American Cyber Security Management

Secure and certify all your data and processes


DPO Roles and DPA Rulings

March 27, 2025 By Carlin Dornbusch

Many companies are trying to do more with less these days. In some cases, they have existing staff play multiple roles in the company. When managing your Privacy Program, you need to be especially careful that the DPO role does not conflict with the other duties of the person filling it. A case in point is the recent (March 14, 2025) decision of the Data Protection Authority (DPA) in Norway on exactly this issue at a local business, Telenor.

Summary of Findings from the Norwegian Data Protection Authority’s Decision on Telenor ASA

The Norwegian Data Protection Authority (Datatilsynet) conducted an inspection of Telenor ASA’s compliance with GDPR requirements for Data Protection Officers (DPOs) and organizational measures. Here are the key findings and implications regarding internal counsel serving as DPO:

Key Findings and Violations

  • Article 37 (DPO Designation):
    • Telenor ASA failed to document its assessment of whether it was obligated to appoint a DPO
    • The company’s record of processing activities was incomplete and inconsistent
    • The DPO’s contact information was not properly published (Article 37(7))
  • Article 38 (DPO Position):
    • The DPO lacked a direct reporting line to the highest management level (Article 38(3))
    • Resources allocated to the DPO were insufficient (Article 38(2))
    • Independence and conflict of interest concerns were not properly addressed
  • Article 24 (Organizational Measures):
    • Inadequate policies and organizational measures to ensure GDPR compliance
    • Unclear division of controllership responsibilities
    • Lack of documented procedures for DPO involvement

Internal Counsel as DPO – Requirements and Challenges

The decision addresses whether an internal counsel can serve as DPO. While not prohibited, several significant requirements must be in place:

1. Clear Distinction Between Roles

  • The job description must clearly distinguish DPO duties from legal counsel duties
  • The roles must be formally separated with distinct responsibilities and reporting lines
  • Using a separate email address for DPO matters is necessary to differentiate functions clearly

2. Independence Safeguards

  • The DPO must be able to provide independent advice that may conflict with business interests
  • The supervisor-trainee-lawyer relationship can potentially compromise independence
  • Potential conflicts of interest (including share ownership) must be specifically assessed and documented

3. Resource Allocation

  • Sufficient time must be allocated for DPO duties – the 50% FTE allocation was found to be insufficient
  • The DPO should not face competing priorities between legal counsel work and DPO responsibilities
  • The DPO should have access to necessary resources without having to request them from direct superiors

4. Reporting Structure

  • A direct reporting line to the “highest management level” must be established and documented
  • This reporting line should allow the DPO to bypass intermediate management levels when necessary
  • The reporting structure must be formalized in policies, not merely described in presentations

Conclusion

While internal counsel can serve as DPO, Datatilsynet found significant challenges in combining these roles. The decision highlights that:

  1. It’s not automatically prohibited for in-house legal counsel to serve as DPO, but robust safeguards must be in place to ensure independence and prevent conflicts of interest.
  2. The combination requires clear organizational separation, adequate resource allocation, direct access to top management, and formal policies documenting these arrangements.
  3. The company must assess and document potential conflicts of interest, including how the professional dependency relationship related to legal career development might affect DPO independence.
  4. The Norwegian authority expressed serious doubts about whether an Associate Lawyer position can be effectively combined with the DPO role, given the inherent tensions between these functions.

You can read the whole story here: https://www.datatilsynet.no/en/news/aktuelle-nyheter-2025/sanctions-imposed-on-telenor-asa-for-lack-in-the-organisation-of-the-data-protection-officer-and-lack-of-internal-control/

ACSM has been helping businesses protect their assets and improve their security and privacy posture since 2006. Our skilled team can help your business understand its cyber weaknesses and potential threats as well as improve your security, privacy, and compliance postures. Our services include penetration testing, maturity assessments, cyber security, and privacy implementation assistance, CISO-as-a-Service, and DPO-as-a-Service, to mention a few.
To learn more about how ACSM can help support your cyber defense needs, please use our contact page https://www.americancsm.com/contact-us/ and schedule a free consultation call today.

Filed Under: Cyber Security News

Announcement – AI Readiness Assessment

February 19, 2025 By Carlin Dornbusch

We at American Cyber Security Management are happy to announce the release of our newest offering: AI Readiness Assessment.

You can read more here: https://www.americancsm.com/artificial-intelligence-readiness-offering/

The benefits can be substantial as businesses begin using AI, both consciously and unconsciously. The risks and issues can be just as detrimental and long-lasting. Accelerated AI adoption carries as much risk of harming others as it does of failing through a lack of strategic vision and follow-through.

We are seeing AI being successfully applied to many use cases:

  • IT/Security
  • Marketing
  • Customer Service
  • Manufacturing

Being prepared for AI adoption can help business units be more efficient with the application of the technology, ensure proper use of AI, and help the business remain compliant with upcoming regulations.

Our AI Readiness offering can provide the following benefits:

  • Knowledge of your AI responsibilities
  • A custom approach/roadmap for AI compliance
  • Testing of your Privacy and Security Programs
  • Access to our unique AI talent team

We might even find data sets that are already being used by AI. Our offering gives the business a roadmap for proper AI utilization with the lowest risk.



2025 Data Privacy Day

January 28, 2025 By Carlin Dornbusch

Happy Data Privacy Day!

Did you know Data Privacy Day has been celebrated in the U.S. since 2008, and the U.S. federal government made it official in 2011?

It is a good time to reflect on the principles of GDPR, which have now become the core privacy principles all businesses should follow for Data Privacy:

  • Lawfulness, fairness, and transparency: Personal data must be processed in a lawful, fair, and transparent manner. 
  • Purpose limitation: Personal data can only be collected for specific, legitimate, and explicit purposes. 
  • Data minimization: Personal data processing must be relevant, adequate, and limited to what is necessary. 
  • Accuracy: Personal data must be accurate and kept up to date. 
  • Storage limitation: Personal data should only be kept for as long as necessary to fulfill the purposes for which it was collected. 
  • Integrity and confidentiality: Personal data must be protected with integrity and confidentiality. 
  • Accountability: Everyone who processes personal data must be able to demonstrate compliance with the other six principles. 

And of course, here is just a reminder of some critical steps for businesses to take to protect their data:

  • Know how your data is collected
  • Know your data locations
  • Know your data types
  • Know where your data is going
  • Classify your data
  • Secure your data with encryption
  • Manage access to your data based on classification and roles
  • Delete data as it ages or becomes unnecessary
  • Utilize data deliberately



Building a Privacy-First Organization: Strategies for 2025 and Beyond

January 22, 2025 By Paul Herbka


In an era where data breaches and privacy scandals make headlines regularly, prioritizing data privacy is no longer just a regulatory necessity—it’s a business imperative. As we enter 2025, companies recognize that embedding privacy into the core of their operations is essential for building trust, protecting sensitive information, and maintaining a competitive edge. (Oh yeah, and it helps with compliance.)

Adopting a privacy-first approach means proactively addressing data protection at every level of the organization, from executive leadership to frontline employees. Here are the key strategies for embedding privacy into your business culture and operations in 2025 and beyond:

1. Develop a Privacy-Driven Culture

Building a privacy-first organization starts with cultivating a culture where privacy is valued by every employee. This requires:

  • Executive Buy-In: Leadership must champion privacy initiatives and allocate necessary resources.
  • Continuous Training: Regular, engaging training programs should ensure employees understand the importance of privacy and their role in maintaining it.
  • Transparent Communication: Create open channels to discuss privacy policies, updates, and potential risks, fostering a sense of collective responsibility.

2. Adopt Privacy by Design and Default

Privacy should not be an afterthought—it must be integrated into product development, IT systems, and business processes from the outset. This concept, known as “Privacy by Design and Default,” includes:

  • Data Minimization: Collect only the data you need and retain it for the shortest necessary period.
  • Default Protections: Ensure that the most privacy-protective settings are enabled by default in all systems and services.
  • Embedded Safeguards: Incorporate encryption, anonymization, and access controls into the design of new technologies and workflows.

3. Enhance Transparency and User Control

Customers and stakeholders increasingly expect transparency about how their data is collected, used, and shared. To meet these expectations:

  • Clear Privacy Policies: Draft policies that are concise, easy to understand, and regularly updated to reflect evolving regulations.
  • Consent Management: Implement robust systems for managing user consent, ensuring clear options for opting in and out of data collection practices.

4. Strengthen Data Governance and Accountability

A strong governance framework is vital for ensuring data privacy policies are consistently applied across the organization. Key actions include:

  • Appoint a Data Protection Officer (DPO): Designate a dedicated professional to oversee privacy initiatives and ensure compliance.
  • Conduct Regular Audits: Perform frequent internal and external audits to identify and mitigate potential privacy risks.
  • Establish Accountability: Clearly define roles and responsibilities related to data protection at every organizational level.

5. Stay Ahead of Regulatory Changes

Privacy regulations continue to evolve globally, with laws like GDPR, CPRA, CPA and new legislation emerging worldwide. To stay compliant:

  • Monitor Regulatory Developments: Dedicate resources to tracking changes in privacy laws and adapting your practices accordingly.
  • Participate in Industry Initiatives: Engage with industry groups and privacy coalitions to stay informed and share best practices.
  • Engage Legal Experts: Maintain close collaboration with legal teams to ensure policies align with current and upcoming regulations.

Conclusion

Building a privacy-first organization in 2025 is about more than just compliance—it’s about fostering trust, enhancing resilience, and positioning your company as a leader in data protection. By embedding privacy into the core of your operations and culture, you not only safeguard sensitive information but also build stronger relationships with customers and stakeholders. As privacy expectations continue to rise, forward-thinking organizations that prioritize privacy will thrive in the digital landscape.

Sounds like too much to do? Remember, we can support you in these efforts. We have a full privacy team with experts who live and breathe privacy and keep abreast of the changing laws. Please contact us via this post or visit: https://www.americancsm.com/


Thank You for a great 2024!

January 6, 2025 By Paul Herbka

Thank You for an Incredible Year!

As we close out 2024, we at American Cyber Security Management want to take a moment to express our heartfelt gratitude to everyone who has been part of our journey. Your trust, collaboration, and dedication have been the driving force behind our continued success.

To Our Valued Customers

Your confidence in us fuels everything we do. In a world where cybersecurity threats evolve daily, and privacy is constantly invaded, we know that protecting your business, data, and assets is paramount. Thank you for choosing us as your trusted partner in safeguarding what matters most. Your feedback, challenges, and trust push us to innovate, adapt, and constantly improve our services.

From large enterprises to small businesses, each client plays a crucial role in shaping our solutions and approach. This year, your resilience and commitment to strengthening your cyber defenses and protecting your data privacy have been inspiring. We are honored to stand alongside you, providing the tools, strategies, and expertise to keep your operations secure.

Thank you for allowing us to be part of your cybersecurity and/or privacy journey. We look forward to continuing to serve you in the coming year.

To Our Trusted Partners

Our partners play an integral role in our success and ability to offer comprehensive, forward-thinking solutions. Your collaboration and support enable us to expand our reach, enhance our offerings, and provide even greater value to our customers.

The strategic alliances we’ve built this year have driven new innovations and allowed us to tackle complex challenges head-on. Thank you for your unwavering support and shared commitment to advancing cybersecurity and privacy.

To Our Incredible Team

None of this would be possible without our dedicated staff. Your hard work, expertise, and passion for cybersecurity and privacy are the foundation of our company. Every project completed, every threat mitigated, and every client’s success is a testament to your dedication and skill.

Thank you for your relentless pursuit of excellence. Your efforts are shaping the future of cybersecurity, and we are incredibly proud of the work you do.

Looking Ahead

As we step into the new year, we are excited about the opportunities in 2025. Together, we will continue to push boundaries, strengthen defenses, enhance privacy and innovate to stay ahead of emerging threats.

From all of us at American Cyber Security Management, thank you for an incredible year. Here’s to a future of continued partnership, privacy, and security.



Copyright © 2026 American Cyber Security Management