Most Indian companies that appointed a Data Protection Officer did the same thing. They took someone from IT or legal, gave them the title, and filed the appointment letter. That is not compliance. That is theatre.
Section 10(2) of the DPDPA mandates that every Significant Data Fiduciary shall appoint a Data Protection Officer. Rule 11 of the DPDP Rules, 2025 specifies that the DPO must be based in India, must represent the Significant Data Fiduciary, and must be the point of contact for the Data Protection Board. The law does not say "appoint someone." It says appoint someone who can fulfil statutory obligations.
What the Act actually requires
The DPO under DPDPA is not advisory. The DPO is operationally accountable. Section 10 creates a chain of obligations that flow directly through the DPO:
- Data Protection Impact Assessment: Rule 8 requires SDFs to conduct DPIAs before any processing that poses elevated risk. The DPO must oversee this process, ensure its methodology is defensible, and present findings to the Board when requested. A DPO who cannot interpret a DPIA is a DPO who cannot fulfil their statutory function.
- Independent Data Audit: Rule 10 mandates annual audits by a registered independent auditor. The DPO is the organisational interface for these audits — responsible for ensuring audit readiness, providing documentation, and implementing remediation. A DPO who has never managed an audit cycle cannot satisfy this obligation.
- Board-Level Reporting: The DPO must periodically report to the Board of Directors on the organisation's compliance status. This is not an email summary. It is a governance function that requires the DPO to translate technical compliance metrics into board-level risk language.
- Grievance Redressal: Section 13 entitles Data Principals to file complaints. The DPO is the designated recipient. Response timelines are statutory. A DPO who does not have authority to direct operational teams to respond is a DPO who will miss statutory deadlines.
The three appointment failures we see repeatedly
Failure 1 — The dual-hat DPO. The CISO who is also the DPO. The Head of Legal who is also the DPO. The compliance officer who is also the DPO. Dual-hatting creates inherent conflicts. The CISO's priority is security posture. The DPO's priority is data principal rights. When these conflict — and they will — which hat wins?
Failure 2 — The junior DPO. Organisations appoint a mid-level manager as DPO because they do not want to elevate the role to the leadership team. This creates an authority gap. When the DPO needs the engineering team to modify a consent flow or the marketing team to stop a campaign that violates purpose limitation, they lack the organisational authority to compel action.
Failure 3 — The outsourced DPO without integration. Engaging an external DPO-as-a-service without integrating them into operational decision-making. The external DPO reviews policies quarterly but has no visibility into daily processing activities, no access to systems, and no authority to intervene when processing deviates from the documented framework.
What a defensible DPO appointment looks like
The DPO must have direct reporting access to the Board. Not through the CISO. Not through the General Counsel. Direct. The DPO must have documented authority to pause processing activities that contravene the Act. The DPO must have budget authority for compliance tools, training, and external expertise. The DPO must have formal training in Indian data protection law — not a certificate from a two-day workshop, but demonstrated competence in DPDPA provisions, Rules, and enforcement mechanics.
"The Data Protection Board will not ask whether you appointed a DPO. It will ask what your DPO did. The appointment letter is not the evidence. The DPO's operational record is."
— Anandaday Misshra
The penalty for non-compliance with SDF obligations under Section 10 reaches up to ₹150 Crores. That penalty does not distinguish between organisations that had no DPO and organisations that had a DPO in name only. Both are non-compliant. Both face the same exposure.