One of the first Model Implementation Specifications under DGPSI, the compliance framework for DPDPA compliance by design, is:
“Organization shall designate/appoint, DPO/Compliance Manager with necessary credentials and provide support in terms of people, budget and technology and external consultancy.”
This specification essentially focuses on the “Necessary Credentials” of the compliance manager or the DPO. What constitutes the necessary and desirable credentials for a DPO has been a long debate ever since GDPR came into being in 2018. The law cannot specifically define the credentials; at best it can only list the requirements to be fulfilled by the DPO.
GDPR has been a little more specific on the tasks of the DPO while DPDPA is very crisp and states DPO shall “represent” the Significant Data Fiduciary, be a “point of contact” for grievance redressal and “be responsible” to the Board of Directors.
If we put on DGPSI’s jurisprudential lens and interpret the words “Represent”, “Be responsible” and “Point of contact”, we will be able to understand the credentials required of a DPO.
A “Point of Contact” can be just that: a postman who passes on grievances to somebody who is designated as a Grievance Officer. On the other hand, the DPO himself can be the Grievance Redressal Officer. The ball is now in MeitY’s court: when it releases the much-awaited “Rules”, it can define the role of a DPO as either the “Postman” or the “Grievance Redressal Officer” (GRO).
We should note that ITA 2000 already requires an “ITA 2000 compliance officer and a Grievance Manager”, and hence it is natural to think that there will be a common GRO for both ITA 2000 and DPDPA.
However, an organization is also exposed to other laws such as environmental laws, labour law or the POSH Law.
If labour disputes and POSH disputes are considered one class of disputes, and environmental laws another class, and both are added to the ITA 2000 and DPDPA disputes, then a GRO would have to be a legal expert.
If, however, ITA 2000 and DPDPA disputes are considered “Data Disputes”, the expertise required is in the two laws ITA 2000 and DPDPA, with additional knowledge of international laws and the technology aspects.
It is this expertise in ITA 2000 and DPDPA, along with international data protection laws, that trainings like C.DPO.DA. try to develop. Most other DPO certification programs may not even cover ITA 2000.
DGPSI understands and appreciates the need for a single GRO in a company who handles all types of disputes from employees and the public. However, considering the requirements of DPDPA and the likelihood of a large number of complaints under DPDPA, DGPSI recommends that the DPO himself/herself should be the GRO for data-related disputes.
In view of this, the DPO should not be considered a mere postman whose contact information is available on the website just to receive, acknowledge and forward grievances to the GRO. Instead, the DPO should have “Dispute/Conflict Resolution Skills”, which involve “Negotiation” and “Mediation”. Accordingly, this skill is one of the requirements of a good DPO.
The interpretation of the word “Represent” under DGPSI is that the DPO shall be the face of the SDF (Significant Data Fiduciary) as far as the external world is concerned. Hence, on the one hand he faces the Data Principals and on the other hand he faces the Regulator and the Media. DGPSI therefore expects the DPO to possess the skills to negotiate with the DPB and, later, the Appellate Tribunal.
The DPO also needs to face the Media as a PR Manager to handle any data breach crisis. Hence his required credentials include external communication skills.
The DPO, being a senior person reporting perhaps to the Board directly and questioning R&D projects, marketing contracts etc. for compliance deficiencies, often develops conflicts with other CxOs and even with the CEO. Hence, the ability to manage internal relations without sacrificing the commitment to his obligations under law is essential.
At this point of time we do not know if the DPO will be personally held liable for any compliance issues. However, DGPSI jurisprudence suggests that since the organization is a “Fiduciary”, the primary responsibility of the DPO is to protect the interest of the data principals, and if he fails in this regard for any reason, including pressure from the organization itself, it is considered a “Breach of Trust”.
In the GDPR there is a provision that the DPO shall not be dismissed or penalised for performing his duties. ICO UK even has a DPO registration system.
At present, India has neither a DPO registration system nor a DPO protection system at the level of the Government.
Only organizations like FDPPI are planning to provide such support.
Considering these internal conflicts, the ability to communicate effectively internally and maintain internal relationships is considered a further requirement of an ideal DPO.
In view of the above, the following six credentials are considered essential for a good DPO:
- Legal Knowledge of DPDPA and other data protection laws along with ITA 2000
- Understanding of technology to the extent of converting the law into technology practices or identifying legal infringements in technology
- Handling of Grievances with skills related to Conflict Resolution, Mediation etc.
- Ability to communicate effectively and negotiate with the Regulators
- Ability to communicate effectively and maintain good internal relationships with other CxOs
- Ability to communicate effectively with the external agencies like Media.
FDPPI, through its training programs, is trying to provide such skills and expertise and recommends that others also follow suit. Alternatively, the management has to ensure that the DPO designate is provided training not only by organizations like FDPPI but additionally by appropriate organizations for Conflict Management, Mediation and PR.
Naavi