The discussions held on June 6th regarding the role of Independent Data Auditors under DPDPA 2023 generated a number of insightful observations. Among them, two issues stood out as being particularly significant for the future evolution of DPDPA compliance and audit practices in India.
The first concerns the role of the Data Protection Officer (DPO) and whether a person whose primary responsibility is Information Security—such as a Chief Information Security Officer (CISO)—can effectively discharge the responsibilities of a DPO.
The second concerns the independence of the DPDPA audit process itself. If compliance audits are expected to protect the interests of Data Principals in addition to the interests of the organization, should the scope of the audit be determined solely by management, or should there be an independent validation of the scoping assumptions?
At first glance these may appear to be unrelated questions. However, both arise from a common concern: the need to balance the interests of the Data Fiduciary with the interests of the Data Principal.
A DPDPA compliance framework cannot be viewed merely as an extension of Information Security. Nor can a DPDPA audit be viewed merely as another management-controlled assurance exercise. The Act introduces a new stakeholder into governance discussions—the Data Principal—and requires organizations to consciously account for that stakeholder’s rights and interests.
In this context, it is useful to separately examine:
- Why the objectives of the CISO and the DPO may diverge, and whether the two roles should be combined; and
- Whether management should have unrestricted authority to define the scope of a DPDPA audit.
The next two blogs attempt to initiate a discussion on these issues. The observations are exploratory and are intended to stimulate debate among privacy professionals, auditors, DPOs, CISOs, and policy makers.
Naavi