top of page

How to Appoint a Data Protection Officer Under the DPDPA 2023 in India

  • Writer: Kaustav Chowdhury
    Kaustav Chowdhury
  • 4 minutes ago
  • 2 min read

The Digital Personal Data Protection Act, 2023 (DPDPA) requires every Significant Data Fiduciary (SDF) to appoint a Data Protection Officer (DPO). This guide explains who must appoint a DPO, the qualifications and responsibilities involved, and the step-by-step process for compliance under Section 10 of the Act.


Who Must Appoint a DPO?

Only organisations that have been officially notified as Significant Data Fiduciaries by the Central Government are required to appoint a DPO. The Central Government designates SDFs based on factors including the volume and sensitivity of personal data processed, the risk to the rights of data principals, potential impact on the sovereignty and integrity of India, risks to electoral democracy, and considerations of security of the state and public order.


Regular Data Fiduciaries that do not fall within the SDF classification are not legally required to appoint a DPO, though doing so is considered a best practice for data governance.


Key Requirements for the DPO

Under Section 10(2)(a) of the DPDPA, the DPO must be an individual (not an entity or outsourced firm), must be based in India, must be responsible to the Board of Directors or the governing body of the organisation, and must serve as the point of contact for grievance redressal and for representing the organisation before the Data Protection Board of India.


Step-by-Step Appointment Process

Step 1: Determine SDF Status. Check whether your organisation has been notified as a Significant Data Fiduciary by the Central Government. Monitor official gazette notifications and MeitY communications for SDF classification orders.


Step 2: Define the DPO Role. Draft a detailed job description covering the DPO's responsibilities, which include overseeing compliance with the DPDPA, handling data principal grievances, conducting or overseeing Data Protection Impact Assessments (DPIAs), liaising with the Data Protection Board, and ensuring periodic audits of data processing activities.


Step 3: Select and Appoint. Identify a suitable individual with knowledge of data protection law, information security, and the organisation's data processing operations. Pass a formal board resolution appointing the DPO and ensure the appointment is documented in the organisation's records.


Step 4: Publish Contact Details. Make the DPO's contact information accessible to data principals through the organisation's website and privacy policy. The DPO must be reachable for grievance redressal as mandated under the Act.


Step 5: Integrate the DPO into Governance. Ensure the DPO has direct reporting access to the Board of Directors, is involved in all decisions affecting personal data processing, and has adequate resources and independence to perform their role effectively.


Penalties for Non-Compliance

Failure to appoint a DPO when required under Section 10 can attract penalties of up to Rs 150 crore from the Data Protection Board of India. Organisations should ensure timely compliance once notified as an SDF.


For related guidance on AI governance in legal proceedings and filing regulatory complaints, see our other guides.

Comments


bottom of page