What is, and which organizations have to appoint a DPO?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
India’s Information Technology Rules, 2011 on Reasonable Security Practices and Procedures and Sensitive Personal Data or Information (“Privacy Rules”) does not contain an official role with the title ‘data protection officer,’ but it does require corporate entities that collect sensitive personal data or information to designate a ‘Grievance Officer’ and publish the officer’s name and contact information on the company’s website. Grievance Officers must redress any issues/complaints associated with personal data processing (employee related or otherwise) within one month from the date the grievance is received. That said, note that if the parties agree on what constitutes reasonable security practices/procedures, the parties can agree to waive the applicability of the Privacy Rules, including the Grievance Officer requirement.
The draft Personal Data Protection Bill, if passed in its current form, will require some organizations to appoint a Data Protection Officer.