wordpress blog stats
Connect with us

Hi, what are you looking for?

Data Protection Bill 2021: What role will Data Protection Officers have to perform

A parliamentary committee recommends who should be a data protection officer and what exactly they should do.

The Data Protection Bill, 2021 presented by the Joint Parliamentary Committee (JPC) talks about Data Protection Officers (DPO) who will be appointed by data fiduciaries and will be responsible for adhering to the provisions of the Bill. The JPC has made it clear that a DPO can only be a person of “key managerial position” such as a Chief Executive Officer, Chief Financial Officer, and other similar roles.

Here’s a detailed look at the various functions of Data Protection Officers employed by data fiduciaries.

Definition of Data Protection Officer (Clause 3)

Clause 3, where the definitions of the key terms in the Acts are provided, finds the inclusion of a Data Protection Officer. The Bill defined a Data Protection Officer as an officer who will be appointed by a significant data fiduciary under Section 30 of the Bill.

Earlier draft: Clause 3 did not have the definition of Data Protection Officer.

Reason for change: The Committee said that since the Data Protection Officer plays an important role in the implementation of the legislation, it was of the view that the definition of the role be added in Clause 3.

Advertisement. Scroll to continue reading.

Functions of Data Protection Officers (Clause 30)

Clause 30 of the draft mandates that every significant data fiduciary shall appoint a data protection officer who will be responsible for carrying out these functions —

  • Providing information and advice to the data fiduciary on matters related to the Act
  • Assisting and cooperating with authority on matters of compliance of data fiduciary
  • Monitoring personal data processing activities of the data fiduciary
  • Providing advice to the fiduciary on carrying out data protection impact assessments
  • Providing advice to data fiduciary on the development of internal mechanisms that satisfy accountability and transparency requirements under Clause 22
  • Providing assistance on matters of compliance with the Act
  • Act as point of contact for data principal for grievance redressal under Section 32
  • Maintaining an inventory of records under Section 28

The draft stated that one cannot be appointed as a data protection officer unless the person is a “senior level officer or key managerial person” having adequate knowledge in technical matters, particularly data protection or privacy. These are the officers which the draft said, falls under the term “key managerial personnel” —

  • Chief Executive Officer or Managing Director or the manager
  • Company secretary
  • Whole time director
  • Chief Financial Officer
  • Others

It has also stated that there should not be any conflict of interest between the DPO and their interest in the data fiduciary when they perform the functions under Clause 30. The draft said that a DPO should be ‘mandatorily be appointed within India’.

Earlier draft: It did not mention that a data protection officer cannot be appointed unless he or she is a key managerial person with knowledge of technical matters, especially on privacy. The functions of a Data Protection Officer earlier did not involve cooperating with the data protection authority on matters of compliance of the data fiduciary. The previous draft did not specify which “key managerial personnel” can be appointed as a Data Protection Officer.

Reasons for change: The Committee found that there is no mention of any specific qualification or position of the officer in the company. “The Committee therefore, desires that since a Data Protection Officer plays a vital role under the provisions of this Bill, he or she should be holding a key position in the management of the Company and must have adequate technical knowledge in the field,” the report read.

For further clarification on the expression of “key managerial personnel”, the committee included the roles of Chief Executive Officer and similar roles for the position of data protection officer, the report added.

Why it is necessary for a DPO to be a “key managerial person”?

“Typically jurisdictions or companies begin by assuming that the privacy leader should be a lawyer…But very quickly, what they discover is that a legal background is probably not sufficient. A full suite of skill sets are necessary,” Justin Weiss, the Global Head of Data Privacy at Naspers Group, said when asked about the role of a Chief Privacy Officer or Data Protection Officer during PrivacyNama.

Here’s a look at why it is necessary for a DPO to be appointed from the higher echelons of a company’s organisational structure —

Advertisement. Scroll to continue reading.
  • Reporting directly to the board: PrivacyNama panelists agreed that the Chief Privacy Officer needs to report directly to the company’s board to avoid interference from other functions within the organisation.
  • Sponsorship from highest levels: A panelist highlighted the need for Chief Privacy Officers to seek sponsorship from the highest level of the organisation for their privacy agenda.

What about the relationship between a DPA and a data protection officer?

During PrivacyNama, Justin Weiss, the Global Head of Data Privacy at Naspers Group described the relation between a CPO and DPA as that of an economy of scale, wherein there is a distributed model for dealing with complaints. “Only those complaints that lead to an escalation, or a conflict or something that can’t be resolved, get referred to the real data protection authority in the government. So that’s that part of the model,” Weiss said.

Chief Privacy Officer at Match Group Idriss Kechida said that the economy of scale model that is in place for handling privacy complaints in countries with data protection laws, and other relevant structures, should not be seen as a way of data protection authorities ‘trying to shift the burden’ of handling complaints on chief privacy officer.

Get our white paper on the Data Protection Bill 2021 in your inbox

We may also reach out occasionally with our coverage of the Data Protection Bill and more.
By filling out this form, you agree to receive a copy of MediaNama's white paper and further information about MediaNama's work and services.

Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the report:


Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ