IndiaMust companies appoint a Data Protection Officer?
No, Indian law does not currently mandate that companies appoint a Data Protection Officer (DPO). The Digital Personal Data Protection Act, 2023, does not include a DPO requirement.
What the Law Says
The Digital Personal Data Protection Act, 2023 (DPDP Act) — India’s primary data protection law — does not require organisations to appoint a Data Protection Officer.
Unlike the EU’s GDPR or India’s earlier draft Personal Data Protection Bill, 2019 (which proposed mandatory DPOs for significant data fiduciaries), the final DPDP Act, 2023 omits this obligation entirely.
Section 40 of the DPDP Act empowers the Central Government to notify rules on 'data protection safeguards', but the notified Digital Personal Data Protection Rules, 2025 — published on 18 April 2025 — contain no provision requiring a DPO.
The Act focuses instead on accountability through the 'Data Principal' and 'Data Fiduciary' framework, requiring consent, notice, grievance redressal mechanisms, and appointment of an 'authorized representative' only for foreign-based data fiduciaries — not a DPO.
Statutory TextThe Central Government may, by notification, make rules to carry out the provisions of this Act.
— Digital Personal Data Protection Act, 2023, s. 40 — Power to make rules
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.