Data protection laws such as GDPR or DPDPA excite professionals who are on the lookout for new career opportunities. In particular, the title Data Protection Officer (DPO) is a coveted position which many IT professionals seek. Legal professionals, who normally look at a new law from the perspective of litigation opportunities, are also trying to compete with the IT professionals for the role of DPO.
We keep getting enquiries from corporate professionals asking whether they need to be legal professionals to be a DPO, or whether it is sufficient to acquire a “Certification”. Similarly, lawyers working as litigation support executives or “Compliance officers” often question why they are ignored for the position of DPO and feel bad when a technical person who does not know the difference between “Consent and Legitimate use”, “Contract and MOU” or “Mediation and Adjudication” is made the DPO and is expected to represent the organization with the DPB on the one hand and the Data Principals on the other.
While GDPR, being a more prescriptive law than DPDPA, states in greater detail the requirements of a DPO, DPDPA is a law that specifies certain principles and expects the “Data Fiduciaries” to find their own ways to navigate the law.
In GDPR, Articles 37, 38 and 39 talk about the requirements of a DPO.
While DPDPA makes the requirement of a DPO mandatory for a Significant Data Fiduciary (SDF), GDPR specifies that a DPO is required where the scope of activities requires large-scale and systematic monitoring of data subjects or involves special categories of data (otherwise recognized as sensitive data, such as racial or ethnic data, political opinions, religious beliefs, genetic or biometric data, sexual information etc.). In a way the requirement of a DPO in DPDPA is similar to GDPR, except that DPDPA classifies such organizations that require a DPO as a Significant Data Fiduciary rather than the other way round.
DPDPA does not define “Sensitive Personal Data” and leaves it to the discretion of the Fiduciary to assess the risks that its processing may cause to the rights of a data principal.
GDPR prescribes that the DPO shall be designated on the basis of professional qualities and in particular, expert knowledge of data protection law and practices and the abilities to fulfil the tasks referred. DPDPA places faith on the Fiduciary to exercise “Due Diligence” to select the right person with the right knowledge for the post.
The tasks required to be fulfilled by the DPO under GDPR are indicated under Article 39 and make the DPO the master of the situation in the Company. He is expected to monitor compliance, inform the employees and the organization about developments, provide advice and also act as the contact person for outsiders, including the supervisory authority and the data subjects.
The organization is expected to provide the necessary support to the DPO to enable him to discharge his responsibilities and to act independently. He is also protected by the provision that “he or she shall not be dismissed or penalized for performing his tasks and he shall report to the highest management level”.
GDPR also has an intriguing provision that the DPO shall be bound by “secrecy or confidentiality concerning the performance of his tasks in accordance with Union or Member State law”. What is intriguing is that the “Confidentiality” is stated as if it is in the interest of the State more than in the interest of the Company itself. If it was not in the State’s interest, there was no need to add this as part of the GDPR articles; it could have been left to the organization to obtain the necessary NDA. Probably this is a drafting error of the kind that often creeps in when a law tries to be more descriptive than required. India has tried to avoid this problem by not being too prescriptive.
The DPDPA makes four simple provisions that the DPO shall represent the Significant Data Fiduciary under the Act, be based in India, be responsible to the Board and be a point of contact to the data principal.
GDPR does not state a locational requirement, allows one DPO for multiple units of a group, and says that he “may be a staff member”. DPDPA specifies that the DPO should be located in India. It is silent about the possibility of one DPO for multiple group activities.
Since DPDPA specifies an “Independent” role for a Data Auditor and does not use the word “Independent” for the DPO, it is presumed that he should be an employee. It is also presumed that every legal entity which is a “Significant Data Fiduciary” will be required to appoint a DPO.
Both GDPR and DPDPA recognize that the DPO needs to report to the Board. The Rules appear to suggest that the DPO is only a person who needs to be a contact person for the Data Principals, but the need to “Represent” the company and to be “responsible to the Board” indicates that a DPO has more responsibilities than what is apparent.
While GDPR restricts the corporate freedom of the Controller to dismiss the DPO if required, DPDPA, considering the possibility of malicious damage that a DPO can cause to an organization, does not provide any extra constitutional privileges to the DPO.
In the light of the many differences that a DPO is expected to take into account in India, the “Certification” requirement of an Indian DPO is not fulfilled adequately by creating expertise in GDPR. Hence international certifications are considered inadequate. At present the only certification that is structured for an Indian DPO is the C.DPO.DA. program conducted by FDPPI. GDPR does not recognize a separate role for a “Data Auditor”, which is required in India.
Look for such certification if you want to be considered “Qualified” to be an Indian DPO or a Data Auditor.
Naavi