We have been discussing the impact of the new Data Protection laws on the protection of the “Privacy” of individuals ever since the GDPR entered the corporate debate. The DPO under the GDPR regime became a key player in the corporate management team, since the role was expected to be senior enough to report directly to the Board.
Until then, the CISOs had been gaining importance in the corporate management hierarchy, marching ahead of the CTO. The legal fraternity was fighting for a place as Chief Compliance Officers (CCOs). The CROs (Chief Risk Officers), meanwhile, were working close to the Board since they addressed the business concerns of top management.
The advent of the DPO into the corporate management team upset the apple cart of the corporate hierarchy, since the DPO suddenly had to be somebody capable of advising management on data security issues while also carrying the responsibility for managing the relationship with the Supervisory Authority.
Additionally, Article 38(3) of the GDPR mandates:
“The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.”
As a result of this provision, the DPO suddenly became the most important official in the organization. With the high penalties under the GDPR, and the DPO's involvement in the reporting of Data Breaches to the DPA, keeping the DPO happy became a strategic necessity in companies with a stake in GDPR compliance.
The GDPR, however, gave companies one relief by making it possible to appoint an “External” consultant or consultancy firm as the DPO, which companies could use to ensure that the DPO does not become a whistleblower threat at some point of time. However, wherever a company decided to have an in-house DPO, the DPO obviously became an official more important than even the CISO.
Since the DPO role required “Legal” knowledge, the CCOs looked to occupy this key position. But with most CCOs coming from a legal background and having little technology background, companies had to look beyond the CCOs to find the right persons to fill the role of DPO.
Amid the competition between the CISO and the CCO to become the DPO, companies that had created the role of a CRO had another contender for the post, because he was already close to senior management and carried some influence with the Board members.
Now the proposed Indian legislation, viz. the Personal Data Protection Bill/Act (PDPB/A), has also created the need for a DPO in all IT organizations in India that handle personal data in some form. The PDPB/A requires the DPO to be an employee; the option of engaging an outside consultant is not available.
If we look at the responsibilities of a DPO, it is clear that he should be an expert in both technology and business, able to guide and monitor the organization’s data processing activities, besides assisting and cooperating with the DPA and acting as the single point of contact for the Data Principals.
The skills required to manage this responsibility remind one of the Indian “Neethi Sara” on the six virtues of a “Wife”, which states:
“Karyeshu Dasi, Karaneshu Manthri; Bhojeshu Mata, Shayaneshu Rambha; Roopeshu Lakshmi, Kshamayeshu Dharitri; Shat dharmayukta, Kuladharma Pathni.”
Section 36 of the PDPB lists seven requirements of a DPO, which we can call the “Requirements of an ideal DPO”.
Just as it is difficult to find the Kuladharma Patni mentioned in the Neethi Sara, it is not easy to find an executive who meets all seven requirements of the DPO as set out in the PDPB/A.
Organizations like FDPPI (Foundation of Data Protection Professionals in India), of which the undersigned is the Chairman, are setting their sights on creating such ideal DPO material over a period of time. A number of professionals, some with ISO audit backgrounds or certifications in international privacy laws, are presenting themselves to be considered eligible for the position of DPO in India. But many of them need to re-skill themselves with knowledge of the law in India, and it will take some time before ideally “Qualified persons” are available for the position of DPO. Even if some acquire certifications of various kinds, the need to handle the Data Principals and the DPA, in addition to colleagues within the organization, poses a challenge to most of these professionals.
In the meantime, a new challenge has come up, with the Government starting preliminary work on a new regulation that may address the processing of “Non Personal Data”, the raw material of the Big Data industry. The formation of the Kris Gopalakrishna Committee to work out the requirements of a regulation for “Community Privacy” and a “Data Governance Framework” is throwing up a new challenge, bringing in “Management” personnel to “Manage the Data” for productive use as an asset of the organization. These Data Governance Managers/Officers (DGOs) may be another group of people who throw their hats into the ring to be considered the people who call the shots, not only for protecting the data technically like the CISOs, but also from the compliance angle like the DPOs.
The DGOs may emerge not from the IT background of the CISOs, nor the legal background of the DPOs, nor even the risk management background of the CROs, but from a “Management Background”. The usual IIM-trained management professionals could be the people who fill this role of “Managing the Data Asset of an organization”. In the organizations of the future, we may therefore see a tussle among the DGOs, the DPOs and the CROs to occupy the prestigious role of advisor to the Board on Data Management, Data Security and Compliance with Data Security regulations.
It would be interesting to watch who wins the race to the top of the corporate echelon.