
The Buck Stops At You – Military to DPDPA Perspective

When I was going to take over command of my unit, one of my seniors gave me one lesson which stuck with me. He said that generally behind the commanding officer’s chair is a wall. It is to tell you that all things which flow from higher-ups stop at you. You should not let any bad news which affects the morale and motivation of your troops pass this wall, and should take it on yourself. In essence – the buck stops at you.

If I compare this with the corporate world, this is so true for companies to maintain their reputation and the trust of clients. Their leadership has to take the responsibility. The commander (head of organisation / Board) is responsible for everything his unit (company) does or fails to do. A fair comparison, isn’t it? So it is with the application of the Digital Personal Data Protection Act (DPDPA) to various institutes. In the last one month I have spoken to many companies regarding DPDPA compliance and found very divergent views. Some have already started looking for solutions, but there are also a few who do not want to view this Elephant in the Room. Their perspective is “Jab hoga dekha jayega” (We will see when it happens). I am surprised at their answers. This is how a typical board meeting must be happening in such organisations:

[Image: DPDPA]

There are numerous parallels I can draw from the defence forces wherein closing one's eyes to a situation has only led to the situation getting bad / worse. It's always best to act, and act in time. I feel that under the Digital Personal Data Protection Act a similar doctrine of command responsibility is enshrined, where the authority for data holding / collection, i.e. the data fiduciaries, also carry accountability for its misuse.

Data Fiduciary Responsibility: The board and CEO carry the ultimate accountability for how data is handled.

Staff Negligence: If a data breach occurs because staff were untrained or the CEO turned a blind eye, the leadership is held responsible.

Third-Party Risks: Even if an IT vendor or a third party mishandles the data, assuring the implementation of a DPDPA framework remains a Board responsibility.

I am reminded of a military history lesson we all learnt, and it goes like this. During World War II, Japanese General Tomoyuki Yamashita was tried by a U.S. military commission after atrocities which were committed by troops under his command in the Philippines, whereas there was no proof that he directly ordered the crimes. He was charged because he was responsible. This later on became the “Yamashita Standard”, which means that a military commander can be held criminally responsible for atrocities committed by their subordinates if the crimes were widespread and the commander failed to take necessary, reasonable steps to control the troops. This may be too harsh for the civil world; however, I want to reframe this for the DPDP Act: a CEO is responsible for data breaches taking place due to his staff and his turning a blind eye to the same, i.e. he has not taken any action to prevent these.

Yes, while the fault for a breach may be of the IT guys in the company, or it may be a third party handling your data, assuring implementation of DPDPA is a Board responsibility.
Yes, The Buck Stops at You.
