India’s new data protection law has been months in the making. The Personal Data Protection Bill 2019 was tabled in parliament by the Ministry of Electronics and Information Technology in December that year; since then it has been under analysis by a Joint Parliamentary Committee in consultation with experts and stakeholders. Key aspects of the bill include sweeping mechanisms for protection of personal data, setting up a Data Protection Authority of India (DPA), a provision that the central government can exempt any government agency from the bill, and the “Right to Be Forgotten.” Since it was tabled, reaction has been mixed: There is the acknowledgement that India does need to fortify its data protection laws, coupled with the anxiety that the bill could be a serious threat to Indians' privacy. You can play a really cool card game to understand the bill better, and do also read this recent piece about the “arduous task” that lies ahead of the proposed DPA.
However, we will focus on the role of the data protection officer (DPO) in organisations, which is expected to grow in importance as the legislation kicks in. “There is a threshold classification for entities beyond which they are required to appoint,” explains Shahana Chatterji, a partner at Shardul Amarchand Mangaldas. “It is significant data fiduciaries, which are data fiduciaries who are notified on the basis of factors including volume and sensitivity of data processed by them, that have to appoint DPOs. The DPO is required to be based in India and is expected to be the point of contact for data subject grievances.” Eira Mishra, a partner at EPA Law Offices, points out that the DPO’s role “will flow both inwards (providing information, training on best practices, monitoring, assessing and reviewing data processing) and outwards (acting as a point of contact for the customers, assisting the Data Protecting Authority and carrying out statutory compliances).”
If that sounds complex, it is. “The functions specified in the PDP bill appear to require the DPO’s approach to be more customer-centric, and therefore, quite different from that of an information security officer,” says Anshul Sunil Saurastri, a partner at Krishna & Saurastri. “For instance, a DPO is required to act as a data principal’s point of contact for grievance redressal and at the same time assist the DPA on matters relating to compliance by the data fiduciary. Furthermore, the DPO is required to monitor activities of the data fiduciary, advise on development of internal processes for compliance, and so on. Therefore, clearly, the DPO has to wear a lot of hats.”
Saurastri feels that even businesses that do not need to appoint a dedicated DPO will look to do so, but finding the “right talent is going to be difficult,” hence the need to hire externally. The race to recruit, it seems, has already begun. Gaurav Chattur, Asia-Pacific managing director at executive search firm Catenon, reveals that he has seen an “evident increase in demand for data privacy professionals” in sectors like BFSI and consumer tech. The personnel in demand appear to possess “the right combination of multiple security skills alongside an overall proficiency in technology and knowledge of risk management and compliance.”
But can businesses still look to hire from within? “Amid this pandemic, many organisations are exploring diverse talent pools across data privacy, compliance, regulations, risk automation and law to hire and build pipelines,” says Chattur. “It should be noted that Europe has already undergone a massive GDPR drive over the last few years. Compliance, strategy and technology folks with experience of implementing this for European organisations will be in high demand.”