What makes an effective Data Protection Authority tick? #PrivacyNama2021

Data protection commissioners from various countries speak from experience on the makings of an effective DPA.

“A lot of us come from environments where our governments are very quick to pass these (data protection) laws. And invariably it’s a lot easier to push for legislations to be passed. But then, when we setup these institutions, one thing we find is that we do not resource them,” said former Executive Director of Ghana’s Data Protection Commission, Teki Akuetteh Falconer.

Falconer, along with Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, and Raymund Liboro, the Chairman of the Philippines’ National Privacy Commission, made these comments in a conversation with Malavika Raghvan (Future of Privacy Forum) at PrivacyNama 2021, a global conference on privacy regulations held on October 6 and 7.

India’s proposed Personal Data Protection Bill has provisions for setting up data protection authorities. Since the bill will be passed sooner or later, it is important to note the kind of problems countries with data protection authorities have faced while trying to set up these institutions. Here’s what the panelists had to say about what makes a DPA tick:

First, get your leadership right

“One of the key recommendations that I will make is that, beyond the passage of the laws, we need the right political buy-in leadership, and by political leadership, I’m not just talking about the executive leaders, but it is also very important to put in place a framework that actually helps operationalise the laws,” said Falconer.

She said it is important to have the right person at the top because a data protection authority would essentially be a new institution and very few people would be familiar with it. “We also need the right institutional leadership and, this is very important for a new institution that is being set up. You actually need it to encompass the embodiments of the individuals that are going to actually push and drive other institutions because nobody knows the institution,” Falconer added.

Giving an example from her time in Ghana’s Data Protection Commission, Falconer said:

In our case we had a very good driving chair that was a retired Supreme Court justice that was highly respected with a lot of knowledge around human rights issues. We had people like the government, statisticians sitting on our board, and it really gave a lot of credence to the organisation that they created.

Without going into specifics, Liboro said, “There is no particular playbook in organising data protection authority. However for starters, as an authority, you have to assert your leadership. So many of your constituents will be looking to you for leadership and clarity. So really I think the aim always of the DPA is to provide clarity, and that includes now, again breaking down these concepts from really theoretical concepts into something that they can see some benefit from.”

Resources, resources, and more resources

Falconer recounted how it took more than three years since 2012 before Ghana’s DPA got the first approval to hire permanent staff for the institution. This was mostly because there was not enough financial backing for the institution back then, and also because there was a lack of human resources.

She said, “We started operations somewhere in 2012 and it took us more than three years for final approvals to come through for hiring permanent staff. This affected a number of things. We did not have the adequate financial resources that we needed to equip the organization.”

“Another challenge that you are going to face, is regarding the human resource capacity that is needed. We did not even have the adequate resources to even hire people that had the knowledge and skillset to be able to help us. Putting in place the right resources is really going to help enable the organization,” she said.

How to solve the constraint of resources?

  • Strategise: She said one has to strategise and prioritise the “most important things”.
  • Learning from others: She also said that it is important to learn from others.

    In our case the ICO, Information Commissioner’s Office of the UK offered tremendous support to us. And we chose them predominantly because we had similar legal systems and structures. So you could actually see how implementation would work and all that. And we took a lot of learning from then and even tried to have some kind of exchange, and they were very supportive. So, you need to identify the right community and identify somebody that has done it, has done it well, and don’t be afraid to learn from them — Teki Akuetteh Falconer

  • Cooperation and collaboration: Falconer recounted how signing up for a global privacy assembly gave her the chance to meet other people in similar domains and develop relationships.

    I remember I was quite elated in our first meeting of the international conference in Mauritius, where I met the Mauritian DPA who was almost as young as me and she shared her own experiences… So finding like-minded people that have gone through similar experiences and sharing with them, even on an informal level, helps. And the Global Privacy Assembly at that time… the Information Commissioner’s conference, really helped module the kind of DPA that we wanted. — Teki Akuetteh Falconer

Make sure your work is visible

Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, who started working in this field in the 1990s, said that initially DPAs did not have much power. “They were rather a complaint handling body to de-escalate. During this time there were not high fines, and no big compliance risks.”

She said that this changed in 2018 with the European Union’s General Data Protection Rules, and with that the powers of DPAs have improved. “It also changed the perception of privacy among citizens. Everybody knew they had rights, that they wanted data protection authorities to help them,” Hansen said.

And therefore, you have to tell the stories, you have to be visible, you have to make sure that both privacy disasters are understood and hopefully prevented. It’s my job to prevent disasters, still, if there are no disasters it seems that people don’t learn. And on the other hand, show also the solutions — Marit Hansen

Hansen said that it gets harder for a DPA to work without visibility. “So, make visible what is happening, make visible the risk, and then also make sure that there are solutions, that they present them, and that people have the feeling they can do something and don’t give up. And without visibility it’s much much harder,” she added.

Give time for companies to be compliant

While responding to a question on time needed for companies to be compliant, Falconer said Ghana took at least 5-10 years to ensure operationalisation of the law. “One of the things we realized at that time with a staff of five was that there was no way we could register all data controllers across the country manually. So we had to leverage on technology. But of course we gave ourselves the first 3-4 years of awareness creation and then use the last part of those 3-4 years to start the registration exercise.”

Hansen said that since Germany had already had a privacy directive similar to the GDPR in place since 1995, two years were given for compliance. “I think the two years were fair for the GDPR especially because we had… from 1995 already a directive in principle not so different. So everybody should have had all their safeguards already in place perhaps an another way of phrasing,” she said.

Build awareness to make data privacy legislations more humane

“What we did in the Philippines is that we came up in a very first year with a very strong awareness campaign… Complaints will not happen overnight, Nikhil. It will gradually build up because people become more aware,” Liboro said while explaining the importance of running an awareness campaign to kickstart a DPA.

He added that while these awareness drives are being carried out, one can use that time to build capacity and train personnel. “That’s why here in the Philippines what we did was really promote the role of data protection officers. We understand that we will never have enough sufficient resources to enforce our law, so we need allies, we need deputies. So we had to deputize, and we did that,” Liboro said.

You have to push in a lot of awareness in demystifying the subjects from the technical point of view to a more humane, a more human-centric environment where people can now personally identify with the data protection issues. That also helps with creation of more awareness and dissemination — Falconer

Falconer also reiterated the need to spread awareness but with the help of media. “We did not have any resources at all, and so we had to even leverage on traditional media, and they become like our partners in disseminating and identifying public issues around data protection, and we always use those opportunities to further heighten awareness,” she said.

Decrease friction with other regulators and reduce turf wars

When one or two government institutions have similar rules, or their functions clash with each other, it often turns into a power play. This is not uncommon in governments and, as Falconer pointed out, it could very well have happened during her stint at Ghana’s Data Protection Commission if the right appointments had not been made at the beginning.

One of the best ways of handling those power role issue and powerplay challenges around the leadership and institutional drive is to ensure that most of those people in critical institutions had place in the governing structure of the regulator. So, for instance, our regulator had a key institutional role. — Falconer

She further explained, “We had the communications regulator on our board; we had the ICT authority on our board; we had the central bank representative on our board; we even had ICT institutional reps, association reps on our board. And what that meant is that we were then able to, at the board level, create a system of buy-in from these critical sectors and institutional people to actually help push and disseminate the importance of the decisions that we had taken in the board room which was then going to come up.”


MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).


Update, October 20, 12.40: Added more details
