The Data Protection Bill, 2021, presented by the Joint Parliamentary Committee (JPC), provides for Data Protection Officers (DPOs) who will be appointed by significant data fiduciaries and will be responsible for ensuring adherence to the provisions of the Bill. The JPC has made it clear that a DPO can only be a person in a “key managerial position”, such as a Chief Executive Officer, Chief Financial Officer, or a similar role.
Here’s a detailed look at the various functions of Data Protection Officers employed by data fiduciaries.
Definition of Data Protection Officer (Clause 3)
Clause 3, which provides the definitions of the key terms used in the Bill, now includes a definition of Data Protection Officer. The Bill defines a Data Protection Officer as an officer appointed by a significant data fiduciary under Clause 30 of the Bill.
Earlier draft: Clause 3 did not have the definition of Data Protection Officer.
Reason for change: The Committee said that since the Data Protection Officer plays an important role in the implementation of the legislation, a definition of the role should be added to Clause 3.
Functions of Data Protection Officers (Clause 30)
Clause 30 of the draft mandates that every significant data fiduciary shall appoint a data protection officer, who will be responsible for carrying out the following functions:
- Providing information and advice to the data fiduciary on matters related to the Act
- Assisting and cooperating with the Data Protection Authority on matters of compliance of the data fiduciary
- Monitoring personal data processing activities of the data fiduciary
- Providing advice to the fiduciary on carrying out data protection impact assessments
- Providing advice to data fiduciary on the development of internal mechanisms that satisfy accountability and transparency requirements under Clause 22
- Providing assistance on matters of compliance with the Act
- Acting as the point of contact for data principals for grievance redressal under Clause 32
- Maintaining an inventory of records under Clause 28
The draft states that a person cannot be appointed as a data protection officer unless they are a “senior level officer or key managerial person” with adequate knowledge of technical matters, particularly data protection or privacy. The draft lists the following officers as falling under the term “key managerial personnel”:
- Chief Executive Officer or Managing Director or the manager
- Company secretary
- Whole time director
- Chief Financial Officer
It also states that there should not be any conflict of interest between the DPO’s duties under Clause 30 and their interest in the data fiduciary. The draft adds that a DPO should “mandatorily be appointed within India”.
Earlier draft: It did not state that a data protection officer cannot be appointed unless he or she is a key managerial person with knowledge of technical matters, especially privacy. The functions of a Data Protection Officer did not earlier include cooperating with the Data Protection Authority on matters of compliance of the data fiduciary. The previous draft also did not specify which “key managerial personnel” can be appointed as a Data Protection Officer.
Reasons for change: The Committee found that there is no mention of any specific qualification or position of the officer in the company. “The Committee therefore, desires that since a Data Protection Officer plays a vital role under the provisions of this Bill, he or she should be holding a key position in the management of the Company and must have adequate technical knowledge in the field,” the report read.
For further clarity on the expression “key managerial personnel”, the Committee listed the roles of Chief Executive Officer and similar positions as eligible for the post of data protection officer, the report added.
Why is it necessary for a DPO to be a “key managerial person”?
“Typically jurisdictions or companies begin by assuming that the privacy leader should be a lawyer…But very quickly, what they discover is that a legal background is probably not sufficient. A full suite of skill sets are necessary,” Justin Weiss, the Global Head of Data Privacy at Naspers Group, said when asked about the role of a Chief Privacy Officer or Data Protection Officer during PrivacyNama.
Here’s a look at why it is necessary for a DPO to be appointed from the higher echelons of a company’s organisational structure:
- Reporting directly to the board: PrivacyNama panelists agreed that the Chief Privacy Officer needs to report directly to the company’s board to avoid interference from other functions within the organisation.
- Sponsorship from highest levels: A panelist highlighted the need for Chief Privacy Officers to seek sponsorship from the highest level of the organisation for their privacy agenda.
What about the relationship between a Data Protection Authority (DPA) and a data protection officer?
During PrivacyNama, Weiss described the relationship between a CPO and a DPA as an economy of scale, with a distributed model for dealing with complaints. “Only those complaints that lead to an escalation, or a conflict or something that can’t be resolved, get referred to the real data protection authority in the government. So that’s that part of the model,” Weiss said.
Idriss Kechida, Chief Privacy Officer at Match Group, said that the economy-of-scale model in place for handling privacy complaints in countries with data protection laws, and other relevant structures, should not be seen as a way for data protection authorities to ‘try to shift the burden’ of handling complaints onto chief privacy officers.