DPO (Data Protection Officer): When You Must Appoint One in India
Under the DPDPA, only Significant Data Fiduciaries (SDFs) are required to appoint a DPO. But the path from "regular" Data Fiduciary to SDF can be sudden — a single Government notification — and you should plan ahead. This is the practitioner's guide to the DPO role under Indian law.
Who is a Significant Data Fiduciary?
Section 10 empowers the Government to notify a Data Fiduciary or class of Data Fiduciaries as "significant" based on:
- Volume and sensitivity of personal data processed
- Risk to the rights of Data Principals
- Potential impact on India's sovereignty and integrity
- Risk to electoral democracy
- Security of the State
- Public order
Likely candidates for early SDF notification: large social platforms, fintechs (Paytm, PhonePe, GPay), e-commerce giants (Flipkart, Amazon, Meesho), telcos (Jio, Airtel), and the credit-reporting bureaus. Any business processing 5M+ users or sensitive (health, financial, biometric) data should plan for SDF status.
What an SDF must do
Section 10 imposes three additional obligations beyond the regular Data Fiduciary baseline:
- Appoint a Data Protection Officer (DPO) based in India who reports to the Board of Directors or equivalent governing body
- Appoint an independent Data Auditor to evaluate compliance
- Conduct Data Protection Impact Assessments (DPIA) and periodic audits
What does the DPO actually do?
The DPO is the senior accountable executive for privacy. Day-to-day responsibilities:
- Maintain the Records of Processing Activities (RoPA)
- Oversee privacy training across the organisation
- Approve new processing activities (especially those involving children, health, biometric data)
- Liaise with the Data Protection Board on inquiries and complaints
- Coordinate breach response and notification
- Approve sub-processor onboarding (DPA review)
- Lead DPIA exercises for high-risk processing
- Sign off on the annual independent audit
DPO requirements under DPDPA
- Must be based in India
- Must report to the Board of Directors (not the CEO, not the CISO)
- Must be the contact point for the Data Protection Board
- Must be the contact point for grievance redressal under Section 13
The Act does not yet specify minimum qualifications, but international best practice (and likely Rules) will expect: legal/privacy background, 5+ years experience, no conflict of interest with revenue functions.
Internal vs. external DPO
For an SDF, an internal full-time DPO is the norm. Salary band in India: ₹40-80 lakh CTC for a senior DPO at a large company. Smaller "non-SDF but cautious" companies sometimes appoint a fractional or external DPO via firms like DSCI, Cyril Amarchand, or boutique privacy consultancies.
DPO vs. Grievance Officer
Every Data Fiduciary (not just SDFs) must have a grievance officer. The grievance officer can be the DPO or a separate role. Practically:
- Non-SDF: appoint a grievance officer (could be any senior employee — head of customer success, COO, etc.)
- SDF: appoint a DPO who is also the grievance officer (or a separate grievance team reporting into the DPO)
How to structure the DPO function
For a 500+ employee SDF, a typical org structure:
- DPO — reports to Board, full P&L for privacy program
- Privacy Counsel (1-2) — handles legal review, contract negotiation
- Privacy Engineer (2-4) — builds DSR tooling, consent management, data discovery
- Privacy Operations (1-3) — handles incoming DSRs, training, vendor reviews
- Independent Data Auditor — appointed annually, can be external (PwC, EY, KPMG, Deloitte)
For smaller SDFs, the DPO may be a single individual with virtual support from external counsel.
Conflict of interest
The DPO must not have responsibilities that conflict with privacy oversight. Avoid having the same person be DPO and Head of Marketing/Growth. The classic safe pairings: DPO + General Counsel, DPO + Chief Compliance Officer, DPO + Head of Information Security (with clear escalation when those duties conflict).
When to start preparing — even if you are not yet an SDF
Three signals that you should have a DPO function ready:
- You are processing data of more than 1 million Indian users
- You handle sensitive data (health, financial, biometric) at any meaningful scale
- You have a regulator-facing function (BFSI, healthcare, telecom)
If any of these is true, the cost of preparing now is far lower than the cost of scrambling after a notification.
Getting started
Even if you are not an SDF, you should at minimum:
- Appoint a grievance officer with a published email and response timeline
- Identify the executive who would become DPO if you were notified as SDF
- Run an annual privacy review (DPIA-lite) for high-risk processing
And of course, publish a DPDPA-compliant privacy policy that lists your grievance officer. Generate one here.
Generate your DPDPA privacy policy
Free. Two minutes. Section-by-section references. English & Hindi.
Open the generator →