Data Protection: Organization Roles

  • Picture
  • Click to enlarge  Enlarge

To understand the implication of privacy requirements or regulations, there is a need to evaluate what role an organization is performing in respect of handling the personal information. An interface with the end customer or user or consumer for collecting the personal data is one of the factors for identifying the role of an organization from the perspective of data protection. If an organization collects the data directly from the end customer, for the purpose of providing the business services offered, it is called as the data controller. Since the domestic industry segments in India like Banks, Telecom, E-Commerce, and E-Governance collect personal information directly, they can be classified as data controllers.


If an organization receives the personal information from any another organization for processing, as a part of services offered, it becomes the data processor. The IT services and BPO industry fall under this category. An organization, which collects the personal information of its employee, also falls under the category of the ‘data controller’. The individual whose personal information is collected – be it the end customer, consumer, or even an employee, is referred as the ‘data subject’.


The understandings about the role that an organization in a particular data transaction helps establish the applicability of the privacy principles. These principles are advocated by different frameworks and data protection legislations across the globe.


The data controller, who is the owner of the personal data being collected, should adhere to the privacy practices to provide an assurance to the end customer, and be in compliance with the applicable regulations. However, business realities such as outsourcing change the data protection dynamics. The data controller, who avails of external services, extends the liabilities to, and shares the same with the service providers. A service provider, termed as a data processor, thus, should also have the privacy initiatives to comply with data protection requirements of its clients.


The data processor, however, may not be required to adopt all privacy principles that the controller has adopted. Principles such as Notice to the end customer, Collection limitation and Consent of the data subject may not be applicable to the data processor. However, for identifying the role of an organization from the perspective of privacy, there requires a careful study of the nature of its business and its relations with the end customers, clients and service providers.


Growing data protection regimes are raising the liabilities of an organization for improved data protection. An organization, which collects the personal information of its employees, also comes under the purview of these regulations. This provides a reason for an organization to extend the scope of the privacy initiatives to cover the personal data of its employees as well. DSCI Privacy Framework (DPF©) takes a careful note of the business ecosystem, the role of different entities with respect to the transactions in personal data, and the liabilities of these entities hitherto. The Privacy Best Practices provide an approach and detailed guidance that will help establish a mature privacy function.