“Privacy is not something that I'm merely entitled to, it's an absolute prerequisite.” - Marlon Brando
Privacy is a fundamental right of every individual. However the internet explosion has raised new challenges for privacy protection, on account of which privacy legislation have become even more stringent. In India, the Section 43 (A) of the new IT Amendment Act 2008 clearly states that a body corporate has to protect sensitive personnel data. This leads us to an interesting question of who is responsible for privacy protection within an organization. The Chief Privacy Officer (CPO) role was primarily designated for this purpose.
The post of a Chief Privacy Officer was created to address the complex privacy requirements of clients and also to spread awareness about the need for privacy. For example, IBM has had a Chief Privacy Officer for the last three years. The general feeling is that only those serious about privacy would go in for a Chief Privacy Officer. As Manoj Sarangi, the director for enterprise risk service at a leading consulting firm says, “In most organizations, the CPO's role is driven by regulatory requirements. Hence you may find it common in multinational companies. But as India does not have any privacy law, the momentum is yet slow here”.
India does not have a single law that completely and specifically addresses privacy issues. Therefore, awareness is limited in its scope as well as reach. Organizations that handle outsourced data such as BPOs have to comply with requirements of foreign regulations like HIPAA/HITECH, EU privacy laws and FFIEC requirements. However, organizations handling domestic data are sluggish in their approach to privacy.
Concern about security measures
Nandita Jain Mahajan, the chief privacy and information security officer of IBM India/South Asia and IBM Daksh, however feels that the privacy landscape is rapidly changing in India. This has been case especially after the ITAA 2008 and initiatives by bodies like NASSCOM. For example, NASSCOM set up the Data Security Council of India (DSCI) in 2008 as a Self Regulatory Organization (SRO) to establish, popularize, monitor and enforce privacy and data protection standards for India’s ITeS-BPO industry. Mahajan feels that Indian service providers that cater to domestic market are slowly adopting secure measures for protecting personal privacy. Despite these measures, very few industry verticals like telecom, pharma/life sciences, BPO/KPOs and BFSI organizations that deal in huge amounts of personal data are serious about privacy protection.
If the Chief Privacy Officer’s role is expected to gain prominence in the future, then we need to understand how an organization can establish the need for this designation. Mahajan says, “If your company services clients and handles personally identifiable information such as name, date of birth, address, salary, credit card number, biometrics, social security number, PAN number, and bank account numbers, then an organization must invest in privacy resources.”
CPOs are the public point for a company's privacy initiatives. In other words, their role in the organization has to be the human face for data security and privacy efforts.
Nandita Jain Mahajan, The Chief Privacy and Information Security Officer of IBM India/South Asia and IBM Daksh
The topic privacy falls within the legal ambit. Hence the role of a CPO is also often compliance driven. Satyam Das, the associate vice president for risk management at AXA Business Services Pvt. Ltd, believes that the need for a Chief Privacy Officer primarily rises on two fronts – if there is a local regulation that mandates it, and when the organization gives enough importance to the topic. Organizations dealing in large amount of personal data, whether of customers or employees, may look for privacy. “A Chief Privacy Officer is also needed when the organization complexity increases and there are multiple contracts, from different geographies, which require adherence to privacy requirements,” says Mahajan.
Role and responsibilities of a CPO
It’s imperative that the Chief Privacy Officer’s role will slowly become an integral part of an organization. Das suggests that the Chief Privacy Officer should be a senior level executive in the company with specific responsibilities to manage the risks and business impact arising out of privacy laws and policies. “The person should have expertise on domestic and international privacy laws, as well as be able to formulate privacy policies in line with a company’s kind of business and market presence,” says Das. In mature markets, the Chief Privacy Officer positions are mostly occupied by privacy lawyers who report to the general counsel of the company.
Apart from strong understanding of privacy laws, a Chief Privacy Officer must also have sound technical knowledge and the ability to identify how a company manages information at different stages of its lifecycle. A CPO also needs to be good at general management, as this comes in handy in managing privacy processes.
Can a CISO handle privacy functions?
While Indian organizations are still catching up with the trend of having a Chief Privacy Officer, can Chief Information Security Officers (CISOs) handle privacy function? Das and Sarangi feel that the focus and priorities of a CISO and a CPO cannot be clubbed. Sarangi believes that information security and privacy are two different aspects — a CISO protects an organization’s information infrastructure and data, while a Chief Privacy Officer protects the privacy of customers and employees. “It depends on the kind and volume of data an organization handles,” says Sarangi. “If an enterprise outsources data of 25 countries and 200 customers, there is definitely the need for a CPO. CISO alone cannot handle this responsibility ”
Das feels that the issues and risks that a CPO is expected to manage is a subset of the overall responsibility of a Chief Risk Officer. “Hence it is acceptable to have a direct reporting line of the Chief Privacy Officer to the CRO. However, in most cases, CPOs report to the general counsel in a company, primarily because it is a legal topic,” he says.
Mahajan however does not agree to the above opinions and asserts that a CISO who is also well-versed in the domains of privacy, ethics and legal can handle privacy protection and will be able to discharge the responsibilities of a CPO. He needs to be prepared for at least a couple of years of hard work before achieving adeptness at the role. Having industry vertical exposure, especially in the financial and health care areas, can also be an added advantage. In India, we still do not consider the Chief Privacy Officer in an FTE role, but the situation will improve over time with more awareness at the top level, concludes Das.