Once India's personal data protection legislation comes into effect, thousands of organizations will need to appoint data protection officers. Information security (IS) professionals could be serious contenders for those positions.
The Justice BN Srikrishna committee, formed to draft India's privacy legislation, has presented its draft bill, called the Personal Data Protection Bill 2018. The draft was prepared after public consultation on a discussion white paper. The white paper itself was prepared after reviewing privacy regulations across the world, and many of its provisions match, point by point, those of the best known of them all, the European Union's General Data Protection Regulation (GDPR).
When it becomes law, the bill will require organizations dealing with the personal data of individuals (called data fiduciaries by the bill) to comply with a number of provisions that ensure the data principal (the individual whose personal data is being dealt with) has reasonable control over how his or her data is used. One significant way in which it differs from GDPR is that the Indian draft bill does not explicitly acknowledge the data principal as the 'owner' of that data. A major practical implication of this difference is that the Indian draft does not give the data principal a GDPR-style right to erasure, an important and difficult-to-achieve requirement under GDPR.
To ensure that the privacy requirements are adhered to and that the obligations arising from the rights of data principals are met, the bill (like other privacy legislations) takes a 'privacy by design' approach. In Chapter VII, Section 36, the Indian draft bill explicitly mandates that every data fiduciary appoint a Data Protection Officer.
The Data Protection Officer (DPO), besides advising the data fiduciary on how to meet the compliance requirements of the bill, will also be the point of contact for the regulator and for the data principals (the citizens whose data is being processed). The bill allows the DPO to carry out other responsibilities within the company as well. Nothing in the Indian draft explicitly names a role or reporting structure that would conflict with the DPO role, unlike, for example, the RBI and IRDA mandates that CISOs in banks and insurance companies respectively should not report to the CIO. It is understood, however, that data fiduciaries, in the interest of their own ability to meet the compliance requirements, should keep the DPO role as independent as possible of any regular functional role.
Who is suitable for a DPO role?
So, who would make a good candidate for a DPO role? And are information security professionals such as CISOs a good choice to carry out the responsibility?
To answer that, we must look at the role as specified by the draft bill, examine what skills, knowledge and experience are useful in fulfilling its duties, and ask whether IS professionals fit the role.
Here are the specific responsibilities listed by the draft bill:
- Providing information and advice on fulfilling obligations: This is mostly about knowledge of the legislation and experience with it. It can be carried out by any professional who has both. That could be a legal professional, an IS professional or any other business professional who has worked in compliance.
- Monitoring data processing activities: Typically, IS or quality professionals would be best suited to this responsibility.
- Providing advice on, and carrying out, impact assessments: Again, a quality or IS professional should be able to discharge this responsibility effectively.
- Setting up internal mechanisms: Operations, quality and process professionals are the best people to do this. IT/IS professionals with considerable experience in process or project management can also be good candidates.
- Providing assistance to the Data Protection Authority: Typically, legal professionals do this better, as it may require continuously assessing the validity of a request and working out how to meet it with minimum effort.
- Acting as point of contact for data principals: Traditionally, none of the roles that are good breeding grounds for DPOs are customer-facing. So this is anyone's guess; it depends on the individual.
- Record keeping of data processing: This requires the DPO to keep a record of when and how data is collected, processed, stored and erased. Any good process professional can do this, but IS executives are especially suited to it, since most of the challenges here will be technological.
In regulated industries where the sectoral regulator already imposes some kind of data safety/protection requirement, those responsible for complying with that regulation should be an automatic choice to take on the DPO responsibility.
Who is handling the role in large global companies, especially those operating significantly in more mature markets with democratic governments?
To get a cue, we looked at the top Fortune Global 500 companies to find out the trends. Here are some of the findings.
In many large organizations, the role falls under the Compliance function, headed by a Chief Compliance Officer, and in many of them the Chief Compliance Officer is the accountable DPO. Take Volkswagen, the 7th largest listed corporation in the Fortune Global 500 of 2018. The automotive major has a Chief Compliance Officer, Kurt Michels, who is responsible for privacy overall. Same with Toyota, whose North American business has a Chief Compliance Officer, Jacqueline Thomas, responsible for data protection and privacy.
But many large organizations, most notably those that deal primarily with consumer data, have long had Chief Privacy Officers responsible for privacy policies and their implementation, with remits that span compliance, practices, technology and more. The world's largest corporation, Wal-Mart, has a Chief Privacy Officer, Jonathon Avila, who is responsible for privacy and data protection. So does Royal Dutch Shell, where a Group Chief Privacy Officer, Helen Graham, carries out the responsibility. BT, Microsoft, Apple and a host of other tech and information-centric companies have such positions. These positions existed well before the recent wave of data protection legislation.
More recently, and most significantly post GDPR, many have appointed senior executives explicitly carrying the designation of Data Protection Officer, Chief Data Protection Officer or Group Data Protection Officer. Insurance major Allianz (38th in the Fortune Global 500) has Dr Philipp Raether as Group Chief Data Protection Officer. BNP Paribas, the 44th largest global corporation by the Fortune Global 500, has given the responsibility to its Chief Cyber & Technology Risk Officer, Ramy Houssaini.
Most of these positions, whether Chief Compliance Officer, Chief Privacy Officer or Data Protection Officer, are held by legal professionals. Wal-Mart's Avila, Shell's Graham, Volkswagen's Michels, Apple's Jane Horvath, Allianz's Dr Raether and BT's Emila Chantzi are all attorneys.
The notable exceptions include BNP Paribas' Houssaini and Microsoft's Chief Privacy Officer, Brendon Lynch (Microsoft is the 71st largest corporation in the Fortune Global 500). Houssaini is a tech professional, while Lynch is a career risk and privacy professional. Interestingly, Microsoft announced the appointment of an EU Data Protection Officer just before GDPR took effect. Steve May, the person appointed to that position, is also a business executive rather than a lawyer.
So, here is the summary:
- Many large corporations already had Chief Privacy Officers. Some of them are now appointing geography-specific DPOs. The Indian draft bill also explicitly mandates that non-Indian companies have a DPO based in India.
- Some have now appointed Data Protection Officers in name.
- Most of those holding these positions, whatever the title and however broad or narrow the scope, come from legal backgrounds. There are notable exceptions, though.
Indian companies that have to comply with GDPR and other country-specific regulations have also started appointing privacy/data protection officers. As can be expected, most of them are IT/BPO companies. Interestingly, the executives appointed by Indian companies bring a wide range of experience and backgrounds.
Infosys' global DPO, Srinivas Poosarla, is a quality professional. So is NIIT's recently appointed DPO, Vivek Kumar. Those with an IT/IS background include L&T Infotech's DPO, Vikram Patil, and Quatrro's Chief Privacy Officer, Ganesh Viswanathan, who is also the company's CISO. Ramco's Global Chief Data Protection Officer, K Satish Kumar, is a legal professional. Indian companies seem more open about the background of their DPOs, but with a corollary: so far, it is the IT companies that have appointed people to these positions.
Is there a path for IS professionals?
As global practice shows, legal professionals dominate the DPO landscape. Does that mean IS professionals do not have a chance?
We do not think so. Here is why.
One, privacy regulations are still evolving. Most organizations want to get it right and comply as soon as possible. At this stage, what they need is people who can understand the legalese and defend them if required, which explains why so many legal professionals are being appointed. As understanding matures and interpreting clauses ceases to be an everyday job, organizations may switch to people who can get the work done, continuously enhance the organization's capability, and ensure that newer targeted attacks aimed at stealing personal data are effectively thwarted. CISOs and IS professionals fit that role far better.
Two, in India there are simply not many legal professionals who are well versed in technology. So many Indian companies will engage legal consultants while turning to tech people to carry out the actual tasks that prevent non-compliance. It is primarily a tech job.
The fact is that this job requires knowledge of the law, of technology, and prior experience with compliance. Legal professionals who familiarize themselves with tech, and IS professionals who familiarize themselves with the finer nuances of the law, both have opportunities before them.
Like the CISO role, it is a constant battle. If you love that kind of challenge, this is something you should seriously consider.
A practical tip: look at the job descriptions of people holding these positions on LinkedIn, or at positions advertised anywhere in the world. Here is one such advertisement, by Cathay Pacific: https://careers.cathaypacific.com/jobs/data-protection-officer-5790049
That will give you a fair idea of what organizations are looking for.