Internal & External Interactions
Internal Interaction With:
- CMD – Reporting line for DPO; receives strategic direction and escalates critical privacy matters.
- Field Operations & Survey Teams – Governs on-ground data collection practices, consent mechanism deployment, and surveyor training.
- Data Analysis & Research Teams – Oversees lawful processing, purpose limitation, and data minimisation at the analytics layer.
- IT & Information Security Teams – Collaborates on technical safeguards, encryption, access controls, and breach response.
- Legal & Contract Teams – Reviews vendor contracts, data processing agreements, and cross-border transfer clauses.
- HR & Training Teams – Co-designs and mandates DPDP awareness training across the organisation.
- Product & Technology Teams – Provides privacy-by-design oversight for any digital tools, apps, or platforms used in survey operations.
External Interaction With:
- Data Protection Board of India (DPBI) – Primary regulatory liaison; handles notices, complaints, and audit correspondence.
- Survey Respondents (Data Principals) – Manages grievance redressal, responds to access/correction/erasure requests under Sections 11–13.
- Client Organisations (Brands, Institutions, Governments) – Negotiates data processing agreements and manages purpose-limited disclosures.
- Third-Party Vendors & Data Processors – Audits data processors for compliance and enforces contractual data protection obligations.
- Independent Data Auditors – Facilitates statutory annual audits as required under SDF obligations.
- Legal Counsel & External Privacy Advisors – Engages on complex regulatory matters, litigation support, and emerging compliance questions.
- Government & Regulatory Bodies – Engages with MeitY and sector regulators on policy consultations relevant to consumer data intelligence.
Requirements & Skills
1. Regulatory Compliance & Legal Interpretation -
Serve as the organisation's authoritative expert on the DPDP Act, 2023, DPDP Rules, 2025, and all subordinate regulations, guidelines, and circulars issued by MeitY and the Data Protection Board of India.
-
Provide binding legal interpretation on data protection obligations applicable to AXIS MY INDIA's survey and analytics operations.
-
Monitor regulatory developments and proactively update compliance policies before statutory deadlines.
-
Advise on lawful bases for processing — including consent management, legitimate use, and obligations under Section 7 and Section 8 of the DPDP Act.
2. Consent Management & Data Principal Rights
-
Design and implement a robust consent management framework for field survey operations, ensuring notices are clear, specific, and provided in the local language of the respondent.
-
Establish mechanisms for respondents to withdraw consent, access their data, seek correction, erasure, and grievance redressal as mandated under Sections 11–13 of the DPDP Act.
-
Maintain auditable records of consent collection across all field survey touchpoints — both digital and paper-based.
-
Respond to Data Principal requests within the timelines stipulated by the DPDP Rules.
3. Data Protection Impact Assessments (DPIAs)
-
Lead periodic DPIAs for all high-risk processing activities — including large-scale village surveys, biometric data collection (if any), analytics profiling, and cross-border data transfers.
-
Identify residual risks and design mitigation measures in collaboration with IT, Legal, and Operations.
-
Maintain DPIA registers and ensure they are reviewed on a defined schedule or triggered by material changes in processing activities.
4. Information Security & Technical Safeguards
-
Work with IT teams to ensure appropriate technical and organisational measures are implemented — including encryption of survey data, role-based access controls, data masking in analytics systems, and secure transmission of field data.
-
Oversee the organisation's data breach detection, reporting, and response procedures as per Section 8(6) of the DPDP Act and CERT-In Directions.
-
Ensure personal data is not retained beyond the purpose for which it was collected — enforce data retention and deletion schedules.
5. Third-Party & Vendor Compliance
-
Review and approve all Data Processing Agreements (DPAs) entered into with clients, sub-processors, cloud vendors, analytics partners, and government agencies.
-
Conduct regular vendor due diligence and audits to verify that data processors comply with AXIS MY INDIA's contractual data protection obligations.
-
Maintain a Register of Processing Activities (RoPA) documenting all internal and external data flows.
-
Manage cross-border transfer compliance for any data shared with international clients or processed on overseas platforms.
6. Training, Awareness & Culture
-
Design and deliver mandatory DPDP training programmes for field surveyors, data analysts, operations staff, and senior management.
-
Build a privacy-by-design culture across product and technology development, ensuring data minimisation is embedded from the outset.
-
Publish internal privacy bulletins and handle ad-hoc advisory queries from business units.
7. Regulatory Liaison & Grievance Management
-
Act as the sole authorised point of contact for the Data Protection Board of India — receive, acknowledge, and respond to regulatory notices within prescribed timeframes.
-
Maintain and operate a structured Grievance Redressal Mechanism accessible to all survey respondents.
-
Log, investigate, and resolve all privacy complaints within the time limits mandated by the DPDP Rules.
-
Represent AXIS MY INDIA in any inquiry, investigation, or adjudicatory proceedings before the Data Protection Board.
8. Independent Audits & Reporting
-
Facilitate and co-ordinate the annual Independent Data Audit as required for Significant Data Fiduciaries under DPDP Rules.
-
Prepare and present quarterly and annual data protection compliance reports to the Board of Directors.
-
Track and report on key privacy KPIs — consent rates, DPIA completion, breach response times, Data Principal request resolution, and audit findings.
Roles & Responsibilities
Ensure —
✔ Full organisational compliance with the DPDP Act, 2023 and DPDP Rules, 2025 at all times.
✔ Valid, informed, and auditable consent is obtained from every survey respondent before personal data collection.
✔ Data Principals' rights — access, correction, erasure, grievance — are honoured within regulatory timelines.
✔ Data breaches are identified, contained, and reported to the Data Protection Board within 72 hours of discovery.
✔ All vendors and data processors are contractually bound and monitored for DPDP compliance.
✔ DPIAs are completed for all new, modified, or high-risk processing activities before they go live.
✔ AXIS MY INDIA's privacy notices are accurate, current, and available in accessible formats and local languages.
Carry Out —
✔ Periodic internal audits and privacy health checks across field operations, IT systems, and analytics processes.
✔ Annual co-ordination of the Independent Data Audit mandated for SDFs.
✔ DPDP training and sensitisation programmes for all staff who handle personal data.
✔ Maintenance and regular update of the Register of Processing Activities (RoPA).
✔ Review of all new contracts, product features, or processing activities for privacy compliance before sign-off.
✔ Regulatory correspondence and representation before the Data Protection Board of India.
Contribute —
✔ Strategic input to the Board on emerging privacy risks, regulatory changes, and compliance investment priorities.
✔ Privacy-by-design recommendations at the ideation stage of new survey methodologies, digital tools, or analytics products.
✔ Industry-level engagement on data protection policy in the market research and consumer intelligence sector.
✔ Continuous improvement of AXIS MY INDIA's data governance maturity — targeting recognised frameworks such as ISO 27701.
Competencies
Technical Competencies
Behavioural Competencies
DPDP Act & DPDP Rules Mastery
High Personal Integrity & Independence
Consent Architecture & Management
Courageous Communication — Board Advisory & Pushbacks
DPIA & Risk Assessment Methodology
Stakeholder Influence & Collaboration
Information Security Governance
Analytical Thinking & Risk Judgement
Data Breach Management & CERT-In Compliance
Empathy for Data Principals (Rural/Vulnerable)
Vendor Due Diligence & DPA Drafting
Cross-functional Leadership
Privacy-by-design & Data Minimisation
Attention to Detail & Documentation Discipline
RoPA Management & Record Keeping
Education & Experience
-
Degree (Essential): Bachelor’s degree in law, Information Technology, Computer Science, Cybersecurity, Business Administration, or a related field. Postgraduate diploma or Master's degree in Data Privacy, Information Security, or Cyber Law (preferred).
-
Degree (Preferred): MBA with specialization in Compliance / Risk Management.
-
Experience: Minimum 8–12 years in data protection, privacy law, information security compliance, or regulatory affairs — of which at least 3 years in a DPO, Privacy Counsel, or equivalent senior role.
-
Sector Exposure: Prior experience in market research, consumer intelligence, FMCG data, telecom, healthcare, or large-scale field data operations is highly desirable.
-
Certifications (Essential): CIPP/A (Certified Information Privacy Professional – Asia) or equivalent; and / or FIP (Fellow of Information Privacy) from IAPP.
-
Certifications (Preferred): CIPM, CIPT, ISO 27001 Lead Implementer / Auditor, CDPSE (Certified Data Privacy Solutions Engineer).
-
Regulatory Knowledge: Deep expertise in DPDP Act 2023, DPDP Rules 2025; working knowledge of IT Act 2000, IT (Amendment) Act 2008, CERT-In Directions, and awareness of GDPR for cross-border context.
Key Metrics for Success
Consent Collection Rate across all field surveys
100% of surveys — zero data collection without valid consent
Data Principal Requests Resolved
100% resolved within DPDP Rules prescribed period (Access/Correction/Erasure)
Data Breach Reporting to DPBI
100% reported within 72 hours of confirmed detection
Annual Independent Data Audit completion
Completed before regulatory deadline each year, zero critical findings unresolved
DPIA completion for processing activities
100% completed prior to go-live of any new survey or analytics process
Vendor / Data Processor compliance audit coverage
100% of Tier-1 data processors audited annually
Employee DPDP Training completion rate
100% of data-handling staff trained within 30 days of joining and annually
Grievance Resolution Rate (respondents)
100% acknowledged within 48 hours; resolved within statutory timelines
Regulatory Penalties / Adverse orders from DPBI
Zero uncontested penalty orders
Board Privacy Compliance Report
Quarterly reports submitted on time with zero critical overdue action items