Should CISOs be the Data Protection Officers?

Whether you are the DPO or not, you will have to play a big role as the CISO in ensuring that your organization is compliant with the provisions of the privacy laws.

India’s privacy legislation is in the making. The draft Personal Data Protection bill has already been released for public comments.

Section 36 of the draft bill mandates that each data fiduciary—entities dealing with personal data of individuals—should have a data protection officer (DPO). Clause 2 of the same section also makes it clear that the position of DPO does not have to be exclusive. An executive with other responsibilities can also carry out the responsibilities of the DPO.

Since the fundamental responsibility of the position is to ensure that the individual data handled by the organization is well protected, the role will be all about information security and, of course, ensuring compliance. As of today, both of these responsibilities are handled by CISOs. The data protection bill merely expands the scope to include the data of individuals handled by the organization.

From an organization’s point of view, there are broadly two options—either to appoint a legal professional or to appoint an information security professional. Many American and European businesses have privacy officers who perform similar roles, and many of them are legal professionals. In India, however, legal professionals with the kind of technology understanding the role demands are rare. My guess is that most organizations will turn to information security professionals for the job.

From a CISO’s point of view, is it a good idea to take up the role? It depends on what kind of work you love. The DPO role will have three broad responsibilities:

  • To ensure that the laws are adhered to, using tools and technologies. This is similar to the traditional CISO role.
  • To be the point of contact for the regulators. This is not the traditional role of the CISO, but increasingly they are getting exposed to it.
  • To be the point of contact for data principals (consumers). This is a completely new kind of responsibility for the CISO.

However, there is another requirement. Those CISOs who are part of the CIO organization will have a tough job balancing conflicting responsibilities! Only those CISOs who report directly to the CEO/COO/CFO or the Head of Risk can effectively carry out the responsibility!

If you think you will love these challenges, go for it. But one thing is for sure: whether you are the DPO or not, you will have to play a big role as the CISO in ensuring that your organization is compliant with the provisions of the privacy laws.

The author is Senior Vice President – IT, UTI Mutual Fund
