As the personal data protection regime set in India with the Digital Personal Data Protection Act, organizations dealing with personal data are mandated to appoint a Data Protection Officer who would ensure that the organization is compliant with the law and would handle all grievances regarding personal data.
India, Inc., by and large, has yet to appoint its DPOs. Except for Banking, Financial Services, and Insurance (BFSI), few sectors have appointed DPOs. While the IT/ITES industry has quite a few designated DPOs, their prime responsibility is ensuring data protection compliance of their clients overseas. They are concerned about the data protection regulations in their clients' geographies, such as GDPR. In that sense, they have little to do with the DPDP Act of India.
The quest for the ideal DPO
Whenever there is a new opportunity, it usually demands a few different skills and experiences, typically not found in people from any one traditional background. So, there is always a debate about the right candidate for the new position. When companies started hiring Chief Digital Officers, there was a debate about whether marketing or tech professionals would fit the role better. What ultimately happens depends on some factors, including how the expectations around the job evolve. CIO&LEADER's research showed that in the case of CDOs, the core business people initially occupied these positions the most, followed by technology professionals, with very few marketing people seen in those roles. But as the initial concept selling was done, with more than a bit of help from the pandemic, it evolved into an out-and-out technology job. Today, the CIOs occupy the CDO positions.
In the case of DPOs, there are multiple claimants to the position. In the US and Europe, it is the lawyers who have predominantly occupied data privacy roles. Is it going to be the same in India?
Our research shows very different trends (a word of caution: these are very early trends) in India; people with a background in IT/information security are occupying the DPO positions the most. In the 50 large and medium companies we researched, as many as 20 DPOs have a technology background, while 13 have a legal background. Nine DPOs are professionals who have typically handled risk compliance functions. The rest are from core vertical-specific functions or have come from consulting. Interestingly, seven DPOs are currently the company's CISO as well.
Are you game?
Stats apart, the excitement of information security professionals about this 'hot' new opportunity is difficult to miss. DPDP Act is the most discussed topic today in CISO circles. Many IS professionals have updated their LinkedIn profiles to include and prominently display data privacy as a skill they possess. Many have even completed certification in data privacy. Some have even done a Certified Data Protection Officer (CDPO) certification offered by a private Institute.
Prospects of becoming a DPO have certainly charged up the community - for good reasons.
But before pursuing the new opportunity, it's better to demystify it and understand what it is and is not.
An IS professional should ask the following questions before venturing to take the position.
- What are the roles and responsibilities of a DPO?
- What are the skills that I possess?
- What are the skills that I don't have but would be excited to learn?
- What skills do I don't have and need to be more kind to learn, and are they critical for the role?
- Do I want to switch from my current information security role, or do I want to keep both?
- Will I have adequate time and resources if I want to keep both?
Since every question other than the first would have different answers for different individuals, we will not get into them here. We will discuss the roles and responsibilities of DPOs here but will examine them from the viewpoint of the IS professionals' generic roles and skills.
Roles and responsibilities of the DPO
The DPO should ideally have three broad responsibilities. They are
- Ensuring that the law must protect the personal data the company is dealing with. As broad as it sounds, it can be broken down into three specific tasks.
- Ensure data protection by deploying the right technologies and setting up the right processes. DPO or no DPO, this is the CISO's defined role anyway. So, this should not be a problem for the CISO.
- Champion healthy data protection practices within the organization by educating the employees.
- Conduct periodic tests and audits to ensure that compliance is foolproof.
By and large, IS professionals can handle these responsibilities well:
- Handling grievances raised by customers/data principals. This is a different type of responsibility than what CISOs have managed so far. While the volume of such grievances and complaints has yet to be discovered ( traditionally, India has been a privacy-insensitive country), this remains the most challenging responsibility for the CISOs, especially those who want to handle both the CISO and DPO responsibilities. Not only is the area new, but the magnitude of the work is significant.
- Dealing with data protection authority. This is occasional work, and the magnitude is inversely proportional to the quality you achieve in the first responsibility. If you do a good job of that, the need to do this will be minimized. Not too much of a challenge for the CISOs
Critical deciding factors
The Critical question is: Is it the DPO position that you are excited about, or are you looking at furthering your career as an information security professional? If the answer is the latter and the DPO position is just a way to do that, it is a very costly way to achieve that.
However, if you are excited about the DPO position, knowing fully well what it entails, all the best to you. Even if you have not done a certain kind of work, you can always learn.
Having said that, some organizations would surely like their CISOs to handle the DPO position, give them adequate resources, and provide a conducive environment for them to succeed.
The jury is still out on that one.
Image Source: Freepik