Data Protection Officer Under DPDP

Who must appoint a DPO, what the role requires, and why even smaller businesses benefit from a privacy owner
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

Who Needs a Data Protection Officer Under the DPDP Act?

A Data Protection Officer under DPDP is mandatory for one group only: Significant Data Fiduciaries (SDFs), businesses the government specifically designates based on the volume of personal data they process, its sensitivity, and the risk that processing poses. If you have not been designated an SDF, the law does not force you to appoint a DPO under the DPDP Act.

But the role is worth understanding either way. For SDFs, the requirements are specific: the DPO must be based in India, hold a senior position, be responsible to the board of directors, and have published contact details, including in your privacy notice, so data principals know exactly who to reach. Failing SDF duties like this carries a penalty tier of up to ₹150 crore per violation.

And for everyone else? Someone still has to own consent, notices, grievances, and breach response. A designated privacy owner, even without the formal DPO title, is how compliant businesses actually stay compliant.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

DPO Requirements at a Glance

RequirementWhat It Means
Mandatory only for SDFsApplies once the government designates your business a Significant Data Fiduciary
Based in IndiaThe DPO must be located in India, an offshore privacy lead at a global HQ does not satisfy the rule
Senior, responsible to the boardA senior person who reports to the board of directors, not a junior role buried in a support team
Published contact detailsThe DPO's contact information must be published, including in your privacy notice
Penalty for failureUp to ₹150 crore per violation under the SDF duty-failure tier

What the DPO Actually Does

Three core responsibilities define the role, and they map directly to how the regulator sees your business.

Compliance Monitoring

The DPO keeps watch over the whole DPDP posture: consent records, privacy notices, retention schedules, security safeguards, DPIAs, and annual audits, and reports the state of it to the board.

Grievance Contact Point

The DPO is the published face of your grievance redressal mechanism, the person data principals contact when something goes wrong, with a 90-day clock on every resolution.

Board Liaison

When the Data Protection Board of India comes calling, about a breach report, a complaint, or an inquiry, the DPO is the point of contact who speaks for the business.

DPO vs CISO: Not the Same Job

AspectDPOCISO
ProtectsThe rights of the people behind the dataSystems, networks, and infrastructure
FocusConsent, notices, grievances, lawful processingThreats, vulnerabilities, incident defence
Answers toThe board of directors, and faces the regulatorUsually the CTO or CEO
Nature of roleLegal and governanceTechnical security

The two roles work closely together: the CISO builds the Rule 6 security safeguards, and the DPO makes sure the processing those systems perform is lawful and the people affected can exercise their rights. Handing a CISO the DPO title without the governance mandate leaves the compliance half of the job unowned.

Not an SDF? You Still Need a Privacy Owner

Even without a formal DPO obligation, every Data Fiduciary must run consent workflows, publish a grievance contact, respond to rights requests, report every breach within 72 hours, and keep security safeguards alive. Those duties do not run themselves, and when no one owns them, they quietly decay until an incident exposes the gap.

Naming a designated privacy owner, even part-time, gives your business one accountable person for DPDP: someone who tracks deadlines, owns the grievance inbox, and keeps evidence audit-ready. It also future-proofs you: if your business grows into an SDF designation, you already have the role, the processes, and the paper trail in place.

Governance Roles Take Time to Establish

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and appointing and embedding a privacy owner should happen early in that window.

Assess My DPO Readiness Free

Want the Complete DPDP Picture?

The DPO is one piece of the compliance puzzle. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.

Learn Everything About DPDP Compliance

Data Protection Officer: Frequently Asked Questions

Is a Data Protection Officer mandatory under the DPDP Act?

Only for Significant Data Fiduciaries, businesses the government designates based on data volume, sensitivity, and risk. Regular Data Fiduciaries are not required to appoint one, though a designated privacy owner is still a smart move.

Who Owns Privacy at Your Business?

Our free audit checks whether you may face SDF designation, what a DPO would mean for you, and who should own DPDP compliance day to day, with a gap report and roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.