SDF - Data Protection Officer
Plain English Translation
Under Section 10(2)(a) of the Act, organizations designated as a Significant Data Fiduciary (SDF) are legally required to appoint a Data Protection Officer based in India. This is not just a standard compliance role: the DPDP Act's DPO appointment mandate requires this individual to report directly to the Board of Directors, ensuring high-level accountability. The role of the DPO under the DPDP Act is to represent the fiduciary, ensure that the significant data fiduciary obligations are met, and act as the primary point of contact for the grievance redressal mechanism.
Technical Implementation
Required Actions (startup)
- Not applicable unless notified as an SDF.
- If notifying proactively, appoint a privacy lead based in India.
- Draft a job description outlining DPO responsibilities.
Required Actions (scaleup)
- Appoint a qualified individual as DPO if approaching SDF thresholds.
- Formalize the DPO's reporting line to the governing body in India.
- Publish DPO contact details on the privacy policy page.
Required Actions (enterprise)
- Full board accountability for data privacy with quarterly DPO presentations.
- Independent DPO requirement met with no conflict of interest in other duties.
- Automated dashboards providing the DPO with real-time compliance metrics.
Only organizations notified by the Central Government as a 'Significant Data Fiduciary' (SDF) under Section 10(1) are legally required to appoint a Data Protection Officer.
The Act does not specify academic qualifications, but Section 10(2)(a) requires the DPO to be an individual responsible to the Board, implying senior executive standing and the expertise to represent the fiduciary.
Yes, Section 10(2)(a)(ii) explicitly mandates that the Data Protection Officer must be based in India.
Section 10(2)(a) states the SDF shall 'appoint' a DPO who is 'an individual'. While the Act doesn't explicitly ban outsourcing, the requirement to report to the Board and be based in India suggests an internal or closely integrated role is expected.
The DPO must be responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary, as per Section 10(2)(a)(iii).
For an SDF, the DPO *is* the point of contact for the grievance redressal mechanism (Section 10(2)(a)(iv)). Non-SDFs need only publish details of an authorized person to answer questions (Section 8(9)).
The Act does not prohibit this, but the DPO must report to the Board. Best practice suggests separating the roles to ensure the independent DPO requirement is met without conflict of interest between security execution and compliance oversight.
Failure to observe additional obligations of a Significant Data Fiduciary, including appointing a DPO, can attract a penalty extending to one hundred and fifty crore rupees under the Schedule.
"The Significant Data Fiduciary shall— (a) appoint a Data Protection Officer who shall— (i) represent the Significant Data Fiduciary under the provisions of this Act; (ii) be based in India; (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and (iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act;"
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |