GDPR Compliance: Why Hiring a DPO Is DifficultLack of Budget and Qualified Candidates Are Challenges in India
With less than a year to go before enforcement of the European Union's General Data Protection Regulation, or GDPR, which applies to any organization that handles Europeans' data, many larger organizations affected in India have yet to make much headway in appointing a data protection officer, or DPO, as required by the law.
Some organizations aren't finding the right talent locally to hire a DPO, so they're looking outside the country. Others haven't even started with the process. And some don't yet understand the skills set needed for the DPO position.
Under GDPR, larger organizations generally must have a DPO, whose duties include working closely with concerned organizations in case of a breach or incident. Organizations must consult their DPO regarding all proceedings related to data protection. GDPR, however, is silent on whether a CISO can double up as a DPO (See: EU Agrees on Data Protection Rule Reboot).
"For a country like ours data protection has never been a concern," says Venugopal N, security engineering manager for India at Check Point Software Technologies.
At many Indian organizations, privacy-related functions are left to the chief risk officer, general counsel or CISO to handle. The main reason, security practitioners say, is the lack of those with privacy-related expertise. "There may be only a handful of people who are qualified for the post and available in the market," says Sivakumar Krishnan, former head IT and information security at M Power Microfinance.
"The skill shortage is a major issue mainly because data privacy is not a specialization offered yet in universities, and India never had a job market for such professionals," says Srinivas Poosarla, vice president and head, global privacy and data protection, at Infosys.
As a result, some companies have begun training programs for DPOs. "Considering the specific and comprehensive requirements of appointing a DPO, organizations have now started with various trainings, certifications and skilling programs while appointing or designating DPOs for their EU-focused projects," says Shivam Satnani, senior analyst at DSCI, an independent self-regulatory organization that promotes data protection in India.
Under GDPR, organizations have the option of contracting with a DPO from outside the organization. "But engaging an external DPO who serves multiple projects from multiple clients would be challenging for any organization complying with GDPR requirements," Satnani says.
As a result, many security experts predict that most large organizations in India that handle Europeans' data will prefer to have an in-house DPO, given the importance of the role and GDPR's compliance challenges. "It will slowly progress to a point where appointing a qualified DPO is seen as part of the organizational strategy, not just a compliance requirement", Satnani says.
"Since there are only a handful of DPOs who are qualified for the post and available in the market, [hiring a DPO is] bound to be a costly affair," Krishnan adds.
Another challenge in India is that privacy protection is generally not a top priority. "Data privacy, protection, security are not seriously taken by Indian organizations, and people still have a casual approach," he adds.
In India, non-government organizations are required to appoint a grievance officer to deal with privacy-related complaints in accordance with Section 43A rules of IT (Amendment) Act, 2008.
However, they do not double up as DPOs as far as having authority or control over data privacy. And many organizations still lack a grievance officer due to ambiguities in the law and a lack of understanding about privacy.
Because GDPR is silent regarding to whom the DPO should report, except for vaguely stating that the position must report to senior management, companies in India aren't clear on how they should incorporate the new role in their structures.
"Organizations never had to think of a DPO position and hence, it's a challenge for them to create this new role and decide on a specific reporting structure," Poosarla says.
"So far, similar roles [like grievance officer] were under the CISO or CRO," says a data security practitioner who requested anonymity. "Though GDPR isn't very clear on the reporting structure, organizations are worried whether the DPO's role will clash with that of the CISO in terms of seniority levels."
Poosarla argues that DPOs should report to top management, such as COO or one of the board members rather than the CISO or CRO. "The main role of a CISO is to ensure data security, and one of the common practice adopted to prevent or detect data leakage and malware attacks is electronic monitoring" he says. "But due to privacy issues associated with monitoring, particularly in the EU where it is either prohibited or permitted only under certain conditions, it will be difficult to balance between security and privacy if the later comes under purview of CISO", he argues..
Satnani says Indian organizations that handle Europeans' data should have internal teams trained in GDPR compliance. "Although qualification for DPOs are not explicitly listed, it is expected that the DPO should have reasonable expertise and understanding of the data privacy domain to deal with fine nuances," he says.