One of the interesting new propositions in the PDPB 2021 as compared to PDPB 2019 is the professional status of the Data Protection Officer.
Most data protection laws require that data controllers/fiduciaries who process personal data at scale, or who handle sensitive personal information, designate a special official called the "Data Protection Officer" (DPO) who is accountable for compliance.
The DPO has to have sufficient knowledge of the data protection law to guide the organization, besides adequate knowledge of security and privacy engineering to understand terms such as DPIA, Privacy by Design and Data Trust Score. Most laws also expect the DPO to handle data subject relationships and to act as the single point of contact for the regulator within the company.
The relationship with the regulator is not simply one of reporting data breaches. The law expects the DPO within the company to act as an extended arm of the Data Protection Authority (DPA).
When a data breach occurs, one of the key decisions to be taken is whether to report the breach to the DPA and, in some cases, to the data principals. But when a breach is first discovered, or when there is only a suspected breach, the company may be concerned about the reputational damage that disclosure would cause and may prefer to avoid disclosure if possible. The DPO, on the other hand, is expected to assess the harm from the perspective of the data subject/data principal and take a view accordingly. In such situations there can be a serious conflict between the DPO role and the company itself.
In certain circumstances the lapse may be attributable to an influential internal employee who would like the suspected breach to be ignored and who may try to prevent the DPO from reporting it, either within the organization or to the DPA. In such cases the DPO needs a high degree of interpersonal skill to ensure that he fulfils his duty to the DPA and the data principals, even at the cost of displeasing somebody within the organization.
These situations open up a discussion on the exclusive skills that a DPO needs to possess and on the credentials required of a person to be appointed as a DPO.
One such additional requirement is a high degree of "interpersonal skill". This is a behavioural skill normally found in HR professionals. Another is grievance redressal, a skill normally found in legal professionals. Successful leaders are either born with such skills or develop them over time through experience and learning.
Hence, when a new DPO needs to be appointed, the organization has to scout for the right skills. If the company looks for a shortcut and designates the CTO, CISO, CCO or CRO as the DPO as well, there could be a conflict with that person's other duties, and there may also be a serious deficiency of "aptitude".
For example, CISOs are typically technical experts and perfectionists. Their expertise is focussed on technology, and they are not necessarily good at people management. An HR executive or a marketing person may, on the other hand, be a good people manager and communicator but weak in technology. Most of these may not be well versed in the law either. Hence it is not always easy to find an internal candidate who fits the DPO role.
Yet another problem in promoting an existing member of staff into the DPO position is the seniority at which the position is fixed. The legal officer may be the best person for the job, but the current functional level of even the Chief Legal Officer may be below that of the CISO or CTO in a tech company. The DPO position, however, may be a level above the CISO, and not necessarily below the CISO/CTO.
GDPR (Article 38) requires that:
a) The Organization shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
b) The organization shall support the data protection officer in performing the tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
c) The organization shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks, and he or she shall not be dismissed or penalised by the controller or the processor for performing those tasks.
d) The data protection officer shall directly report to the highest management level of the controller or the processor.
The above requirements indicate that the DPO must be a senior person if he is an employee. GDPR, however, also allows an external consultant to be designated as DPO, which avoids the conflict that arises when a CISO or CTO senior in the organization's hierarchy has to accept suggestions from a less senior internal DPO.
In the Indian law (PDPB 2021), Section 26 states that the DPO shall be a
“…. a key managerial personnel in relation to a company or such other employee of equivalent capacity in case of other entities, as the case may be, possessing such qualifications and experience as may be prescribed …”
The explanation to the section mentions that
“Key managerial personnel” means—
(i) the Chief Executive Officer or the managing director or the manager;
(ii) the company secretary;
(iii) the whole-time director;
(iv) the Chief Financial Officer; or
(v) such other personnel as may be prescribed.
The Indian law also prescribes that the DPO should be located in India, and it appears that the person has to be an employee.
A careful examination of the above indicates that the DPO can be the Managing Director, the Company Secretary, a Whole-time Director or the CFO. We need to await the regulatory guidelines to understand how the DPA interprets this explanation: whether the law presumes that there is no conflict between the DPO role and the roles of CFO or Company Secretary, and whether roles such as CISO are omitted because of a perceived conflict.
Even where an external consultant is engaged by a company for his expertise, it will still be necessary for an internal employee to be designated as DPO, and that internal employee has to be key managerial personnel.
Because of this provision, it is clear that the law expects the DPO to be a fairly senior person, possibly even at the level of a whole-time director.
Additionally, under Section 85 (PDPB 2021), if an offence is attributable to the negligence of an official, he may be held liable for criminal punishment.
The position of the DPO is therefore more onerous than that of the CISO, and it is inevitable that it will be designated at the CxO level, with remuneration that matches the responsibility.
It will therefore be interesting to observe how Indian companies develop their internal employees to fill this role, or bring in outsiders at a senior level, which could cause some heartburn within the organisation.
It is therefore advisable for CISOs and CTOs to quickly gear up their skills and be ready to bid for the position of DPO. From our experience of GDPR, DPAs may treat combined designations such as Compliance Officer-cum-DPO or CISO-cum-DPO as creating a conflict of interest.
The mention of the "Company Secretary" in the list of key managerial personnel is interesting, since Company Secretaries have experience of holding a "fiduciary" relationship: they have to safeguard the interests of shareholders and act as whistle-blowers if there are violations of corporate governance principles. "Statutory Auditors", who come from the community of Chartered Accountants, are also trained to be independent in their views and to express qualifications in their audit reports if they find any non-compliance. CFOs often come from the same community of Chartered Accountants, and hence at least some of them retain the independent attitude needed to handle the fiduciary responsibilities that a DPO is expected to carry. Perhaps this is the reason the CFO is mentioned in the list of key personnel.
However, the CFO and the CEO will have their own business-related conflicts with the duties of a DPO, so conflicts may remain. Among these executives, the Company Secretary is better placed to be the DPO, though in tech companies the Company Secretary may not currently be a key position, and elevating him to the level of DPO may ruffle some feathers.
The best solution is therefore to appoint a dedicated person to the DPO position, who could be a whole-time director or an Independent Director of the company.
It is a challenge that the Boards of potential "Significant Data Fiduciaries" need to sort out quickly, so that they are ready for the passage of PDPB 2021.
(Comments welcome)
Naavi