
DPO and CISO collaboration: security and compliance

Make IT Safe

Data protection and IT security can no longer be handled in silos. In 2026, organisations still maintaining this split expose themselves to major financial penalties and critical security gaps. The growing number of regulatory frameworks (GDPR, NIS 2, DORA, AI Act) requires a structured, tool-supported DPO and CISO collaboration.

This convergence is not just an administrative constraint. It optimises budgets, avoids duplication and speeds up incident response. The DPO and CISO share a fundamental goal: protecting the company’s information assets. Their approaches complement each other naturally.

Who does what: scope and responsibilities

The CISO (Chief Information Security Officer) steers the technical security of the entire information system. They evaluate threats, deploy protection measures and manage incident response. Their approach covers the classic triad: Confidentiality, Integrity, Availability (CIA).

Concretely, the CISO:

  • Defines the security architecture (firewalls, antivirus, encryption)
  • Oversees systems monitoring (SOC, SIEM)
  • Coordinates security-incident response
  • Evaluates risks tied to IT suppliers
  • Trains technical teams on best practices

The DPO (Data Protection Officer) focuses on regulatory compliance for personal-data processing. They advise the organisation on GDPR implementation and ensure data-subject rights are respected.

The DPO works on:

  • Keeping the record of processing activities
  • Running Data Protection Impact Assessments (DPIAs)
  • Handling data-subject requests
  • Notifying breaches to the CNIL (the French data-protection authority)
  • Training business teams on data-protection stakes

These missions overlap naturally. A security incident can impact personal data. A DPIA requires a technical evaluation of protection measures. That is where collaboration becomes essential.

The impact of new regulations

NIS 2 considerably extends the scope of entities subject to cybersecurity obligations. It imposes technical and organisational measures that largely overlap with the requirements of GDPR article 32.

This regulatory convergence creates an opportunity: a single control can serve to demonstrate compliance across multiple frameworks. For example, deploying robust encryption meets NIS 2 system-protection requirements AND GDPR obligations on personal-data security.

DORA (Digital Operational Resilience Act) goes further by requiring financial players to manage IT and operational risks in an integrated way. The CISO can no longer steer technical resilience without coordinating with the DPO on customer-data protection.

This multiplication of frameworks makes manual management impossible. Organisations still clinging to Excel files to steer their compliance expose themselves to major errors and an unsustainable workload.

Lessons learned: when coordination makes the difference

Cdiscount case (January 2021)

An employee illegally copied customer data. The IT team quickly detected the anomaly thanks to the monitoring tools deployed by the CISO. The DPO was then able to notify the incident within the regulatory deadlines and document the measures taken. The penalty was kept moderate thanks to this coordinated response.

This case illustrates the importance of technical tooling. Without the CISO’s logs, the DPO could not have accurately evaluated the breach scope or demonstrated damage-limitation actions.

Dedalus Biologie case (February 2021)

500,000 patient records were exposed on cybercriminal forums, leading to a record €1.5-million fine. The problem was a coordination failure on supplier evaluation: the DPO had validated the contractual clauses, but no one had checked the technical reality of the provider's security measures.

This failure could have been avoided with an automated third-party audit process, jointly steered by the DPO (contractual angle) and the CISO (technical angle).

Discord Inc. case (November 2022)

€800,000 fine for inactive accounts that were not deleted and for failures to inform users. The problem was a coordination failure on data purging: the DPO knew the legal retention periods, but the technical teams had not implemented automatic deletion scripts.

Organising information sharing

Effective collaboration relies on simple but regular rituals. Not endless meetings, but weekly technical check-ins on critical topics:

Weekly incident check-in

  • Review of the week’s security alerts
  • Impact evaluation on personal data
  • Remediation-action follow-up

Monthly project review

  • New application validation (Privacy & Security by Design)
  • New supplier evaluation
  • Updates to the record of processing and risk map

Consolidated quarterly reporting

  • Security and compliance KPIs
  • Audit and corrective-action summary
  • Executive-leadership presentation

Using a collaborative platform breaks you out of email ping-pong. Every change in the record of processing is automatically notified to the CISO. Every new vulnerability identified is evaluated by the DPO for its impact on personal data.

Joint security-incident management

A security incident involving personal data triggers strict legal obligations: notification to the CNIL within 72 hours, informing data subjects when the risk is high, and full documentation of the event.

This requires precise coordination:

H+0: Detection and containment

The CISO takes the lead on the technical response: isolating compromised systems, forensic analysis, threat eradication.

H+1: Evaluate personal-data impact

The DPO analyses the information collected by the CISO to determine whether the incident constitutes a GDPR breach. They evaluate the number of data subjects, the data types impacted and the risks to rights and freedoms.

H+24: Notification preparation

The DPO drafts the CNIL notification using the CISO's technical analysis. It must precisely describe the security measures that failed, those that limited the impact, and the remediation actions.

H+72: Official notification

The notification is sent to the CNIL. The technical file consolidated by the CISO and DPO is the basis for any subsequent communication.

This coordination cannot be improvised. It requires documented procedures that are tested regularly.
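The timeline above can be kept as a shared clock that both functions read from. The following is an added example, not code from the page or from Make IT Safe; it assumes (the page does not say this) that each stage must finish before the next one starts and that the last stage closes at the 72-hour deadline, and it flags stages as done, late, overdue or pending at any point in time.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Stages of the joint timeline above: (name, owner, start hour after detection).
# Assumption not stated on the page: a stage must finish before the next starts,
# and the last stage closes at the 72-hour GDPR notification deadline.
STAGES = [
    ("containment", "CISO", 0),
    ("impact_assessment", "DPO", 1),
    ("notification_draft", "DPO", 24),
    ("cnil_notification", "DPO", 72),
]
NOTIFICATION_DEADLINE_H = 72

@dataclass
class BreachTimeline:
    detected_at: datetime  # H+0, timezone-aware
    completed: dict = field(default_factory=dict)  # stage name -> completion time
    def deadline(self, stage):
        """Deadline of a stage: start of the next stage, or H+72 for the last."""
        i = [s[0] for s in STAGES].index(stage)
        end_h = STAGES[i + 1][2] if i + 1 < len(STAGES) else NOTIFICATION_DEADLINE_H
        return self.detected_at + timedelta(hours=end_h)

    def status(self, now):
        """Map each stage to done / late / overdue / pending as of `now`."""
        out = {}
        for name, _owner, _start in STAGES:
            due, done = self.deadline(name), self.completed.get(name)
            if done is not None:
                out[name] = "done" if done <= due else "late"
            elif now > due:
                out[name] = "overdue"
            else:
                out[name] = "pending"
        return out

    def hours_to_notification(self, now):
        # Hours left on the 72-hour clock; negative once the deadline has passed.
        due = self.detected_at + timedelta(hours=NOTIFICATION_DEADLINE_H)
        return (due - now).total_seconds() / 3600

def example():
    # Constructed sample incident (not a real case): detected at 09:00 UTC.
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    tl = BreachTimeline(detected_at=t0)
    tl.completed["containment"] = t0 + timedelta(minutes=40)      # before H+1
    tl.completed["impact_assessment"] = t0 + timedelta(hours=30)  # after H+24
    now = t0 + timedelta(hours=48)
    return tl.status(now), tl.hours_to_notification(now)
```

In the constructed incident the impact assessment is flagged as late and 24 hours remain on the notification clock, which is the kind of shared indicator the weekly check-in and the incident file can both draw on.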

Pool supplier evaluation

Third-party management is a major challenge for both functions. GDPR requires evaluating processors’ ability to protect personal data. NIS 2 requires evaluating critical suppliers’ cybersecurity level.

Rather than running separate audits, DPO and CISO can pool their questionnaires:

Compliance questionnaire (led by the DPO)

  • Geographical location of processing
  • Retention periods applied
  • Data-subject rights procedures
  • Data-protection contractual clauses

Technical questionnaire (led by the CISO)

  • Security architecture (encryption, access, logs)
  • Backup and business-continuity policy
  • Security-patch management
  • Certifications held (ISO 27001, SOC 2)

Automating this process via tools like Make IT Safe lets you centralise responses and trigger periodic reassessments. No more manually chasing 50 suppliers every year.

The DPIA as a collaborative project

The Data Protection Impact Assessment (DPIA) perfectly illustrates the DPO/CISO complementarity. The DPO identifies the need for a DPIA and defines the legal framework. The CISO brings technical expertise to evaluate risks and propose protection measures.

Phase 1: Scoping (DPO)

  • Identification of personal data processed
  • Purposes and legal basis
  • Retention periods and planned transfers

Phase 2: Technical analysis (CISO)

  • Data-flow mapping
  • IS threat identification
  • Robustness of security measures

Phase 3: Collaborative synthesis

  • Residual-risk evaluation
  • Validation of mitigation measures
  • Final documentation and action follow-up

This approach ensures the DPIA doesn’t stay a theoretical exercise but rests on a rigorous technical analysis.

Move beyond manual management

Excel files have reached their limits. They can’t handle the growing complexity of regulatory obligations or guarantee the consistency of information shared between DPO and CISO.

Mature organisations adopt GRC (Governance, Risk & Compliance) platforms that centralise:

  • The GDPR record of processing
  • The cyber risk map
  • Audit and action-plan follow-up
  • Multi-framework compliance evidence

Make IT Safe answers this need by offering a consolidated view of security and compliance stakes. The DPO and CISO work on the same database, with access rights matching their respective responsibilities.

This centralisation automates a large part of the administrative work: regulatory report generation, automatic action-plan reminders, alerts when indicators drift.

Build a responsible-data culture

Awareness campaigns are a major stake for both functions. Rather than multiplying sometimes contradictory communications, DPO and CISO benefit from delivering a unified message.

Joint awareness campaigns

  • Phishing and personal-data protection
  • Password and confidentiality best practices
  • Secure handling of sensitive documents

Business-team training

  • Privacy & Security by Design in projects
  • Risk evaluation before any new processing
  • Daily security reflexes

This approach avoids employee fatigue from redundant messages and strengthens awareness-action impact.

Remove organisational obstacles

DPO/CISO collaboration sometimes runs into internal resistance. A few success factors to overcome it:

Executive support

Cybersecurity and data-protection stakes must be carried at the executive-committee level. Without executive sponsorship, initiatives stay fragile.

Clarify responsibilities

A RACI matrix (Responsible, Accountable, Consulted, Informed) avoids grey zones and scope conflicts.

Shared tools

Using a common platform removes the friction tied to file exchanges and contradictory versions.

Performance measurement

Shared KPIs (compliance rate, incident response time, supplier-audit coverage) give an objective measure of collaboration progress.

The future of data governance

Artificial intelligence is already transforming cyber-risk and compliance management. Tools that automatically detect sensitive data keep the record of processing up to date without massive manual intervention.

AI also helps analyse security logs to identify anomalies that could impact personal data. This automation frees up time for high-value-added work: business-team advisory, supplier negotiation, strategic thinking on data governance.

Digital sovereignty is becoming a major selection criterion. Entrusting vulnerability management and GDPR records to tools whose hosting you do not control raises obvious consistency questions. French and European solutions are gaining maturity and offer a credible alternative to US platforms.

Expected concrete outcomes

A well-structured DPO/CISO collaboration generates measurable benefits:

Shorter delays

  • Incident notification: from 5 days to 24 hours
  • DPIA delivery: from 3 months to 3 weeks
  • New supplier evaluation: from 6 weeks to 2 weeks

Better coverage

  • 100% of at-risk processing activities covered by a DPIA
  • 95% of suppliers evaluated annually
  • 0 incidents undetected beyond 48 hours

Cost optimisation

  • Pooled supplier audits (-30% on external costs)
  • Automated regulatory reporting (-50% on administrative load)
  • Reduced fines through better risk control