DPDP Act · 7 min read · 5 March 2026

Do You Need a DPO Under the DPDP Act? A Practical Decision Guide

Not every company needs a Data Protection Officer under DPDP. Here is how to determine if you do, and what the role actually involves.

The question I get asked most often after penalty amounts: "Do we need to hire a DPO?"

The short answer is: probably not, unless you are a large enterprise processing massive volumes of personal data. But even if you do not need one legally, you still need someone owning data protection internally.

Let me explain how the DPO requirement works under the DPDP Act and what you should actually do.

The DPDP Act's Approach to DPOs

Unlike GDPR, which requires a DPO for any organisation doing large-scale monitoring or processing sensitive data, the DPDP Act takes a different approach. A Data Protection Officer is mandatory only for organisations classified as "Significant Data Fiduciaries."

Significant Data Fiduciary is a special category. The Central Government will notify which organisations fall into this category based on factors like:

  • Volume and sensitivity of personal data processed
  • Risk to the rights of Data Principals
  • Potential impact on national security and public order
  • Whether the processing involves new technologies

As of now, the specific criteria and the list of Significant Data Fiduciaries have not been fully notified. But based on the language of the Act, this category will likely include large telecom companies, major banks, social media platforms, and government bodies with extensive citizen data.

If You ARE a Significant Data Fiduciary

Your DPO must:

  • Be based in India
  • Be the point of contact for the Data Protection Board
  • Represent you in matters before the Board
  • Be involved in all data protection decisions

The DPO is personally accountable for ensuring compliance. This is not a ceremonial role — the Board will expect the DPO to have actual authority and involvement in data processing decisions.

If You Are NOT a Significant Data Fiduciary

You do not legally need a DPO. But here is what I strongly recommend based on my consulting experience:

Designate a Privacy Lead

Someone in your organisation — it could be your head of legal, your CTO, or even the founder in a small startup — needs to own data protection. This person should:

  • Be the go-to person for privacy questions internally
  • Handle data subject rights requests
  • Maintain your privacy documentation
  • Stay updated on DPDP rule changes
  • Coordinate breach response if needed

This does not need to be a full-time role for most companies. In startups, it is typically 5-10% of someone's time. In mid-sized companies, it might be 20-30%.

Publish a Grievance Officer

The Act requires you to publish a grievance redressal mechanism. Even if you do not need a DPO, you must have a named person or contact point where data principals can raise complaints. This person's details should be on your privacy policy page.

What a Good Privacy Lead Actually Does

In the companies I work with, the privacy lead handles five things:

Weekly: Reviews any new data collection or processing activities. Did the marketing team launch a new form? Did engineering add a new analytics tool? The privacy lead needs to know.

Monthly: Checks if any data subject requests came in and whether they were handled within the required timeframe.

Quarterly: Reviews the data map for accuracy, checks vendor compliance, and updates policies if needed.

Annually: Conducts a formal gap assessment, refreshes employee training, and reviews the breach response plan.

As needed: Responds to data breaches, handles regulatory enquiries, and advises on new projects that involve personal data.

Should You Hire or Outsource?

For startups and SMBs, hiring a full-time DPO is usually overkill. The options:

Internal designation: Best for companies with 10-200 employees. Pick someone senior who understands the business and give them basic data protection training.

Fractional/Virtual DPO: A consultant (like myself) who acts as your DPO on a retainer basis. Typical cost: ₹25,000-75,000 per month depending on complexity. Good for mid-sized companies that need expertise but not a full-time hire.

Full-time hire: Makes sense when you are processing data of millions of people, operating in heavily regulated industries (BFSI, healthcare), or expect to be classified as a Significant Data Fiduciary.

Whatever you choose, do not leave data protection ownership undefined. The worst situation is when a breach happens and nobody in the company knows who is supposed to do what.

Akshay
GRC & InfoSec Consultant — ISO 27001, SOC 2, DPDP Act