Naavi.org

Building a Responsible Cyber Society…Since 1998

GDPR has changed the landscape of Cyber Laws by redefining their priorities. So far the concern of society was mostly "Preventing Damage to a Citizen" through Cyber Crime laws. This was achieved by defining certain actions as "Contraventions" and/or "Offences" and either imposing a "Civil Liability to pay compensation" or treating the act as a "Criminal Offence" in which the perpetrator would "Pay a penalty to the Government and face imprisonment".

"Unauthorized Access" to data was therefore treated as a Cyber Crime: a person who caused wrongful loss through an act that contravened the law could be asked to pay compensation, and the victim had to prove the extent of damage suffered. If the unauthorized access was intentional and had a "Malicious intent", it was considered a "Crime punishable with imprisonment and fine". Criminal action was a state action and intended to be a deterrent. Civil action was meant to recover the loss suffered by the victim.

When unauthorized access was accompanied by "Data Theft", "Data Deletion", "Data Modification", "Impersonation", "Cheating", "Profit making" etc., the crime was considered a higher order crime and the punishment could be harsher. But civil damages were always based on the actual loss suffered by the victim, which he was expected to prove during the trial.

The Cyber Crime laws focused on providing deterrent punishments that were commensurate with the gravity of the crime and easy grievance redressal procedures through fast court systems, simplified procedures etc.

India provided such measures through ITA 2000, in which "Adjudication" was provided as a fast Court system to compensate the victims of cyber crimes. ITA 2000 was representative of the first generation of Cyber Crime laws, where the target was to provide protection to a victim of Cyber Crime.

Out of necessity, the first generation Cyber Crime laws did address the responsibilities of an "Intermediary" and the need for the intermediary to take suitable "Due Diligence" steps to make it harder for criminals to benefit and, if they do, to provide suitable evidence to law enforcement to bring the culprits to book. Section 85 and Section 79 of ITA 2000 were meant for this purpose.

The second generation of Cyber Crime laws, represented by ITA 2008 (the amended version of ITA 2000), apart from defining more Cyber Crimes, was fundamentally different from ITA 2000 in its greater emphasis on the role of "Information/Cyber Security". For example, ITA 2008 introduced data protection clauses such as Sections 43A and 72A, providing civil and criminal penalties if "Personal/Sensitive personal data" is not protected adequately by a data processor, a term which included the Data Controller, the Data Consumer and any Data Collecting agent. There were also Data Retention provisions under Section 67C, and regulatory powers for different authorities under Sections 69, 69A, 69B and 70B, which represented the requirements of national security and law enforcement.

ITA 2008 was stringent enough in terms of "Non Compliance", but the penalties were not in the form of huge financial penalties that the regulator would collect; they were in the form of the long imprisonment terms that the Act provided for.

GDPR and UK DPA 2018 represent the third generation of Cyber Laws, where, more than the crime itself, prevention is considered the greater responsibility and intermediaries are subject to penalties that could be crippling.

GDPR raises a concern about the power of a "Supervisory Authority" to pursue administrative fines for non compliance of up to 4% of the total worldwide annual turnover of an undertaking (or EUR 20 million, whichever is higher, under Article 83(5)), an amount which bears no relation to the actual damage that the data subjects might have suffered due to the non compliance.

ITA 2008, on the other hand, provides for punishments of up to 7 years in the case of Sections 69 and 69A, 3 years under Section 69B and 1 year under Section 70B. The fines were in the range of up to Rs 1 lakh or left unstated.

Though the maximum criminal punishments under ITA 2008 are large, the Courts evaluate the crime and arrive at the actual punishment, both in terms of imprisonment and fine. Indian Courts provide enough opportunity for the accused to seek justice based on the actual facts of a case.

However, GDPR has now placed the power to impose a billion dollar fine in the hands of an executive authority, and that even in cases where the non compliance may be merely technical and may not result in significant damage to the citizens whose privacy right the regulation tries to protect.

It appears as if "Non Compliance" with a regulatory provision is a greater offence than an actual Cyber Crime in which somebody is cheated of a million dollars.

This is a wrong prioritization in the justice system, where the "Failure to implement Crime prevention" is considered a bigger crime than what the "Criminal" has committed.

It is like imposing a life term on a security guard who forgot to lock the gates of the godown from which a thief stole some valuables, while the thief himself is punishable with imprisonment of two or three years.

EU authorities may justify their action by stating that the penalty provision in the EU is just an enabling provision and would not be imposed in a manner that is unfair.

But was there any need to place such a stringent provision without checks and balances? It would have been better to leave the larger amounts of penalty to the Courts instead of the executive. GDPR has failed in this regard to be a fair legislation.

We may recall that ITA 2008 placed a Rs 5 crore cap on the power of the Adjudicator and left higher claims to the discretion of the Courts. But the EU did not provide for such checks and balances before indicating a threatening level of penalties.

It appears that the Regulators have started considering the penalty provisions as an opportunity for “Profiteering” rather than as a deterrent.

This could well be the tendency of the new generation of Privacy Protection Laws, which are actually one part of Cyber Crime laws, applicable only to the misuse of one type of data called "Personal data". Every data theft is also a cyber crime, and there is already a legal penalty for it. Administrative fines are just one of the penalties that may be imposed on an intermediary in respect of a Cyber Crime and should not ideally be more damaging than the punishments meant for the cyber crimes themselves.

Let's forget the European laws, since the EU is unmindful of the damage it is doing to its own business fabric through such crazy penalties. India is now considering its own Data Protection Law, which Justice Srikrishna is in charge of drafting.

We need to watch and see whether the Justice Srikrishna Committee will fall into the trap set by GDPR and the UK DPA 2018 and let data protection legislation overpower the Cyber Crime laws, or keep it as a subordinate law to the Cyber Crime law, as it normally should be.

Many suggestions have been made to the Committee in this regard, and we need to watch the developments so that India can show the world how to frame data protection laws which are fair to all stakeholders.

India should also remember that GDPR is a terrorist friendly and Criminal friendly regulation, and India cannot afford to toe its line. Hence the Right to Erasure must be avoided, and the Right to Restriction and the Right to Rectification should be moderated with appropriate data retention protections. These are required in the interest of national security, which GDPR has ignored but we cannot.

Naavi

GDPR Exclusion

Posted by Vijayashankar Na on May 26, 2018
Posted in Cyber Law
It is declared that Naavi.org follows the principles of Privacy protection under the Information Technology Act 2000, as amended from time to time, and where there is a conflict with any other international law or guideline, the provisions of ITA 2000 shall prevail.

In particular, Naavi.org does not subject itself to the administrative jurisdiction of GDPR, and any data subject who intends to be protected by GDPR and not by ITA 2000 shall not use any of the services of this site or its networked sites.

Any claims made under non-ITA 2000 statutes or regulations, regarding privacy protection or otherwise, are unacceptable and may be deemed maliciously intended.

Naavi


Tame the monster of GDPR

Posted by Vijayashankar Na on May 26, 2018
Posted in Cyber Law

GDPR came into effect yesterday, along with the UK Data Protection Act 2018. Together these pieces of legislation are completely changing the IT business landscape in India.

Already the Austrian data privacy activist Max Schrems has launched three complaints worth a total of Euro 3.9 billion against Facebook, WhatsApp and Instagram, through regulators in Austria, Belgium and Germany.

More such insane legal action will follow.

These actions elsewhere in the globe will also have ripple effects in India, which is the back end processing center for a large part of personal data processing. To a corporate entity they can be devastating. Defending such cases, particularly in foreign countries, could be expensive and would increase the cost of doing business.

Indian companies therefore need to be extremely concerned about the damage that motivated activists can do to their business, both to boost their own ego and as an instrument of blackmail.

While it is the legitimate right of any individual or activist to seek legal recourse for any grievance, real or imaginary, Courts and Regulatory authorities need to remember that the law is there for the benefit of people in general, and that "People" includes "Legitimate Business".

But we have to admit that when a prima facie case is made out, the Courts have no option but to launch a trial, and that itself is a burden on the business.

The first line of defense for companies is to present their case properly to the regulatory authorities so that unfair litigation is nipped in the bud.

Knowledge is the tool for such a defence, and every company, including its CEO and Directors, should be reasonably aware of the provisions of data protection laws so that they can ensure that their legal teams find appropriate solutions to problems that may arise.

I therefore urge the top management team in business to go through an awareness program for themselves before acting on the recommendations of different consultants or being swayed by the media, which will sensationalize most of the issues.

In this direction, Naavi has launched a new online training program on GDPR through Apnacourse.com. I hope it will be of use to companies in first acquiring a basic understanding of GDPR as a regulation and then taking steps toward compliance.

This online program may not be an end in itself, but it can be the beginning of a journey in understanding the intricacies of data protection laws that are essential to protect the existential interests of business.

Naavi


Today is 25th May 2018. The EU is still waking up to this D Day while India is already awake. There is no doubt that today will be considered a historic day in the Data Protection industry, since EU GDPR comes into effect from today.

Two years back the regulation was announced and the deadline was set. But most companies continued to be complacent. Naavi started actively urging the Indian industry to respond by first opening the Privacy Knowledge Center in September 2016, and following it up with the GDPR Knowledge Center in February 2017.

Since then several articles have been published under www.privacy.ind.in as well as www.naavi.org highlighting the positive and negative features of GDPR.

However, the industry woke up only in the last six months, when it saw the potential impact of the huge penalty for non compliance envisaged under the Regulation and the perception that it may become applicable even to entities outside the EU.

During the past one year, since India is itself discussing its own Data Protection law under the Expert Committee chaired by Justice Srikrishna, I have been urging the committee to ensure that the Indian data processing industry is provided a protective umbrella against the unreasonable penalties that may be imposed consequent to GDPR and the contractual commitments that Indian companies may undertake in their anxiety to preserve their business. I have also raised the concern that Indian shareholders of such companies may be adversely impacted if they sign uncapped indemnity clauses that provide for the transfer of their business partners' liability.

I have also expressed my displeasure that the EU has drafted the regulation in such a manner that it can be misunderstood as a global law and create a sense of fear amongst data processors outside the EU.

To some extent this sense of fear may not be warranted, and I am sure that if challenged, the EU will defend itself and say its law does not impose itself on other countries. But the fact is that perceptions sometimes cloud the reality, and if we survey Indian companies, we find that most IT professionals think that GDPR is mandatory for them.

In the meantime, the UK has come up with its own DPA 2018, which is perhaps of greater concern to Indian companies, since most Indian companies have established a physical presence in the UK, even as a base for business in the EU, and hence DPA 2018 is applicable to a much larger number of Indian companies. The UK law, by extending GDPR as part of its own law, creates some additional burden beyond GDPR.

All this means that the cost of IT business in India is going up, and Indian companies need to ensure that they do not take up GDPR compliance entirely at their own cost but try to load part of it onto their international customers.

While I have indicated that in order to effectively defend against the impact of GDPR (and now UK DPA 2018), the industry needs to organize itself, and SME data processors as well as Data Protection Professionals need to create some sort of collective bargaining power through self interest groups, I have also recognized that GDPR will be creating business opportunities of different kinds for professionals.

In all such situations, the first industry to benefit is the Education industry. In fact, the career of the undersigned itself took off with Cyber Law College when ITA 2000 was enacted, and consultancy was added later. Similarly, GDPR will also create opportunities for the training industry. Already we have seen people from the EU and some enterprising local professionals conducting training programs and charging a bomb. GDPR itself may give a further boost to some of them by creating a "Certification Mechanism" which will provide a false sense of privilege to some organizations established in the EU which can claim "Accredited with the Supervisory Authority of ...".

Naavi believes that what is important is "Education", through which we become more knowledgeable. Certifications will follow. Certification without transfer of knowledge is not going to benefit professionals and could actually create traps where a professional rises to his level of incompetence, as the Peter Principle suggests.

Naavi’s Cyber Law College in association with Apnacourse.com will be launching a training program on GDPR which will go online today to mark the formal coming into effect of GDPR.

(A Link to the course is available here)

The Course will contain about 7 hours of video lectures spread over around 18 modules. This will probably need to be updated from time to time, since this space is dynamic. Even the interpretations of GDPR itself will undergo some changes once the European Data Protection Board becomes more active. Just as we updated the Cyber Law Course on Apnacourse.com when major changes occurred, this course will also undergo updates from time to time. Presently the Course is being presented for knowledge enhancement. In due course Cyber Law College may introduce a certification of its own to provide recognition of "Course Completion" and of passing a "Basic Awareness Test".

Cyber Law College and Naavi, in association with Apnacourse.com and otherwise, will also be conducting offline corporate training programs so that awareness of GDPR is not a matter of deficiency in the Indian industry.

Implementation is of course a choice that industry players will have to make based on their own risk appetite. But I would like to caution the industry that they should not allow international competitors to use a lack of awareness or compliance with GDPR as an excuse to shift outsourcing business from India to elsewhere. For this purpose they need to incorporate a plan of action whereby they can give all their customers confidence that they are aware of and compliant with GDPR, though we may still assert our "Legitimate Interests" and the "Application of Local Laws".

So… interesting days are ahead of us. Whether we like it or dislike it, GDPR is here and we cannot ignore it.

…..So happy GDPR day to all…

Naavi


UK Data Protection Act 2018 comes into force…

Posted by Vijayashankar Na on May 24, 2018
Posted in Cyber Law

Racing against time with the implementation of GDPR, the UK authorities have completed the formalities of introducing the new version of their Data Protection legislation, effective from 25th May 2018, coterminous with the applicability of EU GDPR. This will continue even after BREXIT.

UK DPA 2018 should be considered an extension of GDPR, and entities to whom UK DPA 2018 applies may have to read DPA 2018 and GDPR side by side.

The office of ICO provides further information about the Act.  (Refer here).

A copy of the Data Protection Act is available here.

The DPA 2018 copy as released on 23rd May 2018 contains 215 sections divided into 7 Parts, plus 20 Schedules.

While data protection legislation advises companies to make their consents "Simple" and expressed in easily intelligible language, the UK's DPA is as complicated as any legislation can be and alien to the principle of simplicity. It will take some time for the industry to fully digest the provisions and be confident of compliance.

As we have often highlighted, laws that are simple are more likely to be complied with and a complex law will have a lower level of voluntary compliance requiring rigid penalties and enforcement.

India is in the process of completing its Data Protection Act, and I wish that Indian legislators do not make the law as huge and as complicated as the UK DPA, and instead opt for a simpler legislation which can be equally effective.

Law makers need to remember that laws are made not to show how knowledgeable the law maker is, but to ensure that the citizen understands them for compliance.

However, we shall continue to try to demystify the UK DPA 2018 over time.

The PDF version of the Act as made available is a 353 page document that requires detailed study.

Some of the salient features, for immediate consumption, are given below:

Applicability:

Under section 207 (Territorial application), this Act applies to:

a) processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom (section 207(2));

b) processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where (section 207(3))

(i) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(ii) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(iii) the processing activities are related to the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or the monitoring of data subjects' behaviour in the United Kingdom.

The Act is about the "Processing of Personal Data", and personal data is defined as "any information relating to an identified or identifiable living individual". The Act does not say whether this means the personal data of a UK citizen or of a citizen of another country; the test under section 207(3) is that the data subject is in the United Kingdom when the processing takes place.

Jurisdiction of Courts

The jurisdiction conferred on a Court under UK DPA 2018 (section 180) is exercisable in England and Wales, Northern Ireland and Scotland.

This effectively recognizes the limitations of a law making body which derives its powers from the sovereign Government that it represents. The EU GDPR ignored this limitation and arrogated to itself the responsibility for protecting global citizens, as if it were a global legislative body.

However, as a humble servant of the EU, which the majority of UK voters voted to exit, the legislators have vowed to legitimize GDPR within this legislation. Considering the detail to which this legislation went, there was no need to make it subordinate to the GDPR, but it appears that the UK legislators were under something like a "Stockholm Syndrome" and could not break themselves from expressing their past loyalties to the EU by importing GDPR into their own legislation. The UK seems to have lost its mental independence to stand up as an independent sovereign country and feels obliged to follow its EU masters.

Part 2 of the Act is devoted to supplementing GDPR

Chapter 2 of this Part applies to the types of processing of personal data to which GDPR applies by virtue of Article 2 of GDPR. Further, the Act confirms that Chapter 2 has to be read with the GDPR.

Chapter 3 of Part 2 has some provisions which are defined as the "Applied GDPR".

Section 21 states:

This Chapter applies to the automated or structured processing of personal data in the course of

(a) an activity which is outside the scope of European Union law, or
(b) an activity which falls within the scope of Article 2(2)(b) of the GDPR (activities of member States under Chapter 2 of Title V of the Treaty on European Union, i.e. the common foreign and security policy).

The term "outside the scope of European Union law" is a loose statement that is amenable to misinterpretation.

The applicability of UK DPA 2018 cannot extend beyond the jurisdiction of the Courts as defined under section 180, and all other narrations represent legislative imperfections.

Penalties:

The administrative fines specified in EU GDPR Article 83 are applicable under UK DPA 2018 also (section 157 sets out the maximum amounts of penalty notices).

More Codes to follow

The ICO has to develop certain codes of practice, such as a data sharing code, a direct marketing code, an age-appropriate design code, a data protection and journalism code etc. These codes need to be laid before Parliament and hence the industry needs to await the codes, which will be important from the compliance point of view.

DPO

Section 69 of UK DPA 2018 mandates the designation of a DPO by a controller unless the controller is a court, or other judicial authority, acting in its judicial capacity. Note that section 69 sits in Part 3 of the Act, which governs processing by competent authorities for law enforcement purposes; for general processing covered by Chapter 2 of Part 2, the designation requirement remains that of GDPR Article 37.

Principles and Rights

UK DPA 2018 re-states the Principles of Privacy and Data Subject’s Rights as in GDPR.

Cross Border Transfer of Data

Cross border transfer of data is subject to requirements similar to those in the EU, which include an "Adequacy Decision" (section 74) or appropriate Safeguards (section 75). Adequacy is as decided by the EU, and a Safeguard includes a legal instrument that binds the recipient of the data to protect the personal data. Additionally, transfers are permitted in special circumstances (section 76), such as where necessary to protect the vital interests of the data subject, to safeguard the legitimate interests of the data subject (the Act does say data subject, not data controller... Ed: could be a drafting error), for public security, for law enforcement purposes, or for legal claims. Sections 74 to 76 are again in Part 3 (law enforcement processing); transfers under general processing are governed by Chapter V of GDPR.

Responsibilities of Controller and Processor

The Act re-states the responsibilities of the Controller and Processor as in GDPR.

Offences

UK DPA 2018 defines the following offences related to personal data:

a) Unlawful obtaining of personal data, and selling personal data so obtained (section 170)

b) Re-identification of de-identified personal data (section 171)

c) Alteration of personal data to prevent disclosure (section 173)

A person who commits one of these offences is liable on summary conviction to a fine. A prosecution may be instituted only by the Commissioner or with the consent of the Director of Public Prosecutions.

The directors of a company may also be liable for an offence committed by the body corporate if it was committed with their consent or connivance, or is attributable to neglect on their part (section 198).

These are some preliminary observations and more discussions may follow in due course.

Naavi


GDPR, which is coming into full force on 25th May 2018, is aimed at protecting the privacy interests of EU citizens under the EU Charter of Fundamental Rights. However, the EU Commission believes that it has a role in protecting the privacy of the global community and uses its commercial clout as a collective economic entity to project GDPR as if it were a global law. In pursuance of this belief, GDPR contains provisions (Article 3(2) and Article 27) stating that even Data Controllers and Data Processors not established in the EU are required to be compliant with GDPR, and to appoint a representative in the EU, if they

a) offer goods or services to data subjects who are in the EU, or

b) monitor the behaviour of data subjects, as far as that behaviour takes place within the EU.

While it is clear that the EU does not have jurisdiction to make laws for other sovereign countries, many data processors in India presume that GDPR is applicable to them. Further, the clients who award processing contracts to Indian companies located outside the EU, out of their own fear and concern about the penalty clause in GDPR, try to add a GDPR Compliance clause to their contracts with the Indian processors.

As a result, many Indian companies are trying to be compliant with GDPR.

While it is fine if Indian companies try to provide Privacy Protection as per a global standard, not only for EU citizens' data but for all data, in their enthusiasm to be called "GDPR Compliant" Indian companies may go out of their way to designate representatives in the EU and also Data Protection Officers in their establishments in India.

We would like to warn Indian companies that there are risks they would invite if they unnecessarily subject themselves voluntarily to GDPR. Further, some of the provisions of GDPR may be in conflict with ITA 2000/8. When the Indian Data Protection Act gets drafted, there is a possibility of conflicts with GDPR in that legislation also. In such cases, companies need to ensure that they are first compliant with Indian laws before worrying about compliance with other laws, unless it is essential for their business.

Similarly, executives would be excited to be designated as "Data Protection Officers" under GDPR. It would enhance their professional reputation and also expand their global employment opportunities. The first reaction of professionals in the Information Security domain, or in similar roles, is therefore to grab such opportunities.

In this connection, we need to take a second look at the provisions of GDPR relating to Data Protection Officers (DPO) and their responsibilities.

Article 39 of GDPR defines the tasks of the DPO. It must be noted that the DPO under GDPR is not required to be an employee of the organization and is not burdened with "Implementation". He is expected to be an "Adviser" to the Controller or Processor and, in effect, an in-house representative of the supervisory authority, monitoring compliance and acting as the contact point for the supervisory authority.

Under Article 38(4), the DPO is also the contact point for Data Subjects. This means that he would be the grievance redressal official who receives complaints from data subjects, including requests to exercise data subject rights, and ensures compliance.

Article 38(3) further states that the DPO shall not receive any instructions from the Controller/Processor regarding the exercise of his tasks. This means that he would act independently.

Under Article 37(6), it is indicated that the DPO need not be "Staff"; he can be engaged on a "Service Contract". This means that the DPO may be an external consultant.

If he is "Staff", then conflicts of interest with his other duties must be avoided (Article 38(6)).

If we seriously analyze the tasks of the DPO, it is not easy to identify any activity that a staff member could discharge which does not have a conflict of interest with the DPO's responsibilities. Article 38(3) requires the DPO to report directly to the highest management level, that is, the CEO, and hence he would sit above the CISO and CTO in the current structure. His decisions will affect the interests of the company as a whole, and hence even as an advisor to the CEO he is in a conflict situation.

For example, if there is a data subject's complaint, then it is the DPO who, based on his assessment, has to agree to the payment of any compensation and also report to the Supervisory Authority, which has the right to impose penalties. The DPO may therefore decide how much cash outgo occurs in any suspected non compliance situation. This is certainly in conflict with the CEO's own responsibility for revenue management.

Since the DPO cannot be a staff member senior to the CEO, it is practically not possible to avoid a conflict of interest if an internal DPO is appointed. In most cases, therefore, the DPO has to be an external consultant with the necessary professional knowledge and also integrity. Most of the time, knowledge and integrity do not go together, and companies will have to struggle to find the right combination at the right price. If they compromise on price, there is certainly a possibility of loss of quality. Hence the DPO designation is a complex decision that management has to take.

According to Article 37(1), the designation of a DPO is not mandatory in all circumstances. It is mandatory only where the processing is carried out by a public authority or body, or where the "Core Activities" of the Data Controller or Data Processor consist of processing operations which require "Regular and Systematic monitoring" of data subjects on a "Large scale", or of "Large scale" processing of special categories of data or data relating to criminal convictions and offences.

What amounts to "Large Scale" is a matter of interpretation. Consider an Indian BPO handling data processing for different data subjects in different countries. In such a case, the core activity may not be the processing of GDPR sensitive data. Even if there is a website accessible from the EU, the data collected about EU data subjects may relate only to non sensitive data and may be considered not to be regular and systematic collection. Hence, unless there is an activity directed towards EU data subjects alone, or the EU market share is significant, the need for a DPO may not be mandatory.

Though this is the view of the undersigned, it is possible that many organizations will feel that there is a need to designate a DPO and also an EU representative so that they can project a "GDPR Ready" profile to prospective EU business partners. Hence many Indian companies may start designating one of their employees who has undertaken some training and certification as the DPO.

Such DPOs will have to work in an environment of conflict, where they are paid by the company and are junior in terms of organizational hierarchy but are expected to act independently.

The fact that the DPO shall not be dismissed or penalized by the Controller/Processor for performing his tasks (Article 38(3)) makes him a privileged person who may in due course become a thorn in the side of the IT and IS departments if he is honest to his duties. All CISOs and Compliance officials have faced awkward experiences when they have had to disagree with a powerful business manager who insists that some decision has to be taken in the business interest, even over the objections of the CISO or the CCO.

Some of these issues are also faced by Company Secretaries and Auditors, who have to manage statutory responsibilities which may go against the company that pays them. Recently many auditors have been criminally booked for negligence when they failed in their duties to the shareholders and were responsible for frauds going unreported for a long time.

Similar developments can be expected in the case of DPOs.

Presently GDPR does not speak of any liabilities of the DPO. However, if the DPO is a trusted representative of the Supervisory Authority, then he could be held liable for "Breach of Trust" if he does not discharge his duties to the satisfaction of the Supervisory Authority.

Hence DPOs should be ready for a situation where they are aware of some potential data breach scenario in their company but keep quiet while there is an attempt to brush the incident under the carpet, and it blows up on a later day. An investigation in such a situation may reveal that the DPO was aware but did not act diligently and hence was guilty of breach of trust. Even the top management of the company may disown the DPO and insist that it was not kept informed of the accumulating risk. After all, the management also wants a scapegoat so that it can negotiate lower penalties with the supervisory authority by blaming the DPO for all the problems.

Some of my readers may say that I am speculating on a scenario with a negative outlook. But any experienced person who has worked in an organization, particularly in an internal audit department, would easily recognize the truth of what I am describing above.

While these developments are bound to happen in such a scenario, and many would consider them part of the "Risk of the Profession" itself and negotiate remuneration packages, severance packages, insurance and indemnity covers to ensure that they will not be personally liable when an adverse situation arises, there would be many not so intelligent, smart or powerful persons who work hard and honestly, only to be blamed one day for not having discharged their responsibilities properly.

I therefore think that there is a need for DPOs to ensure that their professional interests are protected. I propose that "Data Protection Professionals" (which may include DPOs, Compliance officials and IS officials) organize themselves by creating an "Indian Association of Data Protection Professionals" (IADPP) on the lines of ICAI, ICS or similar professional organizations.

I invite the views of other professionals in this respect.

Naavi
