
Naavi.org

Building a Responsible Cyber Society…Since 1998

The Data Protection industry is closely related to the Information Security industry on the one hand and the Legal Compliance industry on the other.

This industry includes Data Controllers and Data Processors as envisaged in Data Protection laws such as GDPR, but is not limited to this segment alone. Data Protection is required not only for protecting the Privacy of Citizens under the Privacy Protection objective, but also because Data is an essential raw material of business. Hence we protect data both to prevent Privacy Breaches and Cyber Crimes and to protect business interests.

Different laws are made for the prevention of Cyber Crimes and for the protection of the Privacy Rights of individuals, and therefore “Compliance” applies to both segments of activity. Cyber Crime prevention laws have been in existence for some time and have not been in conflict with business requirements. Hence compliance did not create any conflict either for a Company or for its Compliance managers.

Privacy Protection laws, on the other hand, ignore the needs of the business not only for Business Data Protection but also the interests of Business Development itself, except within narrow boundaries. In many cases the law inhibits business development and justifies this in the larger interest of protecting the right to Privacy. Cyber Security is also only a secondary objective for most Data Protection laws.

Cyber Crime prevention laws do not ignore Privacy Rights but address both protection of business data as well as personal data to the extent that there is a measurable “Loss” suffered by a Citizen.

Data Protection laws cannot completely overrule Cyber Security requirements, and hence “Legitimate Interest of the Business”, “Law Enforcement Requirements”, “Legal Defense Requirements”, “Vital Interests of Other Individuals” and “Public Interest” are provided as exceptions in the law.

However, recognizing the availability of “Exceptions” and applying them in a given scenario where multiple interpretations exist is a difficult proposition for operating Data Protection Professionals. The Business would like to err on the safer side, and that “Safe” option is often a business hurdle.

Conflicts will therefore arise when a Data Protection Professional (DPP) tries to balance the Privacy Protection requirements of a data subject with the legitimate interests of the Data Processing industry. Managing this conflict will require the utmost skill from DPPs: the skill to manage not only the technical aspects, but also the legal issues and the managerial concerns involved.

Under GDPR it is envisaged that the DPO is answerable to the Supervisory Authority while working under the salary/financial consideration of the Data Controller/Data Processor. This sort of relationship, with its inherent conflict, is new to IT professionals. It is the kind of relationship which Chartered Accountants and Company Secretaries try to manage, but not always with success.

It is with a recognition of this difficulty, and so as not to leave DPPs sandwiched between their responsibilities to their bosses and their responsibilities to the Supervisory Authority, that Naavi has promoted the idea that there is a need for an Indian Association of Data Protection Professionals (IADPP) and, along with like-minded individuals, is finalizing the formation of a suitable organization.

Explore this idea and contribute by becoming a member of this community today.

Naavi


GDPR, which comes into full force on 25th May 2018, is aimed at protecting the Privacy interests of EU citizens under the EU constitution. However, the EU Commission believes that it has a role in protecting the privacy of the global community and uses its commercial clout as a collective economic entity to project GDPR as if it were a global law. In pursuance of this belief, GDPR contains provisions stating that even Data Controllers and Data Processors not established in the EU are required to be compliant with GDPR, and also to appoint a representative in the EU, if they

a) Offer products and services to EU Citizens

b) Monitor the behaviour of natural persons in the EU

While it is clear that the EU does not have jurisdiction to make laws for other sovereign countries, many data processors in India presume that GDPR is applicable to them. Further, the data vendors who give processing contracts to Indian companies located outside the EU, out of their own fear and concern about the penalty clause in GDPR, try to add a GDPR Compliance clause to their contracts with the Indian processors.

As a result, many Indian companies are trying to be compliant with GDPR.

While it is fine if Indian companies try to provide Privacy Protection as per a global standard, not only for EU citizens’ data but for others’ as well, in their enthusiasm to be called “GDPR Compliant” Indian companies may go out of their way to designate representatives in the EU and also Data Protection Officers in their establishments in India.

We would like to warn Indian companies that there are risks they would invite if they unnecessarily and voluntarily subject themselves to GDPR. Further, some of the provisions of GDPR may be in conflict with ITA 2000/8. When the Indian Data Protection Act gets drafted, there is a possibility of conflicts with GDPR in that legislation also. In such cases, companies need to ensure that they are first compliant with Indian laws before worrying about being compliant with other laws, unless it is essential for their business.

Similarly, executives would be excited to be designated as “Data Protection Officers” under GDPR. It would enhance their professional reputation and also expand their global employment opportunities. The first reaction of professionals in the Information Security domain, or in similar responsibilities, is therefore to grab such opportunities.

In this connection, we need to have a second look at the provisions of GDPR relating to Data Protection Officers (DPOs) and their responsibilities.

Article 39 of GDPR defines the tasks of the DPO. It must be noted that the DPO under GDPR is not envisaged as an employee of the organization and is not burdened with “Implementation”. He is expected to be an “Adviser” to the Controller or Processor and an in-house representative of the supervisory authority, to monitor compliance and act as a contact point for the supervisory authority.

Under Article 38, the DPO is also the contact point for Data Subjects. This means that he would be the grievance redressal official who receives complaints from data subjects, including requests for the exercise of data subjects’ rights, and ensures compliance.

Article 38 of GDPR states further that the DPO does not receive any instructions from the Controller/Processor regarding his tasks. This means that he would act independently.

Under Article 37, it is indicated that the DPO need not be “Staff”. He can be on a “Service Contract”. This means that the DPO may be an external consultant.

If he is “Staff”, then conflict of interest with his other duties needs to be avoided (Article 38).

If we seriously analyze the tasks of the DPO, it is not easy to identify any activity that a staff member can discharge which does not have a conflict of interest with the DPO’s responsibilities. His position will report directly to the CEO, and hence he would be above the CISO and CTO in the current structure. His decisions will affect the interests of the Company as a whole, and hence even as an advisor to the CEO he is in a conflict situation.

For example, if there is a data subject’s complaint, then it is the DPO who, based on his assessment, has to agree to the payment of any compensation and also report to the Supervisory Authority, which has the right to impose penalties. The DPO may therefore decide how much cash outgo occurs in any suspected non-compliance situation. This is certainly in conflict with the CEO’s own responsibility for revenue management.

Since the DPO cannot be a staff member higher than the CEO, it is practically impossible to avoid a conflict of interest if an internal DPO is appointed. In most cases, therefore, the DPO has to be an external consultant with the necessary professional knowledge and also integrity. Most of the time, Knowledge and Integrity do not go together, and Companies will have to struggle to find the right combination at the right price. If they compromise on pricing, there is certainly a possibility of loss of quality. Hence the DPO designation is a complex decision that the management has to take.

According to Article 37, the designation of a DPO is not mandatory in all circumstances. The designation of a DPO would be mandatory only if the “Core Activity” of the Data Controller or Data Processor consists of processing information where there is “Large scale”, “Regular and Systematic monitoring of EU subjects”.

What amounts to “Large Scale” is a matter of interpretation. Consider an Indian BPO handling data processing of different data subjects in different countries. In such a case, the Core activity may not be the processing of GDPR-sensitive data. Even if there is a website accessible from the EU, the data collected about EU data subjects may relate only to non-sensitive data and may be considered not to be regular and systematic collection. Hence, unless there is an activity directed towards EU data subjects alone, or where the EU market share is significant, the need for a DPO may not be considered mandatory.

Though this is the view of the undersigned, it is possible that many organizations may feel that there is a need to designate a DPO and also an EU representative so that they may project their GDPR-Ready profile to prospective EU business partners. Hence many Indian Companies may start designating as DPO one of their employees who has undertaken some training and certification.

Such DPOs will have to work in an environment of conflict, where they are paid by the Company and are junior in terms of organizational hierarchy but are expected to act independently.

The fact that the DPO shall not be dismissed or penalized by the Controller/Processor for performing his tasks makes him a privileged person who, if he is honest in his duties, may in due course become a thorn in the side of the IT and IS departments. All CISOs and Compliance officials have faced awkward experiences when they had to disagree with a powerful business manager who insisted that some decision had to be taken in the business interest even though the CISO or the CCO had his objections.

Some of these issues are also faced by Company Secretaries and Auditors, who have to manage statutory responsibilities which may go against the Company that pays them. Recently many auditors have been criminally booked for negligence when they failed in their duties to the shareholders and were responsible for frauds going unreported for a long time.

Similar developments can be expected in the case of DPOs.

Presently GDPR does not speak of any liabilities of the DPO. However, if the DPO is a trusted representative of the Supervisory Authority, then he would be liable for “Breach of Trust” if he does not discharge his duties to the satisfaction of the Supervisory Authority.

Hence DPOs should be ready for a situation where they are aware of some potential data breach scenario in their company but keep quiet while there is an attempt to brush the incidents under the carpet, only for the matter to blow up on a later day. An investigation in such a situation may reveal that the DPO was aware of it but did not act diligently, and hence was guilty of breach of trust. Even the top management of the Company itself may disown the DPO and insist that it was not kept informed of the accumulating risk. After all, the management also wants a scapegoat, so that it can negotiate lower penalties with the supervisory authority by blaming the DPO for all the problems.

Some of my readers may say that I am speculating about a scenario with a negative outlook. But anyone with experience of working in an organization, particularly in an internal audit department, would easily recognize the truth of what I am saying above.

These are developments which are bound to happen in such a scenario. Many would consider this part of the “Risk in the Profession” itself and negotiate remuneration packages, severance packages, and insurance and indemnity covers to ensure that they will not be personally liable when an adverse situation arises. But there would be many not so intelligent, smart and powerful persons who work hard and honestly, only to be blamed one day for not having discharged their responsibilities properly.

I therefore think that there is a need for DPOs to ensure that their professional interests are protected. I therefore propose that “Data Protection Professionals” (which may include DPOs, Compliance officials and IS officials) organize themselves by creating an “Indian Association of Data Protection Professionals” (IADPP) on the lines of ICAI, ICS or similar professional organizations.

I invite the views of other professionals in this respect.

Naavi