
The role of the DPO just got bigger and more powerful

Traditionally, we find the DPO (Data Protection Officer) in large and very large enterprises.

Small and Medium-sized businesses most probably do not have a DPO. But that is going to change now.

Why?

After nearly two years of deliberations, the Joint Parliamentary Committee (JPC) finally tabled the Personal Data Protection (PDP) Bill, 2019 in the Indian Parliament. This bill will ultimately pave the way for the strongest data protection law in the world’s largest democracy.

One of the key recommendations this committee makes is the mandatory appointment of a DPO. The law provides clarity on who can be a DPO, the DPO’s role during data transfers, and many other carefully laid-out clauses.

According to this law, each organization should have a DPO, appointed by the data fiduciary, who liaises with the Data Protection Authority (DPA) on auditing, grievance redressal, record maintenance, and more.

The JPC has made it clear that the DPO can only be a person in a “key managerial position”, such as the CEO, CFO, or a similar role. The role of the DPO has now become bigger and better. Let us first take a deeper look into the role the DPO plays.

What role does the DPO play in the organization?

Under this bill, the data fiduciary must appoint a Data Protection Officer (DPO) who is based in India. The DPO has to:

  1. Provide information and advice to the data fiduciary on matters relating to fulfilling its obligations under this act
  2. Monitor personal data processing activities to ensure that such processing does not violate the provisions of this act
  3. Provide advice to the fiduciary on carrying out data protection impact assessments, and carry out their review
  4. Provide advice on the development of internal mechanisms to satisfy the principles of the act
  5. Assist and cooperate with the Authority on matters of compliance
  6. Act as a point of contact for the data principal for grievance redressal
  7. Maintain an inventory of records

It must also be ensured that the DPO does not have a conflict of interest that may prevent him/her from fulfilling his/her duties responsibly. The DPO plays a very critical role in the organization.

So far, the DPO has only been involved in ensuring that cybersecurity laws are adhered to and in routinely checking whether item A or item B has been followed as per the company’s protocol. But now, with the new data protection bill, his/her role has just gotten bigger and stronger!

Let’s look at two areas where the DPO plays a very crucial role.

Critical areas that need a DPO’s immediate attention

While the DPO is engaged in the overall cybersecurity strategy and implementation in an organization, his/her presence is especially critical in two areas. In these two areas the DPO has a larger-than-life role to play, because when they succumb to a cyberattack the damage is greater, not only in terms of monetary loss but also in severe reputational loss.

  • Business/Mission-Critical Systems – Organizations depend on mission-critical systems and devices for immediate operations, whereas a business-critical system is needed for long-term operations and survival. Take, for example, a financial application that handles monetary transactions. Financial applications are designed to meet specific needs and are prioritized according to their impact on the business. Additionally, all of them have to ensure the security of transactions and the privacy of sensitive personal information. ERP systems, commonly based on SAP, are a central function in almost all organizations. Customer, employee, and supplier data (both personal and non-personal) and every aspect of a production- or distribution-based business will be stored in mission-critical systems like SAP, along with other financial details. Even a small downtime or outage may have a significant impact, and the organization might suffer huge losses. A mission-critical or business-critical system that is not adequately secured is a hackers’ paradise.
  • CAD Design/Engineering Systems – A lot of intellectual property that requires protection is in the form of design files. Design applications store drawings, prototypes, trade secrets, design blueprints, production plans, and pricing lists in CAD/PLM systems. Now more than ever, design industries are exposed to breach points spanning legacy systems and interconnected supply chains, to name a few. Such industries have to deal with insider threats as well. The existing technology footprint, along with the rapid proliferation of new technologies and changes in the industry, will have a tremendous impact on the design industry. Added to this is the complexity of the cyber risks this industry faces, which the DPO will have to manage. They have to build cyber risk strategies, monitor systems and applications, people, and third-party contacts, and build resilient strategies to weather cyber threats.

In these two critical areas, the DPO has a larger role to play. He/she should be able to evaluate risks related to intellectual property (IP) and recognize that this risk applies not only to data at rest but also to data in motion as it moves through the organization’s supply chain and in and out of the organization to third parties, offshore manufacturing, and other services.

DPO Roles and Responsibilities

How does a large enterprise like yours, running SAP with hundreds of application users who execute thousands of reports and transactions, generating tens of thousands of reports and files and gigabytes of corporate data residing in documents, protect its business data?

Moreover, data resides in business documents that can be exported, and any number of copies can be made every day. Even a single copy in the wrong hands can cause huge trouble. So how does the DPO ensure that all data that is created, stored, or exported is safe, both within the organization and outside it?

The only option left for the DPO is to ensure that the organization applies security controls at the data layer, where the unit of data is the file itself (e.g. a .doc or .xls document). This can be achieved by adopting Information Rights technology and employing a Zero Trust strategy.

How HALOCORE and HALOCAD address the data security challenge the DPO faces

With more than two decades of data security expertise, SECUDE’s products HALOCORE and HALOCAD provide a holistic approach to cybersecurity. SECUDE’s flagship product HALOCORE extends Microsoft Information Protection security templates into SAP, so that data security follows the file throughout its lifecycle.

Let’s take the case of Infosys as an example. Infosys, a global leader in next-generation digital services serving a client base of 1500 customers, has SAP as its core enterprise platform for all its key business areas, including finance, HCM, P2P, planning and budgeting, and data warehousing.

Infosys had already deployed RMS (Rights Management Service) and had migrated to AIP (Azure Information Protection) at an enterprise level, but this encryption was not available at the SAP user level, nor in an automated, rule-based manner.

It is the DPO’s mandate to protect all business data. Therefore, Infosys needed a solution that would meet the above criteria. HALOCORE was the only solution that met their requirement, as it extends the SAP access control shield for intellectual property and other sensitive information beyond SAP boundaries.

Similarly, SECUDE’s HALOCAD leverages Microsoft Information Protection (MIP) to encrypt CAD files and provide CAD file security. It is tightly integrated with MIP and fully supports all implementation scenarios of Azure Information Protection (AIP) and Rights Management Service (RMS).

HALOCAD automatically applies MIP labels to priceless CAD files throughout their lifecycle, even beyond the company’s IT boundaries, and extends data-centric security across PLM and multi-CAD integrations.

Conclusion

Today’s ever-changing business environment, with millions of transactions, has also raised customers’ digital expectations, and therefore requires new cybersecurity practices to be put in place.

The DPO has a dynamic role to play: he/she not only has to address the evolving cyber risk landscape but should be well-prepared before a breach occurs and must remain vigilant at all times. However, the DPO cannot be a one-man army; he/she needs the support of the team and must demonstrate due diligence, ownership, and effective management of cyber risk.

Protecting sensitive data is a complex challenge and requires a holistic and comprehensive data protection solution. A good data-centric solution offering digital rights management with Zero Trust principles such as SECUDE’s HALOCORE and HALOCAD will secure data through its entire lifecycle and would ease the burden of protecting sensitive information, especially during data collaboration.

To know how our solutions protect the data at all times and help the DPO send us an email at
