Differences in the roles and responsibilities of DPO and CISO

October 1, 2025

By Anuradha Gandhi and Rishabh Gupta

Introduction

The enactment of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDP Act”) has clarified and differentiated the roles of the Data Protection Officer (“DPO”) and the Chief Information Security Officer (“CISO”), moving away from the earlier tendency of organizations to merge these roles or to let their responsibilities overlap. The DPO drives privacy governance at the policy and compliance level, while the CISO ensures that the technical safeguards meet those legal expectations.

Who is a Data Protection Officer?

The concept of a Data Protection Officer (hereinafter referred to as “DPO”) has been developed and practised in many countries over the years. The Article 29 Working Party suggests that, in addition to facilitating compliance tasks such as data protection impact assessments or carrying out audits, DPOs may act as intermediaries between relevant stakeholders such as supervisory authorities, data subjects, and business units within an organisation[1].

Under the DPDP Act, a DPO is a person appointed by a Significant Data Fiduciary as a point of contact for the grievance redressal mechanism and an individual responsible to the Board of Directors and the governing body of Significant Data Fiduciary.[2]

Significant Data Fiduciaries (hereinafter referred to as “SDFs”) are notified by the Central Government on an assessment of the following factors:

  1. Volume and sensitivity of personal data processed;
  2. Risk to the rights of Data Principals (including, but not limited to, erasure, access and withdrawal of consent);
  3. Potential impact on the sovereignty and integrity of India;
  4. Risk to electoral democracy;
  5. Security of the State; and
  6. Public order.

Although the DPDP Act does not require the appointment of a representative, SDFs are required to appoint a DPO who is based in India. Other Data Fiduciaries that are not classified as SDFs have no obligation to appoint a DPO or a representative based in India. The SDF bears the legal accountability for compliance, while the DPO is an internal functionary appointed to assist the SDF in fulfilling these obligations.

Roles and Responsibilities of DPO

The Court of Justice of the European Union has reiterated the role of DPO as specified under Article 39 of GDPR as:

  • To inform and advise about data protection provisions to the controller or processor and the employees carrying out processing of personal information;
  • To monitor compliance with applicable data protection provisions and with the policies of the controller or processor for the protection of personal information, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • To provide advice with respect to data protection impact assessment and monitor its performance;
  • To cooperate with the supervisory authority; and
  • To act as the contact point for the supervisory authority on issues relating to processing.[3]

In the Indian context, the role of the DPO can be understood by reference to the DPDP Act and other sector-specific regulations. The key tasks of a DPO are listed below:

  1. Mapping of Personal Information

    The primary responsibility of a DPO is to build an understanding of how personal information is handled throughout its complete lifecycle, from collection to deletion, including the types of personal information handled, the organizational processes that touch such information, access and transmission channels, record-keeping and data security. As part of the duty to monitor compliance, a DPO may, in particular:

    1. Identify business processes and activities that deal with personal information;
    2. Analyse and assess the compliance of processing activities in relation to data storage, transmission, sharing and analytics, and the adequacy of the implemented protection measures; and
    3. Inform, advise and issue recommendations to Data Fiduciaries and Data Processors.
  2. Give Advice about Data Protection Impact Assessment

    Although the responsibility for carrying out a Data Protection Impact Assessment (DPIA) lies with the SDF, the DPO should advise the SDF on the following matters:

    1. whether or not to carry out a DPIA;
    2. what methodology to follow when carrying out a DPIA;
    3. whether to carry out the DPIA in-house or to outsource it;
    4. what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects; and
    5. whether or not the DPIA has been correctly carried out and whether its conclusions are in compliance with the DPDP Act.[4]
  3. Keep records of all data processing activities with their purposes

    A DPO is required to ‘maintain a record of processing operations under its responsibility’ or ‘maintain a record of all categories of processing activities carried out on behalf of the data fiduciary’. The DPO must create inventories and hold a register of processing operations based on the information provided by the various departments in the organisation responsible for the processing of personal data.

  4. Maintain an incident management plan to ensure timely remediation of incidents related to personal data

    A DPO must evaluate the privacy monitoring and incident management capabilities of the organization to detect, contain and communicate privacy breaches or incidents. The DPO must also formulate an incident management plan for responding to a privacy breach. Some of the steps that can be followed are:

    1. Contain the breach immediately to prevent any further compromise of personal information;
    2. Assess the risk of harm to affected individuals by investigating the circumstances of the breach;
    3. Notify all relevant stakeholders, such as regulatory authorities, Data Principals and law enforcement bodies, in a timely manner;
    4. Formulate templates for data breach notifications; and
    5. Review the breach and the organisation’s response in order to consider longer-term action to prevent future incidents of a similar nature and to improve the organisation’s handling of future breaches.[5]
  5. Ensuring Overall Privacy Compliance Intelligence within the Organization

    A DPO must ensure the following:

    1. Track applicable privacy laws and regulations;
    2. Determine the consequences of non-compliance;
    3. Create privacy awareness and deliver training within and outside the organization;
    4. Incorporate privacy requirements into contracts;
    5. Ensure the lawful and fair handling of personal information by formulating privacy policies and updating them as requirements change; and
    6. Drive privacy initiatives such as Privacy by Design and Privacy Enhancing Technologies (PETs).

Is the DPO personally responsible for non-compliance with data protection requirements?

No. A DPO is not personally responsible for non-compliance with data protection requirements. It is the Data Fiduciary who is required to ensure, and to be able to demonstrate, that processing is performed in accordance with the rules of the DPDP Act.[6]

The concept of Chief Information Security Officer

The cybersecurity landscape in India witnessed an unprecedented evolution during 2024, with over 369.01 million security incidents detected across 8.44 million endpoints. Healthcare was the most attacked sector (21.82% of all attacks), followed by banking (17.38%), which suggests that attackers are focusing on industries that handle large volumes of personal, financial and health data. Cybercriminals may also use Artificial Intelligence, Machine Learning technologies or even deepfakes to deceive individuals and manipulate information.[7]

Appointment of CISO

The appointment of a CISO is mandated by sector-specific rules issued by regulatory bodies such as the Reserve Bank of India (“RBI”)[8], the Insurance Regulatory and Development Authority of India (“IRDAI”)[9] and the Indian Computer Emergency Response Team (“CERT-In”)[10].

Under these rules, a CISO must be a senior-level official with the requisite technical background and expertise, appointed for a reasonable minimum term, who reports directly to the top executive overseeing the risk management function (or, in that executive’s absence, directly to the CEO) and who assumes overall responsibility for the governance and monitoring of information security.

Key Responsibilities of CISO

The National Company Law Tribunal has identified some key roles for a CISO. Inter alia, these are[11]:

  1. Maintaining and updating the threat landscape for the organization on a regular basis, including staying up to date on the latest security threat environment and technology developments;
  2. Establishing a cybersecurity programme and a business continuity programme, and drafting security policies such as the information security policy, data governance and classification policy, access control policy, etc.;
  3. Establishing and reviewing the risk assessment methodology and selecting appropriate controls for risk mitigation;
  4. Interacting with external agencies and regulatory bodies such as CERT-In;
  5. Vulnerability Assessment and Penetration Testing (VAPT) of all websites, portals and IT systems on a quarterly basis, ensuring that websites are GIGW compliant;
  6. Web Application Security Assessment (WASA) and white-listing of all web applications in use by the organization, annually;
  7. Issuing and periodically reviewing device hardening guidelines, patch management guidelines, anti-virus/malware guidelines, user access management guidelines, privileged access management guidelines, endpoint management guidelines, etc.;
  8. Establishing a Cyber Crisis Management Group with the head of the organization and preparing a list of persons to be contacted at the time of a crisis, with up-to-date details; and
  9. Maintaining a Cyber Crisis Management Plan outlining the roles and responsibilities of organizational stakeholders.

Conflicting Interest between the two roles

As far as the conflicting interests between the roles of a DPO and a CISO are concerned, the General Data Protection Regulation (“GDPR”) provides that a DPO may fulfil other tasks and duties provided such tasks and duties do not result in a conflict of interests. It is the responsibility of the Data Controller or Processor to ensure that such conflicts of interest do not arise[12].

In this context, the Court of Justice of the European Union has held that a “conflict of interests”, as provided in Article 38(6), “may exist where a DPO is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor, which is a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organizational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.”[13]

In a similar case, the Belgian Data Protection Authority imposed an administrative fine of EUR 50,000 on a telecom services provider for having appointed its existing Director for Audit, Risk and Compliance as its Data Protection Officer, considering that the combination of roles was a serious breach of Article 38 of the GDPR.[14]

The above ruling implies that a DPO cannot be entrusted with tasks or duties that could impair the execution of their functions as a DPO. In India, as mentioned above, sectoral regulators such as the RBI, CERT-In and IRDAI explicitly require the appointment of a dedicated CISO; merging that role with the role of the DPO may therefore not satisfy the mandate and may lead to regulatory action under the relevant sectoral rules.

Conclusion

Even though the DPDP Act does not detail the duties of the DPO, their appointment creates a clear compliance contact point, distinct from cybersecurity operations. Unlike the CISO, whose role is technical and security-focused, the DPO’s remit is privacy governance, i.e. overseeing compliance with data protection principles, managing Data Principals’ rights and liaising with the Data Protection Board.

[1] https://ec.europa.eu/newsroom/article29/items/612048

[2] Section 2(l) of Digital Personal Data Protection Act, 2023

[3] Para 6, X-FAB Dresden GmbH & Co. KG (C‑453/21) dated February 09, 2023, available at: https://curia.europa.eu/juris/document/document.jsf?text=&docid=270323&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3046073

[4] https://ec.europa.eu/newsroom/just/document.cfm?doc_id=44100

[5] https://ovic.vic.gov.au/privacy/resources-for-organisations/managing-the-privacy-impacts-of-a-data-breach/#part-4-responding-to-a-data-breach

[6] Section 8(1) of Digital Personal Data Protection Act, 2023

[7] https://www.dsci.in/resource/content/india-cyber-threat-report-2025

[8] Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2022, available at: https://www.rbi.org.in/scripts/bs_viewcontent.aspx?Id=4205

[9] IRDAI Information and Cyber Security Guidelines, 2023, available at:

[10] CERT-In Guidelines on Information Security Practices for Government Entities, 2023, available at: https://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=CISG-2023-01

[11] File No. 10/54/2022-NCLT dated August 03, 2022, available at: https://nclt.gov.in/sites/default/files/tender/circulars/publicnotices/CISO%20NCLT.pdf

[12] Article 38(6) of GDPR, available at: https://gdpr-info.eu/art-38-gdpr/

[13] Para 46, X-FAB Dresden GmbH & Co. KG (C‑453/21) dated February 09, 2023, available at: https://curia.europa.eu/juris/document/document.jsf?text=&docid=270323&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3046073

[14] https://www.debandt.eu/en/node/127

For more information please contact us at: info@ssrana.com