King Stubb & Kasiva

Data Protection Officer (DPO) Services in India under the DPDP Act

Under India’s DPDP Act, 2023, a Data Protection Officer (DPO) is a statutory requirement for every entity designated a Significant Data Fiduciary (SDF). Even where the role is not strictly mandatory, many organisations appoint or outsource a DPO-style function to coordinate compliance. This page explains the legal position and how KSK’s data-privacy team supports the DPO function.

When is a DPO mandatory?

Section 10(2)(a) requires an SDF to appoint a DPO who is based in India and responsible to its Board of Directors or equivalent governing body. Ordinary data fiduciaries are not obliged to appoint a DPO, but must still publish the contact details of a person able to answer data principals’ questions and operate a grievance-redressal mechanism (Sections 8(9)–(10)). For the full picture, see our articles on the role and duties of a DPO and on Significant Data Fiduciaries.

Are you a Significant Data Fiduciary?

Answer 25 questions to see your DPDPA risk level and whether the DPO obligation applies to you — free, instant, with a branded PDF.


What the DPO does

  • Acts as the point of contact for the grievance-redressal mechanism and for the Data Protection Board.
  • Reports to the board on data-protection risk and compliance.
  • Oversees notice and consent practices, data-principal rights requests, retention and erasure, and vendor/processor governance.
  • Coordinates breach response and the periodic DPIAs and independent audits that SDFs must conduct.

The Act does not currently prescribe specific qualifications for the role, which gives organisations flexibility in how they resource it.

How KSK supports the DPO function

We help clients stand up and run the DPO function in a way that fits their structure — advising an in-house DPO, supporting the role on an ongoing basis, or providing an external DPO-style function for organisations that prefer to draw on specialist counsel. Typical support includes building the compliance framework the DPO operates, handling data-principal and grievance escalations, advising the board, and managing breach and regulator interactions. We also help businesses assess whether they are likely to be designated an SDF and therefore brought within the mandatory-DPO requirement.

Related reading

See our analysis of the grievance officer’s role and our DPDPA guide. To gauge whether the DPO obligation may apply to you, try the free Compliance Scorecard.

Talk to KSK about your DPDP readiness

Our data-privacy team advises Indian and global businesses on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. To understand where you stand, try our free DPDPA Compliance Scorecard or speak to our team.

This page is general information about Indian data-protection law and is not legal advice or a solicitation. Provisions of the DPDP Act and Rules are subject to phased commencement and further notification.

Frequently Asked Questions

DPDP Act — quick answers

Is a Data Protection Officer mandatory in India?

A DPO is mandatory only for a Significant Data Fiduciary — an entity the Central Government notifies as high-risk under Section 10. Other data fiduciaries are not required to appoint a DPO but must publish a contact point for queries and run a grievance-redressal mechanism.

Does the DPO have to be based in India?

Yes. Under Section 10(2)(a), an SDF's DPO must be based in India and is responsible to the Board of Directors or equivalent governing body. The DPO is also the point of contact for the grievance mechanism.

Can a company outsource its DPO function?

The Act requires an SDF's DPO to be an India-based individual answerable to its board, so the statutory role sits within the organisation. Many businesses, however, draw on external specialist counsel to build and support the DPO function, advise the role, and manage escalations — particularly before they are formally designated an SDF.

What is the difference between a DPO and a grievance officer?

A DPO is the India-based officer that only SDFs must appoint, answerable to the board. The grievance or contact point is the person every data fiduciary must publish under Section 8(9) so that individuals can raise questions and complaints. In smaller organisations these responsibilities may overlap.

This FAQ is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 — not legal advice. Provisions are subject to phased commencement and further notification. Speak to the KSK data-privacy team for advice on your specific situation.
