wordpress blog stats
Connect with us

Hi, what are you looking for?

Data Protection Bill 2021: What role will Data Protection Officers have to perform

A parliamentary committee recommends who should be a data protection officer and what exactly they should do.

The Data Protection Bill, 2021 presented by the Joint Parliamentary Committee (JPC) talks about Data Protection Officers (DPO) who will be appointed by data fiduciaries and will be responsible for adhering to the provisions of the Bill. The JPC has made it clear that a DPO can only be a person of “key managerial position” such as a Chief Executive Officer, Chief Financial Officer, and other similar roles.

Here’s a detailed look at the various functions of Data Protection Officers employed by data fiduciaries.

Definition of Data Protection Officer (Clause 3)

Clause 3, where the definitions of the key terms in the Acts are provided, finds the inclusion of a Data Protection Officer. The Bill defined a Data Protection Officer as an officer who will be appointed by a significant data fiduciary under Section 30 of the Bill.

Earlier draft: Clause 3 did not have the definition of Data Protection Officer.

Reason for change: The Committee said that since the Data Protection Officer plays an important role in the implementation of the legislation, it was of the view that the definition of the role be added in Clause 3.

Advertisement. Scroll to continue reading.

Functions of Data Protection Officers (Clause 30)

Clause 30 of the draft mandates that every significant data fiduciary shall appoint a data protection officer who will be responsible for carrying out these functions —

  • Providing information and advice to the data fiduciary on matters related to the Act
  • Assisting and cooperating with authority on matters of compliance of data fiduciary
  • Monitoring personal data processing activities of the data fiduciary
  • Providing advice to the fiduciary on carrying out data protection impact assessments
  • Providing advice to data fiduciary on the development of internal mechanisms that satisfy accountability and transparency requirements under Clause 22
  • Providing assistance on matters of compliance with the Act
  • Act as point of contact for data principal for grievance redressal under Section 32
  • Maintaining an inventory of records under Section 28

The draft stated that one cannot be appointed as a data protection officer unless the person is a “senior level officer or key managerial person” having adequate knowledge in technical matters, particularly data protection or privacy. These are the officers which the draft said, falls under the term “key managerial personnel” —

  • Chief Executive Officer or Managing Director or the manager
  • Company secretary
  • Whole time director
  • Chief Financial Officer
  • Others

It has also stated that there should not be any conflict of interest between the DPO and their interest in the data fiduciary when they perform the functions under Clause 30. The draft said that a DPO should be ‘mandatorily be appointed within India’.

Earlier draft: It did not mention that a data protection officer cannot be appointed unless he or she is a key managerial person with knowledge of technical matters, especially on privacy. The functions of a Data Protection Officer earlier did not involve cooperating with the data protection authority on matters of compliance of the data fiduciary. The previous draft did not specify which “key managerial personnel” can be appointed as a Data Protection Officer.

Reasons for change: The Committee found that there is no mention of any specific qualification or position of the officer in the company. “The Committee therefore, desires that since a Data Protection Officer plays a vital role under the provisions of this Bill, he or she should be holding a key position in the management of the Company and must have adequate technical knowledge in the field,” the report read.

For further clarification on the expression of “key managerial personnel”, the committee included the roles of Chief Executive Officer and similar roles for the position of data protection officer, the report added.

Why it is necessary for a DPO to be a “key managerial person”?

“Typically jurisdictions or companies begin by assuming that the privacy leader should be a lawyer…But very quickly, what they discover is that a legal background is probably not sufficient. A full suite of skill sets are necessary,” Justin Weiss, the Global Head of Data Privacy at Naspers Group, said when asked about the role of a Chief Privacy Officer or Data Protection Officer during PrivacyNama.

Here’s a look at why it is necessary for a DPO to be appointed from the higher echelons of a company’s organisational structure —

Advertisement. Scroll to continue reading.
  • Reporting directly to the board: PrivacyNama panelists agreed that the Chief Privacy Officer needs to report directly to the company’s board to avoid interference from other functions within the organisation.
  • Sponsorship from highest levels: A panelist highlighted the need for Chief Privacy Officers to seek sponsorship from the highest level of the organisation for their privacy agenda.

What about the relationship between a DPA and a data protection officer?

During PrivacyNama, Justin Weiss, the Global Head of Data Privacy at Naspers Group described the relation between a CPO and DPA as that of an economy of scale, wherein there is a distributed model for dealing with complaints. “Only those complaints that lead to an escalation, or a conflict or something that can’t be resolved, get referred to the real data protection authority in the government. So that’s that part of the model,” Weiss said.

Chief Privacy Officer at Match Group Idriss Kechida said that the economy of scale model that is in place for handling privacy complaints in countries with data protection laws, and other relevant structures, should not be seen as a way of data protection authorities ‘trying to shift the burden’ of handling complaints on chief privacy officer.

Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the report:

 

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...

News

Releasing the policy is akin to putting the proverbial 'cart before the horse'.

News

The industry's growth is being weighed down by taxation and legal uncertainty.

News

Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.

News

Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ