The Data Protection Officer is a role enshrined in the General Data Protection Regulation (GDPR) (Section 4, Articles 37, 38 and 39).
Responsibilities of a DPO include monitoring the organisation’s compliance with GDPR and any other data protection provisions, including policies, procedures and training. The compliance is conducted through assurance and audit activity. In addition to this, supporting data privacy by design efforts at the initial design phase through advice surrounding Data Protection Impact Assessments and informing the Controller or Processor of their obligations under Data Protection law, regulations and guidance. The DPO also aids in communication with the Supervisory Authority on matters related to different enquiries or compliance matters.
In simple terms, a DPO performs the complex task of acting as an agent between the organisation’s supervisory authority and the other departments. He also is a compliance teacher to the employees and a trainer that helps carry out data processing.
It becomes pertinent to mention here that data ownership rests with the business; DPOs don’t own the data. One of the features of DPOs under the GDPR that could significantly decrease the administrative burden on multinational companies is the possibility to appoint a single DPO for a group of undertakings. The GDPR stipulates that this is only possible if the DPO is “easily approachable from each inception”.
Do not doubt the importance of the function of the DPO as it ranking below or equivalent to other security dignitaries in the company like the CISO, CIO or CDO. While these take care of the cybersecurity of and in the company to improve its functioning and reputation, the Data Protection Officer exclusively caters to the responsibility of customer data by acting as its protector, thus making his position and functions essentially distinct from others. The DPO ensures that the use of customer data is limited to its purpose and that it is appropriately taken care of, considering its delicate nature. The Air India case acts as the perfect example to highlight the importance of a Data Protection Officer. In a recent case, Air India suffered from a Data Breach involving the data leak of 45 lakh passengers due to the cyberattack on SITA Passenger Service System, which was inclusive of the personal data of the passengers registered with them from 26th August 2011 to 20th February 2021. The data comprises the credit card details, frequent flyer data, ticket, passport and contact information.
While there was an assurance by the Airline about the data not being subjected to any misuse, the incident of a flyer slapping a lawsuit seeking damage to the tune of 30 Lakhs for the violation of her “Right to Privacy” and the alleged breach of “Right to be forgotten and informational autonomy” enshrined within it, and declared by the apex court as a fundamental right, has seen the light of the day.
Thus in the face of rapid technology development, and associated cyber threats, employing a Data Protection Officer acts as a one-stop solution in order to protect your organisation against data breaches causing a significant violation of your customer’s interests, and the legal consequences that come with it.
Here is the summarized account of the day to day functions of a DPO. Once appointed, the job profile of a DPO focuses specifically on GDPR and serving in the capacity of policing privacy-related activities. A DPO advocates for the rights of data subjects as an independent authority, and acts as an unprejudiced advisor on GDPR compliance. By Law, one cannot give them orders or fire them just for meeting their responsibilities. DPO serves as a point of contact for regulatory authorities and public members concerning their rights under the GDPR.
An ideal candidate for a DPO is the one who knows and understands the General Data Protection Regulation, can interpret it and is capable of applying it to the situation at hand. Though anyone with adequate knowledge of the data privacy regulation and the skills mentioned above can become a DPO, a legal background fits more beautifully than others in this role. As Article 37 of GDPR also states, “The data protection officer shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices”.
Thus, a lawyer having the knowledge of not only GDPR but other legislations is better suited for this role owing to his understanding of all the laws, which might come in handy while solving the privacy concerns of his/her clients. In addition to this :
– A degree in BA or BS in information security, Computer science, IT, a Bachelor’s in Law, or equivalent work experience in the privacy domain is a must.
Having said that, there are no qualifications specified per se to be a Data Protection Officer. DPO shall be designated based on:
– Their knowledge of the company’s business sector and organisation, processing, information technologies and data security.
– Strong experience in the subject and ideally in data protection laws and related disciplines such as information governance, incident response, risk management, etc.
– Ability to promote data protection culture within the company.
Most of the DPOs in India and across the world hail from a security background. If you are a security person, then you can look forward to becoming a DPO.
The DPOs are paid handsomely considering their remuneration, which ranges between 100-200 Euros an hour for non -lawyers and between 300-500 Euros an hour for licensed attorneys. With the developing data privacy infrastructure and expanding IT landscape in India, especially in the post-pandemic era, it is only apparent to perceive the demand for Data Protection Officers. According to Glassdoor, the average salary drawn by a Data Protection Officer in India is Rs.26,58,773.
So if you have the necessary skillset and experience for this esteemed position and want to kickstart your career as a Data Protection Officer, this is the perfect opportunity as every indication suggests that this field shall grow significantly from here on.