The new Digital Personal Data Protection Act mandates a Data Protection Officer for every organization handling the personal data of individuals. As it emerges as a hot role, there are more questions than answers. Our research reveals that the India DPOverse is expected to have its own unique character.
The Digital Personal Data Protection Act, 2023 mandates that every Data Fiduciary (an entity handling personal data, as defined by the Act) must appoint a Data Protection Officer who shall represent the Data Fiduciary under the provisions of this Act and be based in India. The Data Protection Officer shall be an individual responsible to the Board of Directors or similar governing body of the Data Fiduciary.
The Data Protection Officer shall be the point of contact for the grievance redressal mechanism. Understandably, there is a lot of interest around DPOs: what is expected from them, and what kind of persons would be the most suitable candidates for DPO roles.
We did some research to understand the early trends, which can give a glimpse into the DPOverse as it stands today. They should be taken for what they are: very early trends that can change.
So, here they are.
Not too many organizations have appointed DPOs yet. We kept our research confined to large and medium commercial organizations. There, too, not many of the companies that would be required to appoint DPOs have appointed them. This is a little surprising, considering the personal data protection legislation has been in the making for at least five years, even though the bill was passed only recently.
Eight out of ten companies having a designated DPO belong to one of these three categories. For our research, we studied DPO positions of 50 companies. Thirty-nine of them fall into one of these three categories. Interestingly, their prime responsibilities are slightly different.
BFSI: By far, the biggest group to have designated DPOs are the banking, financial services, and insurance companies doing business in India. Of the 50 companies we researched, as many as 16 are from BFSI. They include top Indian banks such as State Bank of India, ICICI Bank, and HDFC Bank, as well as foreign banks such as Deutsche Bank and HSBC. India's largest insurer, Life Insurance Corporation (LIC), has appointed its DPO. All these DPOs' responsibilities include protecting the personal data of Indian citizens. Some Indian financial services companies operating in other geographies have their separate DPOs based in those geographies. For our research, we have not considered them. Other major BFSI companies having a designated DPO include Edelweiss Financial Services, SBI Life Insurance, and National Payment Corporation of India.
IT/ITES: Most IT/BPO companies have had Data Privacy / Protection Officers for some time. These are mostly export-oriented companies, and their DPOs are primarily responsible for protecting the personal data they handle on behalf of their overseas clients, helping those clients comply with the data protection regulations, such as GDPR, of the geographies where they do business. In that sense, they have little to do with the DPDP Act unless they do business in India, too, like TCS and Infosys. IT/ITES companies account for India's second-largest chunk of DPOs.
Regional DPOs of MNCs: Unlike the first two categories, this one is not mutually exclusive with the other two. It includes a few BFSI and IT/ITES companies, too. But beyond these two sectors, there are quite a few other types of companies. Interestingly, many of these DPOs have Asia/APAC responsibilities, including that of India. We have considered them for the purpose of our research if they are based in India. Some examples include DHL, BNP Paribas, and Whirlpool Corporation.
The sectors that follow BFSI and IT/ITES in having designated DPOs are Pharmaceutical (Merck, Sanofi, Dr. Reddy's), e-commerce (Flipkart, Tata Digital, OLX Autos), and Automobiles (Maruti Suzuki, Renault Group, Spark Minda).
Tech rules DPOverse almost: In sharp contrast to the trends in the US and Europe, where lawyers dominate senior data privacy roles, in India, the early trends show information security professionals having an edge over others in being appointed as DPOs. Our data shows that most DPOs today have a technology background. In our sample of 50 large and medium companies, as many as 20 DPOs come with a technology background, while 13 come with a legal background. Nine DPOs are professionals who have typically handled risk and compliance functions. The rest are from core vertical-specific functions or have come from consulting.
Interestingly, there are seven DPOs who are currently the company's CISO as well. The trend is not confined to any specific industry or companies of any particular size. Examples include:
- IT companies like Birlasoft, Zensar, and Infogain;
- manufacturers like JK Lakshmi Cements;
- India's largest insurer, Life Insurance Corporation.
Women aplenty: One of the trends to notice in the emerging DPOverse is that there are comparatively more women as DPOs than, say, CIOs and CISOs. As many as 13 of the 50 DPOs we studied are women. That is 26 percent. The corresponding figure for CIOs and CISOs is hardly 3 to 4 percent.
The significant finding is that women as DPOs aren't restricted to any one industry.
While this research was done to understand the trends in the emerging DPOverse, it must be clarified that these are early trends. Considering that many companies are yet to appoint DPOs, these may change. But as they say, morning shows the day.