Why the CISO and DPO May Not Be Natural Substitutes

(This is a continuation of the previous article)

During recent discussions on the role of Independent Data Auditors, an interesting debate emerged regarding whether a Chief Information Security Officer (CISO) can effectively discharge the responsibilities of a Data Protection Officer (DPO).

The debate raises a more fundamental question: Do the objectives of the CISO and the DPO naturally converge?

Many organizations assume that they do because both functions deal with information. A closer examination, however, suggests that their primary objectives are significantly different.

The Objective of the CISO

The CISO is fundamentally responsible for protecting the organization’s information assets.

Traditionally, this responsibility is expressed through the principles of Confidentiality, Integrity, and Availability (CIA). The CISO seeks to ensure that information is accessible only to authorized persons, remains accurate and trustworthy, and is available when required.

The security architecture, access controls, monitoring mechanisms, logging systems, and incident response frameworks are all designed to support the business objectives of the organization.

The CISO therefore operates primarily from the perspective of organizational risk.

The Objective of the DPO

The DPO operates under a different mandate.

The DPO’s role originates from law rather than from business necessity. Under DPDPA 2023, the processing of personal data is expected to be aligned with the rights of the Data Principal, except in situations specifically exempted by law.

Questions such as:

    • Who may access personal data?
    • For what purpose?
    • For how long?
    • Under what authority?
    • Subject to what rights of correction, access, grievance, or nomination?

are driven not merely by organizational convenience but by the rights recognized under law.

While the DPO is appointed and compensated by the Data Fiduciary, the essence of the role is to ensure that the interests of the Data Principal are respected.

Where the Conflict Arises

The management of an organization naturally seeks to maximize business value from information assets available to it, including customer information wherever legally permissible.

The CISO supports this objective by ensuring that information remains secure and usable.

The DPO, however, must ask a different question.

Not “Can we use this data securely?”

but

“Should we be using this data at all?”

This distinction creates an inherent tension.

A security professional may advocate longer retention periods to support forensic investigations.

A privacy professional may advocate deletion once the original purpose is exhausted.

A security team may seek extensive monitoring to detect insider threats.

A DPO may question whether such monitoring is proportionate and necessary.

The conflict is not accidental. It is built into the governance framework.

Why DPDPA Recognizes Both Perspectives

DPDPA acknowledges that information security is essential and therefore recognizes several legitimate-use situations where security interests may justify processing.

However, the Act does not subordinate privacy rights to security objectives.

Instead, it attempts to balance both interests.

This balancing exercise requires an independent voice within the organization that is capable of representing the perspective of the Data Principal.

Conclusion

The most mature organizations recognize that the CISO and DPO are not substitutes for one another.

The CISO is the guardian of information assets.

The DPO is the guardian of privacy rights.

The Board must balance both perspectives.

When disagreements arise between the two functions, it is often evidence that the governance system is functioning properly. The tension between security and privacy is not a weakness. It is an essential mechanism for ensuring that organizational objectives do not inadvertently override the rights of individuals.

The next question that naturally follows is whether a similar tension should also be reflected in the DPDPA audit process itself.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Privacy.