Since the DPDP Act was notified, one of the questions I hear most often from business leaders and compliance teams is some version of: “Do we need a Data Protection Officer?”
The honest answer is: it depends — but more organisations need one than currently think they do, and many that do not have a formal obligation would still benefit significantly from the function.
Let me break this down practically.
What the DPDP Act says about DPOs
The DPDP Act introduces a formal DPO requirement for organisations designated as Significant Data Fiduciaries. The criteria for this designation will be specified by the central government and are expected to be based on factors including the volume and sensitivity of personal data processed, the potential risk to data principals, and the organisation’s national security and public order implications.
For organisations that are designated as Significant Data Fiduciaries, appointing a DPO is a legal obligation — not optional. The DPO must be based in India and must report directly to the board of the organisation. Their role includes acting as a point of contact for data principals and the Data Protection Board, overseeing compliance, and advising on Data Protection Impact Assessments.
For organisations that are not designated as Significant Data Fiduciaries, there is no explicit legal obligation to appoint a DPO. But that does not mean the function is irrelevant to them.
Why the DPO function matters beyond legal obligation
Whether or not your organisation has a formal obligation to appoint a DPO, the functions that role performs are necessary for any serious privacy program.
Someone needs to oversee your consent framework and ensure it meets the required standard. Someone needs to manage data subject requests — access, correction, erasure — and ensure they are resolved within the required timeframes. Someone needs to maintain your data inventory and record of processing activities (ROPA). Someone needs to be the point of contact for regulatory inquiries. Someone needs to train staff, review new processing activities, and flag risks to leadership.
In large organisations, these functions are typically distributed across a dedicated privacy team. In mid-sized and smaller organisations, they tend to fall through the cracks — partially handled by legal, partially by IT, partially by nobody.
The gap is usually most visible during a regulatory inquiry or a data breach. That is when organisations discover that nobody had clear ownership of the response process, that the data inventory was incomplete, and that the consent records they need to demonstrate compliance do not exist in the form required.
The resourcing question
For most mid-sized Indian organisations, the realistic options for resourcing the DPO function are:
Appoint an internal DPO. This works well for larger organisations with sufficient volume of privacy work to justify a dedicated headcount. The challenge is finding someone with the right combination of legal knowledge, technical understanding, and cross-functional communication skills. Genuine DPO expertise is still scarce in the Indian market.
Assign the function to an existing role. Many organisations ask their General Counsel, Head of Compliance, or CISO to take on DPO responsibilities alongside their existing role. This can work — but only if the individual has genuine privacy expertise and sufficient bandwidth. Adding DPO responsibilities to an already stretched General Counsel without additional support usually means the function gets deprioritised when other matters press.
Engage a virtual or fractional DPO. An outsourced DPO function — sometimes called a vDPO or fractional DPO — provides dedicated expert oversight without the cost and commitment of a full-time hire. This model is well-established in GDPR jurisdictions and is increasingly common in India. It is particularly well-suited to organisations that need genuine DPO-level expertise but cannot justify or afford a full-time appointment.