The recently enacted Digital Personal Data Protection (DPDP) Act of 2023 entails a specific requirement: the appointment of a Data Protection Officer (DPO) for ‘significant data fiduciaries’. These entities, due to their data processing operations and heightened compliance requirements, should ideally assign a dedicated and trained professional to oversee data protection matters.
India Inc is therefore moving quickly to hire DPOs. While firms have tended to assign multiple data and cyber responsibilities to their existing personnel, the expanded compliance requirements under the new law now demand dedicated individuals who can handle roles such as that of a DPO. The surge in demand for DPOs is real and will only grow with time within Indian organizations, which in turn means an increase in compliance cost.
“That aside, every other data fiduciary (who is not a ‘significant data fiduciary’), while not required to appoint a formal DPO, is mandated to designate an individual with similar qualifications and expertise to handle inquiries from individuals regarding their personal data. Therefore, the demand for such professionals has increased and is expected to surge further now as the government has announced an expedited rulemaking process under the new law and also the establishment of the Data Protection Board of India within a month,” says Supratim Chakraborty, Partner at Khaitan & Co.
The government announced last week that it will set up the Data Protection Board (DPB), the appellate authority for grievance redressal under the Digital Personal Data Protection Act, within the next 30 days, Rajeev Chandrasekhar, minister of state for electronics and information technology, said. He reiterated that the first set of ‘necessary rules’ under the Act will also be issued within the same time frame.
The DPDP Act does not necessarily list the qualifications of a DPO; however, it says that every DPO needs to exhibit expertise in data protection law and practices.
Presently, only a few industries need DPOs; they have the most demand for this position and are hiring for it. These are the information technology industry, followed by banking, financial services and insurance (BFSI) and business process outsourcing (BPO). Companies are therefore approaching law firms to restructure their contracts to make them compliant with the new law. The compliance cost of a company will also increase as a result.
Although India has a large number of job openings for cybersecurity professionals as of May 2023, only 70% of these openings have been filled. The Digital Personal Data Protection Act, 2023 was enacted to address cyber security issues, especially those relating to the personal data of individuals. “This act requires appointment of DPOs, it must be ensured that the DPOs appointed are not only IT experts, but are also trained in legal and compliance aspects. This will help in bolstering the cyber security in the country,” says Aditya Vardhan Sharma, Counsel, SKV Law Offices.
Role of Data Protection Officer in Cos
The role of the Data Protection Officer involves assisting organizations in monitoring their internal compliance concerning the protection of sensitive data collected from clients in the course of business. DPOs also keep management apprised of the latest developments in the field of data protection, so as to ensure that the internal data security infrastructure is on par with the most current legal compliance requirements.
Given that India's population currently engages with the digital world at an unprecedented pace, the personal data of an individual floating in the virtual space is prone to being misused more frequently than anywhere else. With increasing global digitisation, the need for a robust framework for data security and data sharing was recognised. However, despite this recognition, there have been gaping holes in the skill set of the concerned professionals, whether lawyers or software developers.
“The major lacuna emanating from the lack of basic understanding of exactly how the personal data reaches the virtual space, how it can be potentially misused, and what are the means by which such data sharing can be regulated at the end of the consumers. Most importantly, what recourse to adopt in the event of involuntary data breach. While companies require DPOs, the knowledge base currently available does not provide efficient training to prepare for the same,” says Ekta Rai, Advocate, Delhi High Court.
Rai suggests that, to make professionals job-ready for the DPO role, they ought to be trained in the basic technical know-how of the virtual data sphere, primarily the difference between personal, sensitive data and publicly available data, as well as the legal provisions which regulate data sharing. “While it seems fairly simple, the actual education of the same will require making available good literature and effective training on the topic for the young professionals to understand and successfully execute the role of a DPO,” says Rai.
While Indian organizations usually assign multiple data and cyber responsibilities to their existing personnel, the expanded compliance requirements under the new law now demand dedicated individuals who can handle roles such as that of a DPO. “These professionals must possess in-depth knowledge of the new legal requirements and shall have the expertise to address the queries of individuals regarding their personal data. These professionals are expected to play a vital role in making the new Indian data law a success. Summarily speaking, a further substantial increase in demand for such professionals is anticipated in India now,” says Chakraborty.
The DPDP Act, 2023 requires entities to appoint a point of contact responsible for answering questions raised by individuals with regard to personal data processing. However, certain entities classified as Significant Data Fiduciaries are required to appoint a ‘Data Protection Officer’. Such officers must be resident in India, report to the Board of Directors (or equivalent body) and be the point of contact for grievance redressal. The details of such officers must also be specified in notices and consent requests.
“While qualification or appointment details of these Data Protection Officers are not specified in the Act (and it remains unclear if they may be specified in the rules), such officers must be equipped to handle compliance and requests from users, stakeholders and legal authorities. This may include a wide variety of responsibilities such as handling data subject rights, ensuring compliance throughout the data life cycle, overseeing technical and organizational measures (including reporting structures) implemented, reporting compliance to key personnel (or Board), periodically reviewing data in/out flows, supervising data protection impact assessments, data audits, apart from handling law enforcement requests,” says Prashant Phillips, Executive Partner, Lakshmikumaran and Sridharan.