The Data Protection Industry is closely related to the Information Security industry on the one hand and the Legal Compliance industry on the other hand.
This industry includes Data Controllers and Data Processors as envisaged in Data Protection laws such as GDPR but is not limited to this segment alone. Data Protection is required not only for protecting the Privacy of Citizens under the Privacy Protection Objective, but also because Data is an essential raw material of business. Hence we protect data both to prevent Privacy Breaches and Cyber Crimes and to protect business interests.
Different Laws are made for prevention of Cyber Crimes and for the Protection of Privacy Rights of individuals and therefore “Compliance” applies to both segments of activity. Cyber Crime prevention laws have been in existence for some time and have not been in conflict with the business requirements. Hence compliance did not have any conflict either for a Company or for the Compliance managers.
Privacy Protection Laws on the other hand ignore the needs of the business not only for Business Data Protection but also the interests of the Business Development itself except within narrow boundaries. In many cases the law inhibits business development and justifies it in the larger interest of protecting rights of Privacy. Cyber Security is also a secondary objective for most of the Data Protection Laws.
Cyber Crime prevention laws do not ignore Privacy Rights but address both protection of business data as well as personal data to the extent that there is a measurable “Loss” suffered by a Citizen.
Data Protection Laws cannot completely overrule the Cyber Security requirements and hence “Legitimate Interest of the Business”, “Law Enforcement Requirements”, “Legal Defense requirements”, “Vital Interests of other individuals” and “Public Interest” are provided as exceptions in the law.
However, recognizing the availability of “Exceptions” and applying them in a given scenario where multiple interpretations exist is a difficult proposition for operating Data Protection Professionals. The Business would like to err on the safer side and that “Safe” option is often a business hurdle.
Conflicts will therefore arise when a Data Protection Professional (DPP) tries to balance the Privacy Protection requirements of a data subject with the legitimate interests of the Data Processing industry. Managing such conflicts will require the utmost skill from DPPs: the skill to manage not only the technical aspects, but also the legal issues and the managerial concerns involved.
Under GDPR it is envisaged that the DPO is answerable to the Supervisory Authority while working under the salary/financial consideration of the Data Controller/Data Processor. This sort of relationship, where there is an inherent conflict, is new to IT professionals. It is a kind of relationship which Chartered Accountants and Company Secretaries try to manage, but not always with success.
It is with a recognition of this difficulty, and so as not to leave the DPPs sandwiched between their responsibilities to their bosses vs. their other responsibilities, that Naavi has promoted the idea that there is a need for an Indian Association of Data Protection Professionals (IADPP) and, along with like-minded individuals, is finalizing the formation of a suitable organization.
Explore this idea and contribute by becoming a member of this community today.