By Ben Rapp

As in previous posts in this series, we are covering commonly held misconceptions to provide clarity over what matters to those embarking upon their DPDPA compliance journey. Our particular focus here is compliance with India's new Digital Personal Data Protection Act (DPDPA), but it is worth reiterating that the lessons are globally applicable.

In this week's post, we shine a light on the role of the Data Protection Officer (DPO). Appointing a DPO means finding someone who is trained and trusted to act independently, reporting to the highest levels of the organisation.

Misconception 9: The DPO will deal with it (and it's a part-time job)

The role of the Data Protection Officer is commonly misunderstood. In India, a DPO is required only for a Significant Data Fiduciary (SDF), although any data fiduciary may choose to appoint one. The DPO represents the fiduciary, is the point of contact for data principals seeking redress of a grievance, and must report to the Board of Directors or an equivalent governing body. The DPO is not the person, or function, responsible for operational decisions about processing and data protection, for preparing and maintaining compliance documentation and systems, or for supporting your team with training and answers to day-to-day questions.

For an organisation of any significant scale, that privacy operations role, which we call the Privacy Office, is a material undertaking: a team of people with the right training, systems and support, backed by senior management sponsorship and a network of privacy champions distributed throughout the business. Their job is to help you find the balance that allows your organisation to succeed in a data-driven world while remaining compliant with data protection rules. This is an ongoing and evolving process requiring a combination of skills and informed judgement.

The DPO, on the other hand, in addition to liaising with data principals, is your point of contact with the regulator and exists to hold you to account for compliance: an auditor and verifier, not a decider and doer. In Europe, the DPO is often described as "the embodiment of the regulator within the entity", and you must be able to demonstrate their independence and autonomy. Notably, in India SDFs will also be required to appoint an independent data auditor to evaluate their compliance, and to undertake periodic (expected to be annual) Data Protection Impact Assessments and audits. How the DPO and the auditor interact, and precisely which fiduciaries will be designated as SDFs, has yet to be clarified in the rules published to date.


-----------------------------------------------------

Read our 10 DPDPA misconceptions series

Interested in reading the series in full? Click on the links below.

Misconception 1: Data protection is all about breach prevention

Misconception 2: Compliance is just paperwork

Misconception 3: It's all about consent

Misconception 4: Personal data is PII

Misconception 5: Consumers don't care about privacy

Misconception 6: No consumers, no problem

Misconception 7: Big tech

Misconception 8: It's an IT problem, and a GRC system will solve it


Setting off on your DPDPA compliance journey?

If you’d like us to help you achieve DPDPA compliance and transform your data from a risk into an asset, you can Contact Us.

If you are looking for more information regarding DPDPA compliance, visit our DPDPA resources page.
