Interview with Paul-Olivier Gibert, President of AFCDP

Published on by Paloma SIGGINI - updated on

"The regulation is a CISO problem because it deals with personal data protection and container protection."

How are companies dealing with the arrival of the European IS security regulation?

First, we have to know whether adapting to the European regulation is a question of information security. Is it a CISO problem? Yes and no. Yes, because it addresses personal data protection and container protection. But it goes well beyond that. The issue will be dealt with at the highest corporate levels because the fines for infractions are very steep (up to 4% of global sales) and it deals with personal data which are increasingly essential for many organisations to function.

What about the DPO?

This will be an essential position in all organisations that process a lot of personal data. It attracts many people because it's an independent position and reports to the Executive Committee and General Management. This can lead to conflicts. A bit like when CISOs wanted to become Security Directors. It's a position that requires knowledge of the regulations and good knowledge of data: both personal data protection and how this data is used. It will become particularly important for Big Data projects when data go to third parties through API.

Who can become DPO? Are CISOs a legitimate choice for this position?

I think that CPOs are the closest to DPOs because they know the regulations and have learned to convey the messages. The AFCDP has been active at the European level since the publication of the commission's project and provides its members with a framework that will help them become effective DPOs. The European regulation has the same perspective as existing texts. We estimate that there could be between 10 and 20 000 DPOs, 2.5 times the number of CPOs. Some CISOs want to become DPOs, but it's not that simple. It involves responsibilities that expose the person in charge. That person has to take the message to his or her organisation and beyond, even if it means clashing with the Executive Committee. Are CISOs ready for that? In any case, a CISO becoming a DPO should be considered a career advancement, not just an additional task in their current position.

Latest publication

Alsid is the winner of the 2017 Innovation Prize to be presented at Les Assises de la Sécurité on Thursday 12 October following the plenary conference. 

Read more