
Data Protection Officer (DPO)

A senior officer appointed by Significant Data Fiduciaries under the DPDP Act to ensure compliance, serve as the Data Principal's point of contact, and oversee data protection practices.

Full Definition

Section 10(2)(a) of the DPDP Act 2023 requires Significant Data Fiduciaries to appoint a Data Protection Officer based in India. The DPO serves as the point of contact for Data Principals exercising their rights and for the Data Protection Board in inquiries. Unlike the GDPR's DPO (which must be independent and cannot be instructed), the DPDP Act's DPO role is defined more generally — the DPO represents the Data Fiduciary before the Board and is the grievance point of contact. The DPO must be a senior management person in the organisation, ensuring accountability at leadership level.

In Indian Law

DPDP Act 2023, Section 10(2)(a). DPO appointment is mandatory for Significant Data Fiduciaries only — ordinary Data Fiduciaries are not required to appoint a DPO but must have a grievance officer under Section 13. Under GDPR, DPO appointment is required for all public authorities and any organisation whose core activities involve large-scale processing of sensitive data — a broader trigger than DPDP's government-designation model.

Frequently Asked Questions

Does every company need to appoint a DPO under the DPDP Act?

No. Only Significant Data Fiduciaries (designated by the Central Government under Section 10) are required to appoint a DPO. However, all Data Fiduciaries must have a grievance mechanism and officer for Data Principal complaints under Section 13.

Quick Facts

Letter: D
Category: data-privacy
Origin: English
Laws: 2 section(s)