Skip to main content

news

India’s new data protection law has been months in the making. The Personal Data Protection Bill 2019 was tabled in parliament by the Ministry of Electronics and Information Technology in December that year; since then it is being analysed by a Joint Parliamentary Committee in consultation with experts and stakeholders. Key aspects to the bill include sweeping mechanisms for protection of personal data, setting up a Data Protection Authority of India (DPA), a provision that the central government can exempt any government agency from the bill, and the “Right to Be Forgotten.” Since it was tabled, reaction has been mixed: There is the acknowledgement that India does need to fortify its data protection laws, coupled with the anxiety that the bill could be a serious threat to Indians' privacy. You can play a really cool card game to understand the bill better, and do also read this recent piece about the “arduous task” that lies ahead of the proposed DPA.

 

However, we will focus on the role of the data protection officer (DPO) in organisations, which is expected to grow in importance as the legislation kicks in. “There is a threshold classification for entities beyond which they are required to appoint,” explains Shahana Chatterji, a partner at Shardul Amarchand Mangaldas. “It is significant data fiduciaries, which are data fiduciaries who are notified on the basis of factors including volume and sensitivity of data process by them, that have to appoint DPOs. The DPO is required to be based in India and is expected to the point of contact for data subject grievances.” Eira Mishra, a partner at EPA Law Offices, points out that the DPO’s role “will flow both inwards (providing information, training on best practices, monitoring, assessing and reviewing data processing) and outwards (acting as a point of contact for the customers, assisting the Data Protecting Authority and carrying out statutory compliances).”

If that sounds complex, it is. “The functions specified in the PDP bill appear to require the DPO’s approach to be more customer-centric, and therefore, quite different from that of an information security officer,” says Anshul Sunil Saurastri, a partner at Krishna & Saurastri. “For instance, a DPO is required to act as a data principal’s point of contact for grievance redressal and at the same time assist the DPA on matters relating to compliance by the data fiduciary. Furthermore, the DPO is required to monitor activities of the data fiduciary, advice on development of internal processes for compliance, and so on. Therefore, clearly, the DPO has to wear a lot of hats.”

Saurastri feels that even businesses that do not need to appoint a dedicated DPO will look to do so but finding the “right talent is going to be difficult,” hence the need to hire externally. The race to recruit, it seems, has already begun. Gaurav Chattur, Asia-Pacific managing director at executive search firm Catenon, reveals that he has seen an “evident increase in demand for data privacy professionals” in sectors like BFSI and consumer tech. The personnel in demand appear to possess “the right combination of multiple security skills alongside an overall proficiency in technology and knowledge of risk management and compliance.”

But can businesses still look to hire from within? “Amid this pandemic, many organisations are exploring diverse talent pools across data privacy, compliance, regulations, risk automation and law to hire and build pipelines,” says Chattur. “It should be noted that Europe has already undergone a massive GDPR drive over the last few years. Compliance, strategy and technology folks with experience of implementing this for European organisations will be in high demand.”

 

To contact the editorial team, please email ALBEditor@thomsonreuters.com.

Related Articles

SUBMISSIONS OPEN: ALB Firms to Watch (Singapore) 2025

Submissions open for ALB Firm to Watch (Singapore) list. The list will highlight the law firms with a more compact partner structure or focused practice in the country. The list will be published in the January/February 2025 issue of ALB Asia. 

Paul, Weiss, which once led U.S. firms’ China charge, becomes latest domino to fall

New York-based law firm Paul, Weiss, Rifkind, Wharton & Garrison has confirmed to ALB that it will close its Beijing office by the end of 2024. According to records kept by ALB, it will become the 13th U.S. law firm this year to scale back its China operations.

JSM reborn as Mayer Brown HK split comes through

Johnson Stokes & Master (JSM), one of Hong Kong's oldest law firms, has announced its return as a leading independent firm in the region following a previously announced separation from Mayer Brown.