HR manager’s guide to data privacy officer role in India

By Shailyamanyu Singh, Anand and Anand

India’s recent introduction of the Digital Personal Data Protection Act of 2023 (DPDPA) has ushered in a new era of data protection regulations for organisations dealing with complex data.

This legislation mandates that organisations classified as a “significant data fiduciary” must establish a dedicated role known as a data protection officer (DPO), responsible for serving as an interface between the company, data subjects and regulatory authorities.

In this article, the author delves into key aspects of the DPO role, helping HR managers better understand the requirements of the legislation.

Residency requirements

Shailyamanyu Singh, Partner designate, Anand and Anand, New Delhi

The law requires that a DPO be based in India, but the term “based in India” lacks a precise definition, leaving room for interpretation.

For instance, can a foreign citizen on a short-term, six-month assignment in India, drawing their salary in India and residing there, be considered “based in India”?

While this might generally be acceptable, Indian income tax laws require an individual to spend more than 182 days in India during a financial year (April to March) – or a total of 60 days or more in a year, and 365 days or more in the immediately preceding four years – to qualify as a resident for tax purposes. The specific requirements can vary for individuals holding Indian passports.

By strict interpretation of the term “based in India”, it seems that a DPO should be an Indian resident receiving remuneration in India.

If a significant data fiduciary wishes to appoint an international talent as a DPO who does not meet “resident” requirements under the income tax laws, seeking formal exemption from the Ministry of Electronics and Information Technology is advisable.

Independence

Under the DPDP Act, a DPO should operate independently within the organisation, reporting directly to the highest level of management within the significant data fiduciary, such as the board of directors or similar governing body, depending on its legal entity structure.

While this requirement is similar to European legislation, the law does not detail how the DPO’s appraisals or compensation and benefits should be structured.

This may be included in the impending regulations. For now, it is best to have the DPO’s appraisals, compensation and benefits overseen by the board of directors or highest level of management, much like those of a company secretary in a listed company.

Companies committed to data governance may also consider establishing a data governance committee as part of their board structure (where applicable), where the DPO periodically shares the health of data governance or even calls for extraordinary meetings in the event of a data breach.

Grievance redressal role

The DPO is also designated as the point of contact for a grievance redressal mechanism. While not expected to directly manage this process, their involvement in it can be central to resolving disputes related to data management. This may include mundane tasks such as serving notices to concerned parties, or representing the company before regulators in data breach investigations.

The role also encompasses the responsibilities of a compliance manager. This entails appointing an independent data auditor, conducting periodic data impact assessments, carrying out audits, and adhering to any additional prescribed requirements.

The DPO also shoulders the responsibility of horizon-scanning to anticipate forthcoming regulations or changes that could affect their roles and the operations of significant data fiduciaries. This means they need to be continually in touch with the latest developments.

Key takeaway

In conclusion, the introduction of the Digital Personal Data Protection Act marks a significant step towards safeguarding personal data and privacy in India.

Organisations navigating this legal landscape must carefully consider the above-mentioned intricacies when drafting a job description for DPO applicants, as well as positioning this role in the organisation. For now, it looks like a techno-legal talent might be a good fit.

Shailyamanyu Singh is a Partner Designate at Anand and Anand in New Delhi

Anand and Anand
B-41, Nizamuddin East
New Delhi 110013, India
www.anandandanand.com
Contact details:
T: +91 120 4059300
E: shailyamanyu@anandandanand.com
