GDPR, which comes into full force on 25th May 2018, is aimed at protecting the Privacy interests of EU citizens under the EU constitution. However, the EU Commission believes that it has a role in protecting the privacy of the global community and uses its commercial clout as a collective economic entity to project GDPR as if it were a global law. In pursuance of this belief, GDPR contains provisions stating that even Data Controllers and Data Processors not established in the EU are required to be compliant with GDPR, and also to appoint a representative in the EU, if they
a) Offer products and services to EU Citizens
b) Monitor the behaviour of natural persons in the EU
While it is clear that the EU does not have jurisdiction to make laws for other sovereign countries, many data processors in India presume that GDPR is applicable to them. Further, the data vendors located outside the EU who award processing contracts to Indian companies, out of their own fear and concern about the penalty clause in GDPR, try to add a GDPR Compliance clause to their contracts with the Indian processors.
As a result, many Indian companies are trying to be compliant with GDPR.
While it is fine if Indian companies try to provide Privacy Protection as per Global Standards, not only to EU Citizens’ data but to others’ as well, in their enthusiasm to be called “GDPR Compliant” Indian Companies may go out of their way to designate representatives in the EU and also Data Protection Officers in their establishments in India.
We would like to warn Indian Companies that there are some risks they would invite if they unnecessarily and voluntarily subject themselves to GDPR. Further, some of the provisions of GDPR may be in conflict with ITA 2000/8. When the Indian Data Protection Act gets drafted, there is a possibility that there could be conflicts with GDPR in that legislation also. In such cases, Companies need to ensure that they are first compliant with Indian laws before worrying about being compliant with other laws, unless it is essential for their business.
Similarly, executives would be excited if they are designated as “Data Protection Officers” under GDPR. It would enhance their professional reputation and also expand their global employment opportunities. The first reaction of professionals in the Information Security domain or in similar responsibilities is therefore to grab such opportunities.
In this connection, we need to have a second look at the provisions of GDPR relating to Data Protection Officers (DPOs) and their responsibilities.
Article 39 of GDPR defines the tasks of the DPO. It must be noted that the DPO under GDPR is not envisaged as an employee of the organization and is not burdened with “Implementation”. He is expected to be an “Adviser” to the Controller or Processor and an in-house representative of the supervisory authority, to monitor compliance and act as a contact point for the supervisory authority.
Under Article 38, the DPO is also the contact point for Data Subjects. This means that he would be the grievance redressal official who receives complaints from data subjects, including requests for the exercise of data subjects’ rights, and ensures compliance.
Article 38 of GDPR further states that the DPO does not receive any instructions from the Controller/Processor regarding his tasks. This means that he would act independently.
Under Article 37, it is indicated that the DPO need not be “Staff”. He can be on a “Service Contract”. This means that the DPO may be an external consultant.
If he is “Staff”, then conflict of interest with his other duties needs to be avoided (Article 38).
If we seriously analyze the tasks of the DPO, it does not appear easy to identify any activity that a staff member could discharge which does not have a conflict of interest with the DPO’s responsibilities. His position will report directly to the CEO and hence he would be above the CISO and CTO in the current structure. His decisions will affect the interest of the Company as a whole, and hence even as an advisor to the CEO he is in a conflict situation.
For example, if there is a data subject’s complaint, then it is the DPO who, based on his assessment, has to agree to the payment of any compensation and also report to the Supervisory authority, which has the right to impose penalties. The DPO may therefore decide how much cash outgo occurs in any suspected non-compliance situation. This is certainly a conflict with the CEO’s own responsibility for revenue management.
Since the DPO cannot be a staff member higher than the CEO, it is practically not possible to avoid conflict of interest if an internal DPO is appointed. In most cases, therefore, the DPO has to be an external consultant with the necessary professional knowledge and also integrity. Most of the time, Knowledge and Integrity do not go together, and Companies will have to struggle to find the right combination at the right price. If they compromise on pricing, there is certainly a possibility of loss of quality. Hence the DPO designation is a complex decision that the management has to take.
According to Article 37, the designation of a DPO is not mandatory in all circumstances. The designation of a DPO would be mandatory only if the “Core Activity” of the Data Controller or Data Processor consists of processing that requires “Large scale”, “Regular and Systematic monitoring” of EU data subjects.
What amounts to “Large Scale” is a matter of interpretation. Consider an Indian BPO handling data processing for different data subjects in different countries. In such a case, the Core activity may not be the processing of GDPR-sensitive data. Even if there is a website accessible from the EU, the data collected about EU data subjects may relate only to non-sensitive data and may be considered as not regular and systematic collection. Hence, unless there is an activity that is directed towards EU data subjects alone, or where the EU market share is significant, the need for a DPO may not be considered mandatory.
Though this is the view of the undersigned, it is possible that many organizations may feel that there is a need to designate a DPO and also designate an EU representative so that they may project their GDPR Ready Profile to prospective EU business partners. Hence many Indian Companies may start designating one of their employees who has undertaken some training and certification as the DPO.
Such DPOs will have to work in an environment of conflict, where they are paid by the Company and are junior in terms of organizational hierarchy but are expected to act independently.
The fact that the DPO shall not be dismissed or penalized by the Controller/Processor for performing his tasks makes him a privileged person who may in due course become a thorn in the activities of the IT and IS departments if he is honest to his duties. All CISOs and Compliance officials have faced awkward experiences when they have had to disagree with a powerful business manager who insists that some decision has to be taken in the business interest even if the CISO or the CCO has his objections.
Some of these issues are also faced by Company Secretaries and Auditors, who have to manage statutory responsibilities which may go against the Company which pays them. Recently, many auditors have been criminally booked for negligence when they have failed to discharge their duties to the shareholders and were responsible for frauds going unreported for a long time.
Similar developments can be expected in the case of DPOs.
Presently, GDPR does not talk of any liabilities of the DPOs. However, if the DPO is a trusted representative of the Supervisory authority, then he would be liable for “Breach of Trust” if he does not discharge his duties to the satisfaction of the Supervisory authorities.
Hence DPOs should be ready for a situation where they are aware of some potential data breach scenario in their company but keep quiet while there is an attempt to brush the incident under the carpet, which blows up on a later day. An investigation in such a situation may reveal that the DPO was aware of it but did not act diligently, and hence was guilty of breach of trust. Even the top management of the Company itself may disown the DPO and insist that it was not kept informed of the accumulating risk. After all, the management also wants a scapegoat, to negotiate with the supervisory authority for lower penalties by blaming the DPO for all the problems.
Some of my readers may say that I am speculating about a scenario with a negative outlook. But any experienced person who has worked in an organization, particularly in the internal audit department, would easily recognize the truth of what I am talking about above.
These are developments which are bound to happen in a scenario like this. Many would consider this a part of the “Risk in the Profession” itself and negotiate remuneration packages, severance packages, insurance and indemnity covers to ensure that they will not be personally liable when an adverse situation arises. But there would be many not so intelligent, smart and powerful persons who may be working hard and honestly, only to be blamed one day that they were not able to discharge their responsibilities properly.
I therefore think that there is a need for DPOs to ensure that their professional interests are protected. I therefore propose that “Data Protection Professionals” (which may include DPOs, Compliance officials and IS officials) organize themselves by creating an “Indian Association of Data Protection Professionals” (IADPP) on the lines of ICAI, ICSI or similar professional organizations.
I invite the views of other professionals in this respect.