DPDP Data Protection Officer: When You Need One
Who must appoint a Data Protection Officer under the DPDP Act, what the DPO's role is, qualifications required, and how to set up an effective DPO function in an Indian company.
- Only Significant Data Fiduciaries (SDFs) are statutorily required to appoint a DPO under Section 10(2)(a).
- The DPO must be based in India and represents the SDF before the Data Protection Board.
- Unlike GDPR, the DPDP Act does not specify minimum qualifications for the DPO — the Rules may address this.
- Non-SDF companies are not required to appoint a DPO but should designate a privacy lead as best practice.
- The DPO's contact details must be published in the privacy notice and provided to the Board.
When Is a DPO Legally Required?
Section 10(2)(a) of the DPDP Act requires Significant Data Fiduciaries (SDFs) to appoint a Data Protection Officer. The statutory DPO requirement is therefore conditional on SDF classification by the Central Government. Companies that are not classified as SDFs have no statutory obligation to appoint a DPO.
SDF classification has not yet occurred as of April 2026 — it will follow Rules finalisation. However, companies that process large volumes of personal data or highly sensitive data should prepare for SDF classification and begin the DPO selection and appointment process now. The compliance deadline after classification may be as short as 6-12 months.
Note that this is narrower than GDPR's DPO requirement. Under GDPR, any controller or processor that processes special categories of data at large scale, or that systematically monitors individuals, must appoint a DPO — regardless of whether they are a designated "significant" entity. Under the DPDP Act, the DPO obligation is SDF-specific.
The DPO's Role Under the DPDP Act
Section 10(2)(a) requires the SDF to appoint a DPO who represents the Data Fiduciary before the Data Protection Board. This is the DPO's primary statutory function — acting as the authorised representative in Board proceedings, responding to Board inquiries, and coordinating the SDF's engagement with the regulatory body.
Beyond the statutory minimum, the DPO's practical role in a well-governed SDF should include: overseeing the data protection compliance programme; advising on DPIAs for new processing activities; handling escalated Data Principal grievances; maintaining the privacy notice and consent mechanisms; overseeing processor contracts and compliance; and reporting to senior management and the Board on data protection matters.
The DPO should also serve as the internal data protection champion — training staff, reviewing product features for privacy implications, and building a culture of data protection. A DPO who only handles regulatory correspondence but is not embedded in the product and operations functions will be ineffective.
The India-Based Requirement
The DPDP Act requires the DPO to be "based in India." This means the DPO must be physically present in India — a DPO based in a Singapore or UK parent company does not satisfy the requirement, even if that person is responsible for GDPR compliance covering the Indian subsidiary.
For Indian companies, this requirement is easily satisfied — appoint an India-based employee or external consultant. For foreign companies classified as SDFs (e.g., a US tech company with a significant Indian user base), the India-based requirement means appointing a local representative for Board purposes, which has cost and operational implications.
The India-based requirement also serves the Board's enforcement interests: a DPO who is physically in India can be called to appear before the Board, can receive notices, and is subject to Indian jurisdiction. A purely offshore DPO creates enforcement difficulties.
Qualifications: What the Act and Rules Expect
The DPDP Act itself does not specify minimum qualifications for the DPO. The Rules may specify experience or certification requirements. In the absence of specific requirements, appoint someone with: a sound understanding of Indian data protection law (the Act and Rules); knowledge of your company's data processing activities; sufficient technical understanding to evaluate security and privacy controls; and the communication skills to engage effectively with regulators and internally.
GDPR-experienced privacy professionals are in high demand in India. IAPP certifications (CIPP/E, CIPP/A — Asia-Pacific, CIPM, CIPT) are globally recognised and increasingly relevant for Indian DPOs. However, certification is not a statutory requirement — practical experience and India-specific knowledge matter more.
DPO candidates should be able to: read and interpret the DPDP Act and Rules; conduct or oversee a DPIA; review and negotiate DPAs; advise on consent mechanism design; and communicate effectively with the Data Protection Board. Legal training is helpful but not mandatory — many excellent DPOs come from compliance, technology, or risk management backgrounds.
Internal vs. External DPO: Trade-offs
An internal DPO is an employee who serves as DPO alongside (or exclusively as) their primary role. An external DPO is an independent consultant or law firm partner appointed as DPO. Both models are permissible under the DPDP Act — the Act does not require the DPO to be an employee.
Internal DPO advantages: deep knowledge of your systems and processes; availability for day-to-day operational decisions; lower cost at scale; and cultural integration. Disadvantages: risk of conflicts of interest if the DPO also has non-DPO responsibilities that conflict with data protection goals; potential limitation of independence.
External DPO advantages: independence (especially important for Board proceedings); access to specialist legal expertise; no conflicts of interest; and the broader perspective that comes from representing multiple clients. Disadvantages: less embedded in daily operations; higher cost for intensive involvement; and availability constraints for urgent matters. For startups and mid-size SDFs, an external DPO who is part-time and supported by an internal privacy lead is often the most cost-effective model.
DPO Governance: Independence and Authority
For the DPO to be effective, they must have genuine authority and independence. The DPO should have a direct reporting line to the Board of Directors or senior management — not report through a function that generates data processing activities (e.g., the CTO or CMO). A DPO who reports to the function they are supposed to oversee cannot operate independently.
The DPO must have access to all information needed to fulfil their role: access to your data inventory, to vendor contracts, to product development plans, and to incident reports. Restricting the DPO's access to information is incompatible with effective compliance oversight.
Document the DPO's role in a formal terms of reference or charter: their responsibilities, authorities, reporting lines, access rights, and escalation paths. This document should be board-approved. The DPO should be included in senior management discussions where data protection implications arise — new product launches, major vendor contracts, M&A due diligence.
Non-SDF Companies: The Privacy Lead Approach
Non-SDF companies are not statutorily required to appoint a DPO but should designate a Privacy Lead — an internal person responsible for data protection compliance. This person owns the compliance programme, maintains the data inventory, manages vendor DPAs, handles grievances, and keeps abreast of regulatory developments.
For a startup or SME, the Privacy Lead may be part-time — a senior legal, compliance, or technology person who adds data protection to their portfolio. Supported by a compliance platform like AuditPath, a part-time Privacy Lead can manage a comprehensive DPDP programme without needing a full-time hire.
As your company grows — more users, more data processing, more vendors, more regulatory obligations — the Privacy Lead role should evolve. Companies approaching the scale thresholds likely to trigger SDF classification should begin preparing for a full DPO appointment before classification occurs.
Frequently Asked Questions
Can the DPO also be the General Counsel or Chief Compliance Officer?
Does the DPO have personal liability under the DPDP Act?
We have a GDPR DPO based in the UK. Can they also serve as our DPDP DPO?
What happens if we fail to appoint a DPO after SDF classification?
Can we use a law firm as external DPO?