Naavi.org

(This  is a continuation of the previous article)

During recent discussions on the role of Independent Data Auditors, an interesting debate emerged regarding whether a Chief Information Security Officer (CISO) can effectively discharge the responsibilities of a Data Protection Officer (DPO).

The debate raises a more fundamental question: Do the objectives of the CISO and the DPO naturally converge?

Many organizations assume that they do because both functions deal with information. A closer examination, however, suggests that their primary objectives are significantly different.

The Objective of the CISO

The CISO is fundamentally responsible for protecting the organization’s information assets.

Traditionally this responsibility is expressed through the principles of Confidentiality, Integrity, and Availability (CIA). The CISO seeks to ensure that information is accessible only to authorized persons, remains accurate and trustworthy, and is available when required.

The security architecture, access controls, monitoring mechanisms, logging systems, and incident response frameworks are all designed to support the business objectives of the organization.

The CISO therefore operates primarily from the perspective of organizational risk.

The Objective of the DPO

The DPO operates under a different mandate.

The DPO’s role originates from law rather than from business necessity. Under DPDPA 2023, the processing of personal data is expected to be aligned with the rights of the Data Principal, except in situations specifically exempted by law.

Questions such as:

• • Who may access personal data?
  • For what purpose?
  • For how long?
  • Under what authority?
  • Subject to what rights of correction, access, grievance, or nomination?

are driven not merely by organizational convenience but by the rights recognized under law.

While the DPO is appointed and compensated by the Data Fiduciary, the essence of the role is to ensure that the interests of the Data Principal are respected.

Where the Conflict Arises

The management of an organization naturally seeks to maximize business value from information assets available to it, including customer information wherever legally permissible.

The CISO supports this objective by ensuring that information remains secure and usable.

The DPO, however, must ask a different question.

Not “Can we use this data securely?”

but

“Should we be using this data at all?”

This distinction creates an inherent tension.

A security professional may advocate longer retention periods to support forensic investigations.

A privacy professional may advocate deletion once the original purpose is exhausted.

A security team may seek extensive monitoring to detect insider threats.

A DPO may question whether such monitoring is proportionate and necessary.

The conflict is not accidental. It is built into the governance framework.

Why DPDPA Recognizes Both Perspectives

DPDPA acknowledges that information security is essential and therefore recognizes several legitimate-use situations where security interests may justify processing.

However, the Act does not subordinate privacy rights to security objectives.

Instead, it attempts to balance both interests.

This balancing exercise requires an independent voice within the organization that is capable of representing the perspective of the Data Principal.

Conclusion

The most mature organizations recognize that the CISO and DPO are not substitutes for one another.

The CISO is the guardian of information assets.

The DPO is the guardian of privacy rights.

The Board must balance both perspectives.

When disagreements arise between the two functions, it is often evidence that the governance system is functioning properly. The tension between security and privacy is not a weakness. It is an essential mechanism for ensuring that organizational objectives do not inadvertently override the rights of individuals.

The next question that naturally follows is whether a similar tension should also be reflected in the DPDPA audit process itself.

Naavi

The discussions held on June 6th regarding the role of Independent Data Auditors under DPDPA 2023 generated a number of insightful observations. Among them, two issues stood out as being particularly significant for the future evolution of DPDPA compliance and audit practices in India.

The first concerns the role of the Data Protection Officer (DPO) and whether a person whose primary responsibility is Information Security—such as a Chief Information Security Officer (CISO)—can effectively discharge the responsibilities of a DPO.

The second concerns the independence of the DPDPA audit process itself. If compliance audits are expected to protect the interests of Data Principals in addition to the interests of the organization, should the scope of the audit be determined solely by management, or should there be an independent validation of the scoping assumptions?

At first glance these may appear to be unrelated questions. However, both arise from a common concern: the need to balance the interests of the Data Fiduciary with the interests of the Data Principal.

A DPDPA compliance framework cannot be viewed merely as an extension of Information Security. Nor can a DPDPA audit be viewed merely as another management-controlled assurance exercise. The Act introduces a new stakeholder into governance discussions—the Data Principal—and requires organizations to consciously account for that stakeholder’s rights and interests.

In this context, it is useful to separately examine:

1. Why the objectives of the CISO and the DPO may diverge, and whether the two roles should be combined; and
2. Whether management should have unrestricted authority to define the scope of a DPDPA audit.

The next two blogs attempts to initiate a discussion on these issues. The observations are exploratory and are intended to stimulate debate among privacy professionals, auditors, DPOs, CISOs, and policy makers.

Naavi

The potential conflict between the implementation of the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and the Right to Information Act has already been recognized and is currently under consideration before the Supreme Court. However, another important area of possible regulatory overlap appears to have escaped the attention of both industry and compliance professionals—the interaction between the POSH Act and DPDPA 2023.

The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (POSH Act) applies to both public and private sector organizations and imposes several statutory obligations on employers. These include:

• Constituting an Internal Committee (IC) comprising a senior woman employee as Presiding Officer, two employee members, and an external member.
• Providing a safe working environment for women employees.
• Formulating and communicating a POSH policy.
• Conducting awareness and training programs.
• Providing administrative support to the Internal Committee.
• Maintaining confidentiality of complainants and proceedings.
• Providing support and protection to complainants.
• Maintaining records and filing statutory reports.
• Treating sexual harassment as misconduct and imposing appropriate disciplinary action.

While these obligations are well understood from an employment law perspective, the implications under DPDPA 2023 have not yet been adequately examined.

Emerging Areas of Conflict

Several provisions of DPDPA 2023 may create practical challenges when applied to POSH-related investigations and records.

1. Right of the Respondent to Information

DPDPA grants Data Principals the right to know how their personal data is being processed. A respondent in a POSH proceeding may therefore seek details regarding the collection, use, storage, and disclosure of information relating to the complaint.

How should an organization balance such requests with the confidentiality obligations imposed by the POSH Act?

2. Requests for Correction or Erasure

A respondent may exercise rights under DPDPA to seek correction, completion, updating, or erasure of personal data maintained by the organization.

However, records relating to a POSH complaint may need to be preserved for statutory, evidentiary, disciplinary, or appellate purposes. In some situations, the respondent may not even be aware that certain information is being retained as part of an ongoing or concluded POSH process.

Can such requests be denied? If so, under what legal justification?

3. Grievance Redressal Rights

DPDPA requires organizations to establish grievance redressal mechanisms for Data Principals.

If a respondent disputes the handling of his personal data in connection with a POSH investigation, should the matter be addressed through the DPDPA grievance process, the POSH process, or both? The possibility of parallel proceedings cannot be ignored.

4. Rights of Nominees

DPDPA introduces the concept of nomination, under which certain rights may devolve upon a nominee in specified circumstances.

The implications of such rights in relation to sensitive POSH records require careful examination. The confidentiality framework under the POSH Act was never designed with such a concept in mind.

Additional Legal Dimensions

The complexity does not end with DPDPA.

Other laws may also influence the rights and obligations of parties involved in a POSH complaint, including:

• The Information Technology Act, 2000, particularly provisions relating to obscene electronic content.
• Relevant provisions of the Bharatiya Nyaya Sanhita (BNS), including offences such as cyber-stalking and electronic harassment.
• The Bharatiya Sakshya Adhiniyam (BSA), particularly provisions relating to admissibility and certification of electronic evidence.
• Employment and disciplinary laws governing workplace misconduct.

Consequently, a single POSH complaint today may involve a complex interplay of privacy rights, evidentiary requirements, employment obligations, criminal law considerations, and data protection principles.

The Need for a Harmonized Approach

Organizations can no longer treat POSH compliance and DPDPA compliance as independent silos. The preservation of confidentiality under POSH may appear to conflict with transparency obligations under DPDPA. Similarly, data subject rights under DPDPA may collide with statutory record-retention requirements under POSH.

Unless these issues are examined and harmonized, organizations may find themselves caught between competing legal obligations. In practical terms, this could create tensions between the Human Resources function, which is responsible for POSH compliance, and the Data Protection Officer, who is responsible for DPDPA compliance.

The challenge before compliance professionals is therefore not merely to comply with both laws independently, but to develop governance frameworks that enable both statutes to operate without undermining each other.

The issue deserves serious examination before the first major dispute brings these conflicts into sharp focus.

(P.S: Consequent  to this chain of thought, the DGPSI-HR framework may be extended with implementation specifications that addresses conflict with POSH Act, ITA 2000 and RTI Act in the next version.)

Naavi

In continuation of our discussions on how to maintain independence of the “Independent  Data Auditors” in a DPDPA compliance scenario, we discussed the need for share holders to approve the appointment so that the auditor does not feel obligated to the management which makes the payments.

One other best practice criteria which Naavi would like to suggest is  that no Data Auditor should continue to audit the same company for more than  3 consecutive years. This is also consistent with the norms adopted by the statutory financial auditors.

This will be currently suggested for the empanelled auditors of AIDAI as part of the self regulation of the auditors as an ethical conduct.

FDPPI in its mechanism for regulating the Certification partners who conduct their audits would include this as a requirement so that auditors who donot adhere to this norm may lose the accreditation status.

Currently we shall try to include this in the Code of Conduct for AIDAI empanelled Auditors and try to implement it.

Naavi

We are aware that one of the aspects that supports independence of a financial auditor is because the statutory financial auditor is appointed by the share holders of a company. Hence the Auditors are able to qualify the report if required and also report frauds to the regulatory authorities without feeling obligated to the management which may fix their remuneration.

Naavi would like to propose a similar scheme for Independent Data Auditors. What this practically means is that the Independent Data Auditor appointed by a Significant Data Fiduciary should be approved by the share holders of a company (in the case of public limited companies) or through a Board resolution (In the case of private limited companies) and an appropriate  Governance body in the case of Government agencies.

Initially this will be suggested in the engagement contract which an AIDAI empanelled auditor would like to obtain from the management of a company.

This will be a best  practice suggestion for the drafting of the engagement contract (a suggested model contract of which will be shared in the CIDA training.)

Naavi

A recent news report indicates that Anthropic, the company behind Claude AI, has extended access to its highly restricted cybersecurity-focused AI model “Mythos” to a select group of organizations across several countries, including India.

What makes this development noteworthy is that India appears to be the only major non-US allied nation included in the current group, while China remains excluded. This signals a growing international recognition of India’s role in the global cybersecurity ecosystem.

Unlike conventional AI models designed for general-purpose applications, Mythos is reportedly capable of identifying software vulnerabilities at a scale that rivals or exceeds human security researchers. Such capabilities can help organizations discover weaknesses in operating systems, browsers, and enterprise software before malicious actors exploit them.

The significance of this development extends beyond technology.

First, it reflects confidence in India’s software talent pool, digital public infrastructure, and cybersecurity capabilities. India’s vast digital ecosystem—spanning banking, telecommunications, digital identity, payments, and public services—offers a unique environment for testing and improving cyber defence technologies.

Second, the move highlights the growing geopolitical importance of AI. Advanced cybersecurity AI tools are increasingly becoming strategic assets comparable to cryptographic technologies, advanced semiconductors, and other national-security capabilities. India’s inclusion in this restricted circle suggests that it is being viewed as a trusted participant in the emerging global AI-security architecture.

Third, the development should be of particular interest to Indian regulators, DPOs, cybersecurity professionals, and Independent Data Auditors. As AI systems begin to play a direct role in vulnerability discovery, risk assessment, and cyber defence, questions of accountability, transparency, governance, and compliance will become increasingly important.

For India, access to such technologies can provide a significant defensive advantage. At the same time, it underscores the need to develop indigenous capabilities so that cybersecurity resilience is built on sovereign foundations rather than dependence on foreign-controlled platforms.

Whether Mythos ultimately proves as transformative as its proponents claim remains to be seen. However, the message is clear: cybersecurity is rapidly becoming an AI-driven domain, and India has now been invited to participate in shaping that future.

The challenge before India is not merely to use such technologies, but to build the governance, audit, and assurance frameworks necessary to ensure that AI-driven cybersecurity remains accountable, trustworthy, and aligned with national interests.

Naavi