Shedding the dichotomies
India should take a cue from established data protection laws to remove the discrepancies between the defined roles and the actual responsibilities of Data Protection Officers under the DPDPA
The Data Protection Officer (DPO) is tasked with significant responsibilities that concern compliance with the data protection obligations, and reports to the highest management in an organisation. The requirements of the DPO are duly outlined under Articles 37-39 of the General Data Protection Regulation (GDPR) and Section 10(2) of India’s newly enacted Digital Personal Data Protection Act (DPDPA).
It must be kept in mind that the requirement to appoint a DPO under the GDPR applies equally to controllers and processors, whereas the DPDPA imposes it only on significant data fiduciaries. In this article, I take inspiration from the settled provisions of the GDPR on the appointment of DPOs, while noting that even the GDPR stops short of giving the DPO the power needed to see its advice acted upon.
It is vital for organisations to define the role of a DPO clearly, not only in accordance with the law but also within the internal management structure of the organisation. DPOs are also the point of contact for data principals exercising their rights, handling their requests and giving views on the responses sent to them. Moreover, appointing a dedicated role to ensure compliance with a law is an approach we have come across in various sectors.
DPOs vis-à-vis private regulation
When we look at the GDPR, we can reasonably infer that the rules surrounding the role of DPOs are primarily aimed at keeping the DPO independent of the senior board members or the management of an organisation. In the case of DPDPA, the DPO must report to the highest management level of an organisation and represent the significant data fiduciaries.
It leads us to draw the inference that the power given to the DPO may not justify the role that needs to be carried out by them.
If we analyse the realm of private regulation, we find a variety of schemes that are privately regulated in contemporary times through contracts, memorandums of understanding, codes of conduct, etc., which help organisations and different groups control their activities. In some cases, private regulation is independent of any legislation; in others, it is a response to the threat of command-and-control regulation. The appointment of DPOs, I am confident, falls into the latter category. Still, the very same role lacks the ability to enforce its recommendations without the approval of a master [the higher management of an organisation in this case].
DPO and its conflicting role
Compliance monitoring under the GDPR does not make the DPO personally responsible in case of non-compliance. The GDPR makes it clear that it is the controller and not the DPO who is required to “implement appropriate technical and organisational measures to ensure and to demonstrate that processing is performed in accordance with the GDPR” [Article 24(1)].
On the other hand, the GDPR mandates the DPOs to cooperate with the supervisory authority and “act as a contact point for the supervisory authority on issues related to processing, and to consult, where appropriate, with regard to any other matter” [Article 39(1)]. Something similar is also laid down under Section 10(2)(a)(i) and Section 10(2)(a)(iv) of the DPDPA.
Apparently, although the GDPR and the DPDPA dedicate the role of the DPO to maintaining compliance, they somehow shield DPOs from liability for non-compliance. In my personal view, this may be a direct consequence of the fact that DPOs are not entrusted with adequate power and responsibility to carry out their roles and, hence, carry less liability.
The way forward
The appointment of DPOs forms an active part of staying compliant with the GDPR or the DPDPA. In the larger picture, the role of a DPO is one of the many tools under data protection laws that aid an organisation's management in complying with the law and in putting systems in place to keep a check on processing activities.
In the United Kingdom, the Department for Digital, Culture, Media and Sport, in its report titled ‘Data: A New Direction’, proposed to remove the existing requirement to designate a DPO and instead to designate individual(s) responsible for the organisation’s privacy management programme and for ensuring its compliance with the UK GDPR. In response to this proposal, the Information Commissioner’s Office (ICO) emphasised the skills, experience, and professionalism that DPOs can bring.
However, what becomes most important in this scenario is to assess the responsibilities entrusted to a DPO against the powers required to execute the role effectively. Although Article 38(3) and Recital 97 of the GDPR, and Section 10(2)(a)(i) of the DPDPA, provide for a DPO to exercise the role independently, the gap between the power conferred on the DPO and the DPO's ability to exercise it means that we still witness data fiduciaries and processors taking decisions inconsistent with the provisions of the GDPR, and thereby facing the brunt of penalties. Hence, as a way forward, I believe India is aptly placed to learn the nuances of appointing DPOs from settled data protection laws such as the GDPR. It becomes necessary for organisations to treat the DPO's recommendations as the advice of an autonomous function, not as suggestions to be accepted or dismissed on a ‘take it or leave it’ basis.
The writer is a Chevening Scholar; Assistant Professor, Jindal Global Law School; and Of Counsel, Scriboard, New Delhi. Views expressed are personal