personal data lying around in open office space. To this end, he/she defines a control requirement that all employees must be properly instructed on a regular basis by their respective superior. If the control fails and someone leaves personal data on the desk while away, who is accountable?
Another example is a control requirement for an IT application saying that personal data may only be accessible to a certain user group. If the control fails and other users can also access the data, who is accountable?
In both cases, one could say that it is never the data privacy officer who is accountable, but rather the individual who failed to comply and his/her direct superior. This would put the data protection officer in a comfortable position, out of the line of fire if personal data are leaked.
Another answer could be that the data privacy officer is accountable for the failures. But how can that be if he/she does not implement the controls? Would it be fair to judge him/her on that?
Following the CEO principle, I think that the data privacy officer should be the one accountable. If he/she has an effective program in place to ensure overall effectiveness of his/her control environment, isolated incidents will not hurt him/her.
Read Dirk Lehmann and Frank van Vonderen’s recent Journal article:
“Auditing Global Compliance of Data Protection Mechanisms,” ISACA Journal, volume 6, 2011