Personal Data Protection and the Role of the DPO and CISO
By Marketing Intervalle
2024-05-09

Introduction to Personal Data Protection

Law 18-07 marks a significant turning point by imposing a strict legal framework for the protection of personal data. It aligns Algeria with international standards such as the European GDPR, and severe penalties are provided for non-compliance. Organizations must therefore review their data governance, and data controllers must adapt quickly: they must appoint data protection officers (DPOs), and CISOs and other IT/cybersecurity auditors are also involved.

The Role of the DPO in Personal Data Protection

In the context of new regulations on personal data protection, the function of the Data Protection Officer (DPO) has become crucial. Established by law, it plays a central role in ensuring the compliance of organizations. The responsibilities of the DPO cover a wide legal, organizational, and technical field.

Advice and Control for Compliance

One of the main missions of the DPO is to inform and advise the organization on its legal obligations, identify risks, and help it understand complex regulations. The DPO also verifies that the legal provisions are actually observed, particularly regarding the lawfulness of processing operations, the required declarations, and the required authorizations. This dual role of advisor and controller makes the DPO a key player in data governance.

Documentation and Mapping of Data

The DPO is also responsible for establishing and maintaining the internal documentation required by law: records of processing activities, data protection impact assessments, internal procedures, etc. This central mission allows the DPO to map all personal data processing operations carried out by the organization and to ensure their traceability.

Training and Awareness of Personal Data Protection

For sustainable compliance, the DPO must ensure continuous training and awareness of teams on data protection issues. By spreading a data protection culture within the organization, the DPO helps anchor good practices in daily work.

Cooperation with the National Control Authority

Finally, the DPO cooperates closely with the national control authority. The DPO is the primary point of contact during checks and when a data breach must be notified. Carrying out this strategic mission effectively requires independence, specialized expertise, and the ability to influence decisions within the organization.

The Role of the CISO in Personal Data Protection

The CISO and IT/cybersecurity experts are responsible for implementing a security policy suited to protecting personal data. They must define and deploy a policy adapted to the risks and challenges of the organization, following recognized good practices (security principles, reference frameworks, certifications, etc.).

Ensuring Confidentiality, Integrity, and Availability of Data

The cornerstone of this policy is ensuring the confidentiality (access controls, encryption, etc.), integrity (anti-malware, backup, etc.), and availability (redundancy, testing, etc.) of the personal data processed. A risk analysis and threat management approach must also be implemented.

Detection and Notification of Personal Data Breaches

Another strong requirement is the ability to detect possible personal data breaches:
  • Personal data breaches can take various forms: leaks, losses, or unauthorized access to data.
  • Monitoring and log analysis processes make it possible to detect suspicious or abnormal activity on IT systems.
  • Each personal data breach must be assessed for its criticality.
  • Organizations must notify personal data breaches to the ANPD and to the persons concerned.
  • Transparency towards the persons concerned, and their trust, are key elements in the management of personal data breaches.
In practice, this means assessing the criticality of each breach and notifying the control authority and the persons concerned in a timely manner. Robust monitoring, log analysis, and incident management processes will be essential.
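The detection and first-assessment steps above can be illustrated with a small log-analysis routine. This is an added example, not code from the original article or from any product it mentions: the audit-log format, the field names, the thresholds (bulk access, business hours, sensitive categories) and the criticality scale are all assumptions chosen for the illustration, and the log lines are constructed.

```python
"""Added example (not from the original article): detect suspicious access to
personal data in an application audit log and give each alert a first
criticality rating, as input to the breach assessment and notification process.
Log format, thresholds and criticality scale are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log, one access event per line:
# timestamp user action record_count data_category
SAMPLE_LOG = """\
2024-05-08T09:12:01 alice read 3 contact
2024-05-08T09:40:22 bob read 1 contact
2024-05-08T23:05:10 carol export 5200 health
2024-05-08T10:15:44 alice read 2 contact
2024-05-08T02:30:00 dave login_failed 0 none
2024-05-08T02:30:05 dave login_failed 0 none
2024-05-08T02:30:09 dave login_failed 0 none
2024-05-08T02:31:00 dave export 800 financial
"""

BULK_THRESHOLD = 500                 # records per single action (assumption)
BUSINESS_HOURS = range(8, 19)        # 08:00 to 18:59 (assumption)
SENSITIVE = {"health", "financial"}  # categories treated as high impact (assumption)
FAILED_LOGIN_LIMIT = 3               # consecutive failures before a success is flagged


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    count: int
    category: str


@dataclass
class Alert:
    user: str
    reason: str
    records: int
    category: str
    criticality: str


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count, category = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, int(count), category))
    return events


def assess_criticality(records: int, category: str) -> str:
    """Rough first rating: sensitive categories or very large volumes are high,
    bulk volumes of ordinary data are medium, everything else low."""
    if category in SENSITIVE or records >= 5000:
        return "high"
    if records >= BULK_THRESHOLD:
        return "medium"
    return "low"


def detect(events: list[Event]) -> list[Alert]:
    """Flag bulk access, access outside business hours, and successful actions
    that follow a run of failed logins for the same account."""
    alerts = []
    failed = defaultdict(int)  # consecutive failed logins per user
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login_failed":
            failed[ev.user] += 1
            continue
        reasons = []
        if ev.count >= BULK_THRESHOLD:
            reasons.append("bulk access")
        if ev.ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if failed[ev.user] >= FAILED_LOGIN_LIMIT:
            reasons.append("after repeated failed logins")
        failed[ev.user] = 0  # any successful action resets the failure run
        if reasons:
            alerts.append(Alert(ev.user, ", ".join(reasons), ev.count, ev.category,
                                assess_criticality(ev.count, ev.category)))
    return alerts


def needs_authority_notification(alerts: list[Alert]) -> list[Alert]:
    """Alerts rated medium or high are handed to the DPO for notification review."""
    return [a for a in alerts if a.criticality in ("medium", "high")]


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.user}: {a.reason} ({a.records} {a.category} records) -> {a.criticality}")
```

The thresholds are deliberately simple; in a real deployment they would come from the risk analysis mentioned above, and the criticality rating is only a first triage that the DPO refines before deciding on notification.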

Securing Transfers and Externalization of Personal Data

Transfers of personal data to third countries will also receive special attention, with reinforced security requirements:
  • Encryption of personal data
    • Encryption renders data unreadable to anyone who does not hold the decryption key.
    • It protects data against unauthorized access.
    • It is essential for securing transfers of personal data to third countries.
  • Contractual framework
    • Specific contracts with data recipients.
    • Definition of the processing conditions and of the confidentiality and security obligations.
    • Important for securing transfers of personal data to third countries.

Coordination Between the DPO and the CISO

To meet these challenges, the CISO must rely on a multidisciplinary team of technical experts: application, system, network, and infrastructure security, penetration testing, identity and access management, etc. A defense-in-depth approach and permanent vigilance will be essential. By coordinating closely with the DPO, the CISO will play a central role in deploying and maintaining a high level of security for personal data processing within the organization.

Conclusion

Ultimately, law n° 18-07 of 25 Ramadhan 1439 on personal data protection imposes strict requirements on organizations. To comply and avoid heavy penalties, robust governance must be put in place around three key players:
  • The data protection officer (DPO)
  • The Chief Information Security Officer (CISO)
  • IT/cybersecurity experts
This complementarity between legal expertise and governance on the one hand and operational security on the other will be essential. Close coordination and a shared understanding of the challenges by the DPO, the CISO, and IT/cybersecurity experts will be the keys to success. Organizations that manage to bring these different profiles together in a sustainable way will be able to prevent major sanction risks while turning personal data protection into a genuine competitive advantage and a source of trust.