India is aptly placed to learn the nuances regarding the appointment of Data Protection Officers from the settled data protection laws such as the General Data Protection Regulation (GDPR).
Nikhil Naren, Assistant Professor, Jindal Global Law School, O.P. Jindal Global University, Sonipat, Haryana, India.
The Data Protection Officer (DPO) is tasked with significant responsibilities that concern compliance with the data protection obligations, and reports to the highest management in an organisation. The requirements of the DPO are duly outlined under Articles 37-39 of the General Data Protection Regulation (GDPR) and Section 10(2) of India’s newly enacted Digital Personal Data Protection Act (DPDPA).
It must be kept in mind that the requirements of appointing a DPO outlined under the GDPR apply equally to controllers and processors, but in the case of DPDPA, the statute only emphasises significant data fiduciaries. In this article, I take inspiration from the settled provisions of the GDPR on the appointment of DPO, albeit without provisions under the GDPR for the necessary power or resources to perform the role.
It is vital for organisations to strike a cut between the role of a DPO, not only in accordance with the law but also the internal management structure of the organisation. DPOs are also a point of contact for the data principals’ rights for handling their requests, and may give their views on the responses being sent to the data principals.
Moreover, the appointment of such dedicated roles for ensuring compliance with a law is an approach that we may have come across in various sectors. DPOs vis-à-vis private regulation When we look at the GDPR, we can reasonably infer that the rules surrounding the role of DPOs are primarily aimed at keeping the DPO independent of the senior board members or the management of an organisation.
Published in: MillenniumPost
To read the full article, please click here.