Role of CISO Vis-a-Vis DPO

The regulatory recognition given to the DPO as custodian of the trust of Data Principals, supported by the role of the Independent Data Auditors who are assigned the role of being the eyes and ears of the DPB, has placed a question mark on the future role of the CISO in an organization vis-a-vis the DPO.

The CISO is today the custodian of data in a company, which includes both Personal Data and Non-Personal Data. The regulatory statute for data has been the ITA 2000, and the regulatory body is CERT-In. When a data breach happens, notification is required to be made to CERT-In, and any individual who has suffered a loss may seek compensation from the Adjudicator.

With the advent of the DPDPA, the DPO assumes charge as the custodian of Personal Data and the Data Protection Board assumes the role of the adjudicator. Personal data breach notifications will go to the DPB. The DPO is expected to report to the Board.

The role of the DPO is a little ambiguous under the law.

The DPDPA states that the DPO shall “represent the Significant Data Fiduciary under the provisions of this Act”, but for what purpose is not clear. He will be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary. Again, what that responsibility is, is not clear.

What is clear is that he will be based in India and will be the point of contact for the grievance redressal mechanism under the provisions of this Act. The rules do not go beyond requiring that the DPO's business contact be provided.

However, under DGPSI, the role of the DPO is identified as:

“A Person who is an employee and is responsible for the implementation of technical and organizational measures for compliance and also representing the organization with the outside world including being responsible to answer the queries of any data principal.”

If we adopt this definition, the DPO will be the custodian of personal data in the organisation, which includes the personal data of employees and outsiders.

Thus an organization will have two custodians of data, the CISO and the DPO. Management therefore has to clearly identify their respective roles so that there is harmony in their functioning.

If the DPO is mandated by law to report to the Board and the CISO is not, then it appears that the DPO will have a status higher than that of the CISO.

On the functional side, it appears that information security threats are the consequences of privacy threats. In other words, the risk of identity theft of employees and customers leads to the risk of cyber attacks and thereafter to the losses that the ITA 2000 tries to address.

Hence protection of Personal Data is a condition precedent to protection of Non-Personal Data.

This could indicate that the DPO's role is more fundamental than that of the CISO.

In the era of AI and synthetic identity threats, protecting the personal data of employees and preventing frauds committed through fake AI-generated personas is part of the responsibility of the DPO. These could be high-end technical issues which a DPO may not find easy to digest.

In this scenario, the need for the DPO and the CISO to work in unison becomes critical.

While some organizations may try to avoid conflict by designating the CISO himself as the DPO, this appears to be incorrect, since the DPO is a fiduciary of a fiduciary and is responsible to the Data Principals as well, while a CISO is an internal soldier whose job is to protect the organisation. The two have to be considered distinct; there will be conflict in their purpose and end objective.

Hence management needs to resolve this issue to ensure that the two senior executives function in harmony. The DGPSI system, under which both report to a Governance Committee headed by an Independent Director, is a step that creates equality of status between the two senior executives.

Are there better ways of structuring the organization? Comments are welcome.

Naavi


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.