# DPO vs CISO — Role Differences and Conflict of Interest

> What is the difference between a DPO (Data Protection Officer) and a CISO (Chief Information Security Officer)? Can the same person serve both roles? Conflict of interest, role separation, and Amendment 13 to the Israeli Privacy Protection Law. Practical guide with RACI matrix and examples.

**Canonical:** https://dpoisrael.com/en/learn/dpo-vs-ciso/  
**Locale:** en-IL

---
Both roles sound similar. Both are "information officers". But in practice they are **from different worlds**: the **DPO** (Data Protection Officer) deals with _data subject rights_ and privacy law; the **CISO** (Chief Information Security Officer) deals with _protecting information assets_ against cyber threats. This is a practical guide with a comparison, a RACI matrix, and an answer to the question: _can both roles be held by the same person?_

## DPO vs CISO — quick facts

- **DPO:** Privacy role (Amendment 13)
- **CISO:** Security role (2017 Regs)
- **DPO reports to:** Direct to management, independent
- **CISO reports to:** CTO / CEO / Audit Committee
- **Same person?:** Only in small org without conflict of interest
- **Mid-size org:** Two separate roles
- **Outsourced:** DPOaaS + CISOaaS or combined GRC
- **Large org:** Both internal

## Nine dimensions of difference

| Dimension | DPO | CISO |
| --- | --- | --- |
| Primary role | Protect rights of data subjects and their privacy | Protect organizational information assets |
| Legal basis | Amendment 13 to Privacy Protection Law | 2017 Security Regulations, ISO 27001, banking management |
| Reporting | Direct to management, independent | Reports to CTO / CEO / Audit Committee |
| Expertise | Privacy law + data processing + regulation | Cyber + security + infrastructure |
| Daily task example | Reviews new DPA, responds to access request | Analyzes intrusion alert, runs penetration test |
| Monthly task example | Performs DPIA for new project | Cyber risk review, patching oversight |
| External contact | Privacy Protection Authority | CERT-IL, Bank of Israel (banks), security vendors |
| Independence requirement | Built-in — cannot be decision-maker on processing | Required but less strict |
| Mid-size org model | Outsourced (DPO as a Service) | Internal or outsourced (CISOaaS) |

## Responsibility matrix (RACI)

Who is accountable for what? In a mid-size organization with a separate DPO and CISO, here are 12 typical tasks and how responsibility is split between them. **R** = Responsible (executes), **A** = Accountable (ultimate owner), **C** = Consulted (advises), **I** = Informed (kept aware).

| Task | DPO | CISO | Other |
| --- | --- | --- | --- |
| DPO appointment and Authority registration | R | - | CEO: A |
| Personal data asset mapping | R/A | C | IT: C |
| Information security program | C | R/A | IT: R |
| SaaS vendor agreements (DPA) | R/A | C | Legal: C |
| Security incident — Authority notification | R/A | C | CEO: A |
| Security incident — technical investigation | C | R/A | Forensics: R |
| Employee training — privacy | R/A | C | HR: C |
| Employee training — cyber security | C | R/A | HR: C |
| DPIA for new project | R/A | C | PM: C |
| Penetration testing | I | R/A | External vendor: R |
| Response to data-subject request (access/correction) | R/A | I | IT: C |
| ISO 27001 work plan | C | R/A | Auditor: R |

## The conflict question — is it allowed?

### Is a CISO who is also the DPO a forbidden conflict of interest?

Opinions differ. The Israeli Privacy Authority issued a 2025 opinion that combining the roles is **allowed only in small organizations or where no conflict of interest exists**. In mid-size organizations and above, the CISO makes security decisions the DPO must oversee — a built-in conflict of interest.

### CEO / General Counsel / CIO as DPO

The Authority opinion explicitly disqualified such combinations in most organizations. The CEO makes all the decisions the DPO must oversee. The CIO is responsible for the systems the DPO audits. The GC sometimes represents positions the DPO must challenge.

### In a small organization — what does work

A small organization with 5-20 employees and no sensitive data at scale is usually not required to have a DPO at all. If one is required, the options are: (a) a combined CISO+DPO, only if the role-holder is not an operational decision-maker; (b) an external [DPO as a Service](/en/services/dpo); (c) a business partner who is independent of data-processing decisions.

### The "external DPO, internal CISO" model

This is the most common model in mid-size organizations: an internal CISO handles cyber and information security, while an external (outsourced) DPO handles privacy and law. The [GRC + Privacy package](/en/services/grc-privacy) offers both roles from one provider.

## Frequent questions — DPO and CISO

### Can a CISO be a DPO?

Theoretically — yes, in a small organization without conflict of interest. Practically — not recommended in most organizations. The Authority disqualified the combination in conflict-of-interest situations, and in mid-size organizations that is usually the case. Recommendation: two different people, or [combined CISO + DPO as a Service](/en/services/grc-privacy) when they are professionally coordinated but not the same person.

### What is the cost difference between the two roles?

Senior internal CISO: 45,000-70,000 ILS/month salary. Part-time CISOaaS: 8,000-25,000 ILS/month. Senior internal DPO: 40,000-60,000 ILS/month salary. DPO as a Service: 5,000-28,000 ILS/month. In a mid-size organization, both senior internal roles together come to 90,000-130,000 ILS/month; both outsourced, 13,000-50,000 ILS/month.

### Who handles a security incident?

Both, in coordination. The **CISO** handles the technical investigation: what happened, where, whether it is ongoing, and blocking it. The **DPO** handles the regulatory side: whether notification is required, drafting it, customer communication, and PR management. These are two non-interchangeable parts.

### Is there a profession combining both?

"GRC Specialist" / "Privacy and Security Consultant" are roles that have become popular in SaaS companies. In practice they perform both functions, but in an organization with clear accountability and a regulatory framework, two separate roles are required.

### What about ISO 27001 and ISO 27701?

ISO 27001 is the CISO standard (information security). ISO 27701 is the privacy extension of ISO 27001 (PIMS). The two standards require two complementary documentation systems. The CISO typically leads 27001, the DPO leads 27701.

### Do you have a CISO too?

We are DPOs. The CISO in our bench is a separate professional with deep cyber background. When combined service is needed — [GRC + Privacy package](/en/services/grc-privacy) offers both roles. We don’t offer CISO alone — when a client wants just CISO, we recommend trusted partners.

## Not sure which role you need?

A 30-minute call to understand your situation and help you choose.

[Book a call](/en/contact)
