Rise of the DPO in wake of India’s Data Protection Bill

Clause 40 of the Data Protection Bill mandates every significant data fiduciary to appoint a Data Protection Officer. Here’s what India Inc. has to say about the emergence of the DPO.


India’s Ministry of Electronics and Information Technology has, at long last, acknowledged the need for strong data protection and privacy laws that empower citizens with complete data protection rights – be it the right to access and correct data, the right to data portability, or the right to be forgotten.

The Data Protection Bill introduced by MeitY was cleared by the Union Cabinet on 4th December 2019 and is expected to soon become an Act following a parliamentary review in the upcoming budget session.

In addition to outlining data protection and privacy mandates, a very important clause in the Bill is expected to transform executive leadership in the Indian enterprise. Clause 40 of the Bill mandates every significant data fiduciary to appoint a Data Protection Officer (DPO).

Clear-cut boundaries: CISO protects the organization’s data; DPO protects customer data

While a CISO is in charge of all cybersecurity operations in an organization, a DPO plays a different ballgame.

A key difference is that a CISO's role is primarily inward-looking – the CISO is charged with protecting the organization. A DPO, on the other hand, is charged with protecting the customer's data. Fundamentally, the DPO looks at data protection from a customer point-of-view.

CSO India speaks to IT and security heads across verticals to get a read on what the Data Protection Bill means for the Indian enterprise and where a DPO fits into the scheme of things.

Thomas Cook, owing to the EU’s GDPR mandate, is no stranger to data protection regulations. The company believes information security and data protection go hand in hand.


“We’re definitely going to see more organizations appoint DPOs. We can start by assigning the role as an additional responsibility to someone and then eventually appoint a dedicated DPO.”

– Amit Madhan, President & Group Head – IT & eBusiness, Thomas Cook India

Amit Madhan, President & Group Head – IT & eBusiness at Thomas Cook India, believes that the role of the CISO and DPO can be bifurcated depending on the scale of operations in the organization. He observes that in small and medium enterprises, which tend to have a lean hierarchy, it's common to see the chief risk officer playing the role of a data protection officer as well as a CISO.

So, when the Data Protection Bill actually becomes an Act, will more organizations appoint a dedicated DPO?

"Most definitely. We can start by assigning the role as an additional responsibility to someone and then eventually appoint a dedicated DPO," says Madhan. However, he believes it would take at least 2-3 years before we actually start seeing that.

Ratan Jyoti, a veteran security leader in the BFSI space and currently the CISO at Ujjivan Small Finance Bank, believes that irrespective of it being a legal requirement, appointing a dedicated DPO is beneficial for an organization.

“In today’s cyber world data is the focal point, and appointing a dedicated Data Protection Officer will help not just in protecting the data but will also facilitate efficient use of data and better customer service, leading to organizational growth,” says Jyoti.

Table: Key takeaways on the Data Protection Bill and the appointment of DPOs

Furthermore, while the roles of a CISO and a DPO are well-defined and fairly unambiguous, some of their responsibilities overlap.

Madhan says that at least a third of the responsibilities of a CISO and a DPO overlap. "A common notion in the industry is that a DPO is a subset of a CISO. Now there are certain things a DPO would have to do, but a CISO doesn't. Take for instance a marketing campaign – a DPO has to be cognizant of the data points being used for the campaign," he explains.

Reporting structure: what changes when a DPO joins the ranks?

In Madhan's opinion, the industry, at this point in time, is not mature enough for a DPO to directly report to the CEO. Presently, a DPO could either report to the CISO or a CDO. For organizations that have neither, he believes it's best for the DPO to report to the CIO.

In addition to changes in the organizational hierarchy, the onset of the Data Protection Bill will also impact the way IT teams function. Taking his own organization as an example, Madhan says that the IT team at Thomas Cook has become a lot more vigilant about data.

"In the current scenario, data is freely accessible, but with the Data Protection Bill coming into effect, we'll have to put a lot more restrictions in place," reveals Madhan. He adds that the bill is also expected to bring a lot of focus to Customer Information Management (CIM) and cloud security.


“Appointing more people in the C-suite has merits as well as demerits. The DPO must report to the highest management – the independence of a DPO will define his/her success.”

– Ratan Jyoti, CISO, Ujjivan Small Finance Bank

Ujjivan’s CISO, Ratan Jyoti, believes that appointing more people in the C-suite has merits as well as demerits. However, in his opinion, the DPO ought to report to the highest management – the independence of a DPO will define his/her success.

"The best approach organizations can take, to start with, is by having the CISO and the DPO report directly to the CEO; this ensures that the overlap in roles and responsibilities can be minimized," explains Jyoti.

Data protection assessments: who leads the charge?

No different from penetration testing and security assessments, the onset of privacy and data protection laws will require enterprises to carry out data protection assessments and audits covering compliance and data governance.

Sourabh Chatterjee, President & Head of Technology, Digital Sales and Travel at Bajaj Allianz General Insurance, opines that it's important to be clear and honest about data protection assessments. "Something that doesn't seem like a risk today can potentially morph into a bigger risk at some point in time. So it's better to be harsh when it comes to conducting assessments," he shares.

Another important point to bear in mind is that it's not enough to simply look at data inside the organization – data which is within your domain and under your control. DPOs should also look at how data travels outside their organization.


“It's important to be clear and honest about data protection assessments. It's better to be harsh when it comes to conducting assessments.”

– Sourabh Chatterjee, President & Head of Technology, Digital Sales & Travel, Bajaj Allianz General Insurance

The question then arises of who takes ownership of data protection assessments. Madhan emphasizes that the DPO cannot function independently – the DPO will have to depend on the CISO, and the CISO, in turn, depends on the CIO.

He or she will also have to work in close collaboration with the Chief Risk Officer to ensure audits are in place.

It's already crowded at the top – will DPO appointments add to the complexity?

The last decade has seen numerous new designations added to the C-suite – from the Chief Digital Officer to the Chief Data Officer, and from the Chief Transformation Officer to the Chief Artificial Intelligence Officer.

While technological complexities have increased manifold, it's important to recall what Amit Madhan said earlier – a third of the responsibilities of a CISO and a DPO overlap. Added to this is the obvious obstacle stemming from inadequate communication and collaboration, and a lack of visibility.

Addressing the problem of collaboration and visibility, Ratan Jyoti believes that communication is the key – conducting regular meetings, having the CEO review the proceedings, and using a single communication channel for all stakeholders are easily doable, yet significantly impactful.

However, Chatterjee, who heads technology at Bajaj Allianz, says that the role does exist today in some shape or form, but there's an ongoing debate on whether a dedicated Data Protection Officer is actually required. He explains that a DPO's role primarily requires two chief skills – one around data governance and the other around security.

While there's no mistaking the fact that there's definitely a need for a custodian of customer data, the Data Protection Bill can only be expected to advance the emergence of the DPO.

Furthermore, with more organizations appointing a dedicated DPO, the CISO can focus more on core security measures and operations to protect his or her organization – indisputably the need of the hour in the rapidly-evolving, complex and challenging cybersecurity space.

Copyright © 2020 IDG Communications, Inc.
