← All articles · 6 May 2026 · compliance.hjlabs.in

DPO (Data Protection Officer): When You Must Appoint One in India

Under the DPDPA, only Significant Data Fiduciaries (SDFs) are required to appoint a DPO. But the path from "regular" Data Fiduciary to SDF can be sudden — a single Government notification — and you should plan ahead. This is the practitioner's guide to the DPO role under Indian law.

Who is a Significant Data Fiduciary?

Section 10 empowers the Government to notify a Data Fiduciary or class of Data Fiduciaries as "significant" based on:

Likely candidates for early SDF notification: large social platforms, fintechs (Paytm, PhonePe, GPay), e-commerce giants (Flipkart, Amazon, Meesho), telcos (Jio, Airtel), and the credit-reporting bureaus. Any business processing 5M+ users or sensitive (health, financial, biometric) data should plan for SDF status.

What an SDF must do

Section 10 imposes three additional obligations beyond the regular Data Fiduciary baseline:

What does the DPO actually do?

The DPO is the senior accountable executive for privacy. Day-to-day responsibilities:

  1. Maintain the Records of Processing Activities (RoPA)
  2. Oversee privacy training across the organisation
  3. Approve new processing activities (especially those involving children, health, biometric data)
  4. Liaise with the Data Protection Board on inquiries and complaints
  5. Coordinate breach response and notification
  6. Approve sub-processor onboarding (DPA review)
  7. Lead DPIA exercises for high-risk processing
  8. Sign off on the annual independent audit

DPO requirements under DPDPA

The Act does not yet specify minimum qualifications, but international best practice (and likely Rules) will expect: legal/privacy background, 5+ years experience, no conflict of interest with revenue functions.

Internal vs. external DPO

For an SDF, an internal full-time DPO is the norm. Salary band in India: ₹40-80 lakh CTC for a senior DPO at a large company. Smaller "non-SDF but cautious" companies sometimes appoint a fractional or external DPO via firms like DSCI, Cyril Amarchand, or boutique privacy consultancies.

DPO vs. Grievance Officer

Every Data Fiduciary (not just SDFs) must have a grievance officer. The grievance officer can be the DPO or a separate role. Practically:

How to structure the DPO function

For a 500+ employee SDF, a typical org structure:

For smaller SDFs, the DPO may be a single individual with virtual support from external counsel.

Conflict of interest

The DPO must not have responsibilities that conflict with privacy oversight. Avoid having the same person be DPO and Head of Marketing/Growth. The classic safe pairings: DPO + General Counsel, DPO + Chief Compliance Officer, DPO + Head of Information Security (with clear escalation when those duties conflict).

When to start preparing — even if you are not yet an SDF

Three signals that you should have a DPO function ready:

  1. You are processing data of more than 1 million Indian users
  2. You handle sensitive data (health, financial, biometric) at any meaningful scale
  3. You have a regulator-facing function (BFSI, healthcare, telecom)

If any of these is true, the cost of preparing now is far lower than the cost of scrambling after a notification.

Getting started

Even if you are not an SDF, you should at minimum:

And of course, publish a DPDPA-compliant privacy policy that lists your grievance officer. Generate one here.

Generate your DPDPA privacy policy

Free. Two minutes. Section-by-section references. English & Hindi.

Open the generator →

More from the blog