Empathy… an Essential requisite of a good DPO

The functions of a Data Protection Officer (DPO) under the emerging Personal Data Protection Act (PDPA), includes the DPO being the single point contact for grievance redressal between the Data Principal and the Data Fiduciary.

In discharging this function, the DPO can chose to be like a post office receiving the grievance and passing it onto some body else in the orgnization for resolution. In that case he does not need to even understand what is the grievance and still call himself the “Contact Person”.

But the intention of PDPA is that the DPO is responsible for ensuring that the rights of the Data Principals is adequately met by the data fiduciary and if in any specific instance the data principal is not satisfied, he can contact the DPO for resolution. If the resolution is not satisfactory, the data principal can take the complaint to the DPA and seek adjudication.

It is the responsibility of the DPO therefore to try and understand the grievance and if possible try to provide a satisfactory resolution at his level itself so that the matter does not have to be escalated to the DPA.

In order to resolve such issues the DPO should be able to come down from his pedestal of a highly paid employee of an IT Company working in the AC cabin and moving around in a chauffeur driven car, and try to appreciate why a data principal is raising a query that he is wronged. It is quite possible that the data principal may be wrong. But the DPO still is responsible to ensure that the data principal is satisfied with whatever resolution he gets.

When the data principal is correct in his complaint, it may be easy to resolve since conflicts if any would be with other internal members all of whom are part of the super ordinate goal of compliance to PDPA.  But when the customer is wrong but is adamant that his right has been infringed, the situation is more challenging.

It is not always easy to deal with people who are wrong but donot know that they are wrong. It often happens when we deal with children who are adamant. A good parent always understands that the Child does not know as much as he/she and hence tries to come down to the level of the child to understand and resolve the issue in a manner in which the child understands. In such cases, we put ourselves in the shoes of the child and try to understand why he/she is adamant. This requires the parent to give up his ego and deal with the child as an equal, gain confidence and then slowly make him/her realise that the parent is providing some thing better than what he himself wanted.

This art of grievance redressal is often critical to any mediation. The ability to step into the shoes of another and understand his concerns and his views is  “Empathy” ,a human skill that is relevant for a good DPO.

Emotion researchers  define empathy as the ability to sense other people’s emotions, coupled with the ability to imagine what someone else might be thinking or feeling.

Two major kinds of empathy are often recognized namely the “Affective Empathy” and “Cognitive Empathy”.

“Affective empathy” refers to the sensations and feelings we get in response to others’ emotions; this can include mirroring what that person is feeling. This could be a dysfunctional response where one can feel stressed if the other is stressed.

“Cognitive empathy,” on the other hand is sometimes called “perspective taking,” and refers to our ability to identify and understand other people’s emotions. This is a positive characteristic of a good leader.

The DPO to be successful has to develop the Cognitive Empathy skills and avoid the affective empathy traits. When a complainant comes to you with a problem, being compassionate is one thing but getting lost in re-living the complainant’s distressed state is another and often, a problem.

An example which most of us might have seen is when a child is in some kind of a distress and the father and mother are both responding to the situation. The mother being compassionate to the suffering of the child starts crying and sobbing and the father contains his own feelings but immediately moves to do what is immediately necessary, such as picking up the child, rushing him to the hospital etc.

In a work situation also, HR managers often find themselves in such situations where they have to be sympathetic and show empathy with the people when they have some problems, but the solution may not be also become miserable themselves.

The “Counsellors” are often trained to react correctly in such situations where they are empathatic but not to the extent of reducing themselves to be mirroring the problems of others.

Understanding the principle of “Empathy” is relevant to appreciate the very definition of “Privacy Protection” itself since “Privacy” is a “State of mind” of another person and when we are trying to protect the Privacy, we are trying to give a feeling of assurance to the data subject that he feels that his privacy has been under his control only.

This principle of “Empathy”, how it differs from “Sympathy” and the benefits of “Cognitive Empathy” are behavioural skills that an effective DPO must posses.

(Comments are welcome)


Reference Article:

Importance and benefits of Empathy.


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Crisis Management…An Essential Skill of a DPO

The Corona Crisis is opening the eyes of administrators on the problems that one faces in a situation of crisis.  “Damned if you do and damned if you do not”  is the kind of response the administrators get from the people around us.

A similar crisis often confronts a DPO when the organization faces a “Data Breach”. Suddenly the media will pounce on you, the data subjects will bombard you with e-mails, the DPA will send you a notice, the CEO will shout, your peers will say “I told you so”, the Cyber Insurance company will send a notice, the customers will start reminding you of the indemnity clauses, CFO goes nuts….and  like the German minister who committed suicide not able to face the economic crisis created by the COVID 19,  the DPO will suddenly face a situation which could push any weak person into depression and resignation.

If the DPO speaks out without proper information he could raise the panic levels. If he speaks anything wrong, he can face liabilities for misleading… the problems appear endless.

The DPO in such a situation has to manage the internal and external communications and at the same time initiate necessary corrective actions, maintain the morale both of customers, data subjects and co-workers. This requires a special skill and maturity that most DPOs of the day have not been tested for. We know that our DPO is carrying different knowledge based certifications, has put-in years of service in reputed organizations, but we donot know how he may crumble when despite his honest and tireless work he would be accused by everybody of not being able to prevent the data breach and more importantly prevent the breach of the information of data breach to the media.

“Crisis Management Skill” is therefore an essential requisite of a good DPO.

“Crisis” by definition is an “Unexpected” event of  disruptive proportions exceeding the “Risk Estimates” that are normally considered for mitigation. It carries an existential threat to the organization, and requires an out of box solution to stem the adverse effect quickly.

No amount of policies and procedures would help unless the essence of such policies are ingrained in the thinking process of the DPO. Just as an aircraft pilot faced with an immediate crash cannot think of reading through a voluminous manual and have to take an immediate decision on what to do next, the DPO has to take a quick decision often without any consultation with his superiors.

This calls for a “Decision Making” skill which is part of a good leader. To be able to make a reasonable decision within the capabilities of the person, one has to remain calm and not get panicky. If the DPO gets panicky then he would reduce whatever decision making skill he may actually have. Many drivers who panic in an accident situation often press the accelerator instead of the bake and cause more harm than what they could have done had they simply removed their foot from the peddle even if they had not pressed the brake simultaneously.

“Crisis Prevention” is definitely a strategy to remember and all our Information Security measures and Data Protection regulations are aimed at preventing a crisis from developing. But some day somewhere we may face a situation where the risk mitigation efforts have failed and the crisis has emerged.

Now the option before us is how do we handle the post crisis situation.

The first step in post crisis handling is to identify and control those within and outside the organization who would only worsen the crisis by demoralizing everybody around. Hence the DPO should learn to identify such elements and ignore them. The management should also recognize the possibility that all those who were inimical to the DPO will now take their daggers out and start accusing the DPO. Hence a “Disaster Committee” has to be formed with the CEO, DPO being involved in every decision.

The second step is to ensure that no “Mis information” is spread. At the same time the organization should avoid both false denials as well as pushing the problem under the carpet. Measured communication to the stake holders is of utmost importance. Setting up a Disaster information center to be a single source of contact for the public to know the impact of the disaster is also essential to prevent rumours being spread. Since the DPO’s email could be flooded in such a scenario, immediate technical measures to ensure that the load is disbursed to a back end support team to sift the queries and develop standard approved responses need to be organized.

If necessary the employees of the organization must be locked down in the sense that they should be prevented from communicating with the outside world about the crisis through a strict order whether some body cries out “Freedom of Speech” or “Privacy”. In a crisis situation, the rights of freedom of speech or privacy of the employees have to take a back seat.

It is only after such dousing of fire is attended to, can one focus on analysing the root cause, preventing further damage, making an impact assessment, reporting to regulators etc can take place.

To summarize, the requirements are

a) Stay calm and avoid panic

b) Lock down the systems and people from creating further damage

c) Set up a disaster center with a small number of decision makers like the CEO and DPO with support staff

d) Maintain balanced communication to the stake holders without deception or speculation

e) Ensure a single point information dissemination center to prevent rumors spreading

It is only after  these preliminary efforts that we can consider the “Data Breach Notification”, “Forensic Analysis” etc which are all necessary but need to be prioritized.

Decisive leadership skills including team building, taking tough decisions, absorbing personal risks, not being afraid of failure etc will be required besides the ingrained knowledge and culture that enables the DPO to respond even in sleep in the right direction.

At the end of it all, one can try to draw lessons from the crisis and share it as a knowledge base to address similar situation in future including prevention and monitoring. While we do recommend “Sanctions” for most of the data breach incidents, crisis some times requires a fresh look  since it may so often happen that the standard sanctions may require most employees to resign and go which may not be the solution for building a resilient organization for the future.

Recognizing this need, Naavi has designed the “Certified Expert Data Protection Professional” program to include a module on  behavioural skills required for a DPO. This will be part of the FDPPI’s plans for extending the current knowledge modules such as Module-I, (Indian Laws), Module-G (Global Laws) and Module -T (Technology). The other two modules namely

Module A (Audit) and Module B (behavioural skills) represent skills to be cultivated before some body can be called an “Expert” data protection professional.

At present Naavi’s Cyber Law College in association with FDPPI  is still building the base module of Module-I which focuses on the knowledge part of Indian regulations. Though the importance of behavioural skills and Audit skills are also part of the coverage in the base module, they will be expanded in the coming days with independent modules.



Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

To Be a Leader?… or To Be a Follower?

It is always a dilemma for every professional to decide what is more comfortable…chose to be a leader? or be happy to be a follower?

Obviously if every one is a leader, there would be chaos. So nature has decided that not all would aspire to be the leader. It is also good for the leader that when he occupies the leadership position, there will be some ready to stand in the next line.

A true leader is like an explorer. He often meets challenging situations which others have not seen. He can make mistakes and even get hurt. But as long as he is pursuing the right path and exercising due diligence, as well as being capable of standing up even if he falls down, he is sure to reach the destination ahead of others.

These leadership qualities are necessary for professionals who want to carve out a new path of progress for themselves which no body else have so for pursued.

The above reflections appear appropriate at this point of time as the undersigned pursues the creation of a new set of leading professionals in India  who can hold the mantle of  “Data Protection Professional” .

The course which leads to the conferring of the title “Certified Data Protection Professional”, by FDPPI, the leading Data Protection Organization in India is set to create another batch of qualified professionals who will be aware of the law which India is adopting for personal data protection.

Though some professionals are as lethargic as they have always been and would like to wait…and wait…until the law descends upon them and then scramble to acquire the knowledge, a set of forward-looking professionals have decided to start their learning today.

There is no doubt that we are looking at a dynamic law and it will change in time not only because the final act will adopt some changes from the Bill which is currently being discussed, but even otherwise with the changing perceptions in the environment of What is Privacy?, How can Privacy be protected by Personal Data Protection?, What should be the Rights of the Data owners?, What should be the obligations of the Data handlers? What should be the exemptions to be given for industry and the Government… and so on.

FDPPI ensures that all those who are now opting to take up their certification course will be provided guidance to be made aware of any changes that may occur in the law when the Act is passed….

So the professionals who are currently pursuing the Course second batch of which will commence (Online) on April 4th, will be the early torch bearers of the knowledge of Personal Data Protection Act as it unveils in India.

We welcome all these early adopters who would be the foundation members of the Data Protection Professional community in India.

(P.S: Contact Naavi for more details)


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Certified Data Protection Professional Course to be accelerated

The Course on Certified  Data Protection Professional (CDPP) being conducted with virtual classes from Naavi  was planned to be conducted over 6 weeks with one session each on Saturday’s and Sundays starting from April 4th.

In view of the lock down conditions in the country with most professionals working from home, it has been decided to complete the course of 12 sessions over 3 weeks instead of 6 weeks, by conducting two sessions per day on Saturday’s, and Sundays on April 4, 5, 11,12, 18 and 19th.

The sessions will be conducted between 11 to 12.30 AM and 3.00 to 4.30 PM on these days.

This program will be called Module-I which is about the Indian laws regarding data protection. This is the foundation module for all Data Protection Professionals. In the coming days, FDPPI will be conducting additional modules such as Module G (Global laws including GDPR), Module T (Technology for Data Protection), Module A (Data Audit) and Module B (Behavioural skills for DPOs).

FDPPI welcomes professionals interested in entering the Data Protection domain to make use of this opportunity to upgrade their skills and knowledge and be ready before the Companies will be  looking out for professionals with the right attitude, knowledge and skills to take over the responsibility as DPOs.


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Work From Home Undertaking

In continuation of the discussions on Work From Home requirements and keeping with the spirit of CLCC (Cyber Law Compliance Center), we are adding a draft Employee undertaking that is recommended to be taken for Work from home implementations.

Suggestions are welcome. FDPPI is also working on refining the undertaking as may be required.

The Undertaking suggested is as follows:


Employee Undertaking for Work From Home provided to ………. (The Company)

I, …………………………………………., working as ………………………………………….. at ……………………………………… hereby undertake as follows.

Where as

-a pandemic situation has arisen in the with the outbreak of COVID 19 virus,

-the Government of India has placed certain restrictions on the movement of people in the general interest of public safety,

– the requirement to work from home has arisen out of a public safety requirement,

– the Company has proposed that I shall be allowed to continue to work from home without physically attending the office,

– I as an employee of the company is responsible for the conduct of my activities in complete support of the information security requirements that are adopted by the company both as part of the legal compliance requirements as well as the industry best practices

In consideration of the company agreeing to permit me to work from home and continue to pay my emoluments as if I work from the premises of the Company as I was hither to working,

I voluntarily agree and abide that I am in receipt of a copy of the “Work From Home, Rules 2020” (WFH rules), a copy of which is enclosed in Schedule I and have understood and hereby agree to faithfully follow the instructions contained there in.

In compliance of the WHF rules, during the period this undertaking is in force, I agree that

    1. I shall perform my company work only using the designated computer systems as recommended by the Company, particulars of which is available under Schedule II,
    2. I agree to consider that the designated system/s mentioned in Schedule I as belonging to the Company whether the hardware was purchased by the Company or by myself, and will be considered as the extended computer network of the company
    3. The designated systems would be used in a physical environment which would be considered as the “Extended Office Space” of the company.
    4. The Company may monitor my activities on the system as part of the information security requirements of the Company
    5. The Company may audit my physical and computer facilities as it may find it necessary.
    6. I will personally undertake the responsibilities of maintaining the physical, logical and data security measures in respect of the use of the designated systems that will be required to meet the obligations of the company to its customers and the regulatory authorities.
    7. I will personally undertake that I shall not use any unlicensed software on the device for carrying on any activities of the Company.
    8. I shall at all times be available for communication through e-mail: …….. and mobile number…………….. and authorize the company to contact me.
    9. In the event that I need any clarifications on any of the above, I shall get in touch with the designated coordinator of the Company at e-mail:………………………………….,
    10. In the event that I contravene any part of this undertaking, I shall be liable for necessary disciplinary actions as per the policy of the company.

This undertaking shall be operative immediately until it is cancelled by the Company and  acknowledged through e-mail or otherwise.

Signed by:




Schedule I: Work from home procedure 2020

Schedule II: Detailed of designated systems for use of the employee


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Security in a Work From Home situation

The current crisis created by the Corona virus and the lock down has forced most companies to permit their IT workers to work from home. This has simultaneously created issues in meeting the security requirements related to the operations and also the policy corrections that needs to be made. The two are inter related.

Some of the large companies had already enabled BYOD on their network. Some of them might have also moved to Zero Trust Architecture linking access to device identity and user identity possibly with multi factor authentication. Such companies have allowed the registered devices (Laptops or Desktops) to be carried home so that they can log on to the corporate network as securely as they were otherwise doing except that they will be coming through a public internet access instead of an internal network.

However there is a need to ensure that the working environment within the house is as secure as it can be as per the physical security policies that the organization would be currently adopting. There is no physical guard to prevent entry of unauthorised persons into the work room, there is no guarantee that the worker has not allowed his friends to look over his shoulder on what he is doing and also his network being compromised in some manner.

Some of these issues has to be controlled by making the employee responsible for the physical security as if he is the guard himself. An undertaking to this effect has to be taken along with the awareness training that is required to make the individual realize that the company is today an “Aggregation of Each of its employees” and each work unit represents the employee and his working computer along with its surroundings.

Every employee should be asked to take a video of the surroundings under which he works and register it with the company.

The Company may declare that the surroundings under which the person works will be the “Work place” and “Belongs to the Company”. The work space therefore becomes the extended work space of the organization and the employee continues to work within the “Premises”. The only difference is that the “Premises” has dis-integrated and moved to different locations.

In a way the “Virtualization” concept gets re-defined by virtualization of the work space surrounding the virtual data space.

If possible, the Company should incorporate this in the Work From Home (WFH) Policy.

The Company should also declare in the WHF policy that until further notice the employee would be the  IS manager for his work environment and would be personally responsible for any data breach arising out of his negligence.

In order to enable the individual to understand his IS role, an immediate training of the broad requirements of the employee in his extended role should be provided.

If the working person and work place is secured from intrusion, then the device security can be handled through appropriate software devices that create a secure connectivity and also enabling the centralized IS team to audit each device remotely to ensure that the individual has not compromised the configuration that has been set by the company.

If the devices used are enabled with audio and video capabilities, the security agent should be enabled for auditing the environment by randomly taking a snap of the employee and listening to sounds captured by the device to ensure that no third party is shoulder surfing.

Yes..this is spying on the employee… not permitted under Privacy considerations…but essential in the extraordinary circumstances in which we are now functioning.



Print Friendly, PDF & Email
Posted in Cyber Law | 2 Comments