Every Indian board I've sat across from in the last year has tried to solve the DPDP staffing question with a sentence: 'the General Counsel will handle it.' That sentence is going to age very badly. Here's the case for hiring an actual DPO, in language a board can act on.
There is a quiet conversation happening in board meetings across India right now. It goes like this:
"We need someone to own DPDP." "Doesn't the General Counsel handle that?" "Sure, the GC can handle that."
And then the agenda moves on. That two-line exchange is the most expensive misunderstanding I'm watching unfold in 2026, and I want to spend this post arguing — calmly, with numbers — for why a dedicated Data Protection Officer is not a luxury, not a "nice to have once we're bigger," and not a problem you can hand to the General Counsel.
I'll start with the legal frame, because it's the part most boards already know, and then I'll spend most of this post on the parts they haven't thought about: the operational frame, the personality frame, and the cost frame. The legal frame is the only one that gets discussed publicly. The other three are the ones that actually determine whether your DPDP programme works.
The legal frame (the part you already know)
Section 10 of the Digital Personal Data Protection Act, 2023 says that a Significant Data Fiduciary (SDF) shall, among other obligations, "appoint a Data Protection Officer who shall represent the Data Fiduciary under the provisions of this Act" and "be the point of contact for the grievance redressal mechanism." The DPO must be based in India.
Right now, the Government has not yet notified the criteria for SDF designation. The early signals point to: large consumer platforms, banks and NBFCs above a customer-count threshold, telcos, large healthcare providers, and entities handling biometric or financial data at meaningful scale. If your organisation is in any of those buckets and at any meaningful size, you should expect to be designated within the next 12–18 months.
But here's the part most boards miss: Section 10 is the floor, not the ceiling. Even if you are not currently designated as an SDF, you are still on the hook for the rest of the Act — all the consent obligations, all the rights obligations, the breach notification window, the grievance redressal mechanism, the security safeguards, the children's data rules. None of those obligations go away just because you're not an SDF. They just fall on someone whose job it is to actually own them.
If that someone is not a DPO, who is it? The answer in most organisations today is: nobody. Or worse: everybody.
The operational frame (the part nobody talks about)
Let me describe the operational reality of DPDP compliance, hour by hour, in a typical mid-sized Indian company.
Monday morning, 9 am: Marketing wants to launch a new email campaign to a list they bought from a third party. Someone has to ask: did the people on that list consent to receive marketing emails from us? If not, can we use them at all? If yes, how do we prove the consent if challenged?
Monday afternoon, 2 pm: Engineering wants to copy production data into a staging environment so they can debug a customer issue. Someone has to ask: does that staging environment have the same access controls as production? Is the data anonymised? If not, who has access to it now that didn't have access before?
Tuesday morning, 10 am: A customer emails support with a vague complaint about how their address is being used. Support routes it to legal. Legal isn't sure if it's a grievance under Section 13 or just a regular customer complaint. Someone has to make the call within the SLA window.
Tuesday afternoon, 4 pm: A new SaaS vendor's contract is up for renewal. Procurement is about to click "yes" on a multi-year deal. Someone has to look at the Data Processing Agreement, check the vendor's data residency, check whether the vendor's processors are in any restricted countries, and decide whether the renewal is safe.
Wednesday morning, 8 am: A new product feature ships to staging. Someone has to look at the feature, identify what new personal data it collects, decide whether the existing privacy notice covers it, and either approve the launch or block it pending a notice update.
Wednesday afternoon, 3 pm: HR wants to roll out a new employee monitoring tool. Someone has to assess whether the monitoring is proportionate, whether it requires fresh employee consent or whether it falls under legitimate use, and whether the tool's vendor is compliant.
That's two days. Six decisions. Each one is small, each one is real, each one is the DPO's job. If you don't have a DPO, what actually happens is one of three things:
- The decision is never made. The marketer launches the campaign. The engineer copies the data. The vendor gets renewed. The feature ships. Each of those is a small Section 33 risk, accumulating quietly.
- The decision is made by someone unqualified. A junior legal associate, a security analyst, a product manager. They guess. Sometimes they guess right, sometimes they guess wrong, and the organisation has no consistent posture.
- The decision is escalated to the General Counsel. Who is at that moment dealing with an M&A negotiation, a vendor lawsuit, a board governance question, and an employment dispute. The DPDP question sits in their inbox for three days. The marketer launches the campaign anyway because they have a deadline.
None of these outcomes are acceptable. All of them are what happens by default when there is no dedicated owner.
The personality frame (the part nobody admits)
Here's the part that's hard to put in writing without sounding rude. The skill set required to be a great General Counsel is not the same skill set required to be a great DPO. They overlap, but they're not the same.
A General Counsel is, structurally, a defender. Their job is to keep the company out of trouble in legal proceedings. They are good at responding to threats — drafting contracts to anticipate disputes, arguing positions when challenged, negotiating settlements when caught. The instincts that make them good at that job — caution, ambiguity-tolerance, deference to existing authority, conservative interpretation of unclear rules — are the wrong instincts for running a privacy programme.
A DPO is, structurally, an operator. Their job is to prevent problems from arising in the first place by changing how the organisation works on a daily basis. They need to be opinionated, fast, technically literate, willing to push back on senior leaders, willing to say "no, we cannot ship this" to a product team, willing to walk into a CEO's office and explain why a quarterly target needs to slip. The instincts that make them good at that job — directness, urgency, willingness to be the unpopular person in the room — are not the instincts of a good lawyer.
I've watched a dozen organisations try to solve this by giving the DPO hat to the General Counsel. In every single case, the General Counsel does the role well for the first month, then it gets crowded out by everything else they're responsible for, and within 90 days the DPO function exists in name only. The compliance work doesn't stop — it just stops being done.
I've also watched organisations try to solve this by hiring a "head of compliance" who is neither a lawyer nor an operator but a third thing — usually a former auditor or a former Big-4 consultant. That works slightly better, but those people tend to optimise for audit-ready paperwork rather than for actual operational change. Their reports are beautiful. Their organisations still leak personal data through the back door.
The role you actually need is closer to a product manager who happens to know the law. Someone who can sit down with engineering and rewrite a data flow. Someone who can sit down with marketing and rewrite a campaign brief. Someone who can sit down with the board and translate Section 8(6) into "a 72-hour clock that starts when our CISO has a vibe." Someone whose calendar is full of operational meetings, not legal review meetings.
Those people exist. They are rare. They are not your General Counsel.
The cost frame (the part the CFO will actually read)
Let me put numbers on this. The fully loaded cost of a senior DPO in India in 2026 — including salary, benefits, and tooling — is roughly ₹35-65 lakh per year, depending on city, seniority, and prior experience. Call it ₹50 lakh as the midpoint.
The penalty exposure under Section 33 of the DPDP Act runs as follows:
| Violation type | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards (Section 8(5)) | up to ₹250 crore per instance |
| Failure to notify a personal data breach (Section 8(6)) | up to ₹200 crore per instance |
| Children's data violations (Section 9) | up to ₹200 crore per instance |
| Failure to fulfil SDF obligations (Section 10) | up to ₹150 crore per instance |
| Failure of duties of Data Principal (Section 15) | up to ₹10,000 per instance |
| Other violations (catch-all) | up to ₹50 crore |
Let's be honest about the probabilities. The Data Protection Board is not going to start by issuing the maximum penalty against every Fiduciary in the country. They will pick a small number of high-profile cases in the first 12–24 months, and they will choose cases that are clean, well-documented, and easy to explain. The failure modes most likely to land you in that bucket are:
- A breach that you didn't notify within 72 hours
- A grievance that you didn't respond to within the SLA window
- A widely-reported customer rights violation (e.g., refusing to delete data)
- A children's data violation that gets press attention
Each of those failure modes is exactly the kind of thing a dedicated DPO is supposed to prevent. The DPO's daily work — the breach drills, the grievance routing, the rights workflow, the children's data screening — is the difference between being one of the early case studies and being one of the many anonymous Fiduciaries that the Board never bothers with.
The math: A dedicated DPO costs ₹50 lakh a year. A single Section 8(6) penalty event costs up to ₹200 crore. The DPO pays for themselves 400 times over by preventing one breach notification failure. They pay for themselves 100 times over by preventing one significant rights complaint. They are not an expense. They are insurance.
Compare that to the cost of not hiring a DPO and asking the General Counsel to "handle it." The General Counsel costs more than the DPO would have, doesn't actually handle it, and you still have to hire the DPO in 6-12 months when the first incident lands. You will have spent the GC's time, spent the cost of the eventual DPO, and spent the cost of whatever the incident did to you in the meantime.
The objections you'll hear from the board
When I make this case in board meetings, I get four objections, in roughly this order:
"We're not big enough yet." The size of your organisation is irrelevant to whether the law applies. It is only relevant to whether you have the budget to hire a senior DPO at full cost. You always have the option of hiring a fractional DPO — 30-50% of one person, often via a managed service — for ₹15-25 lakh a year. That's a fraction of what your average enterprise software contract costs, and it gives you a real owner without a senior salary line.
"We can outsource this to a consultancy." You can outsource the project work — the initial gap assessment, the policy drafting, the training rollout. You cannot outsource the operational ownership. The consultancy is not going to be there at 7:42 am on a Saturday when the breach alert fires. The consultancy is not going to walk into the marketing meeting and say no. The consultancy delivers a deck and goes home. The DPO is the person who has to live with the deck.
"Can't we just use software for this?" Software (including, yes, AutoCops) is the tooling of the DPO function. It makes the DPO faster, more consistent, and more auditable. It does not replace the DPO. A compliance platform without a human owner is a dashboard nobody reads.
"We don't know the criteria for SDF designation yet." True. But waiting for the criteria to be published before hiring a DPO is exactly backwards. By the time the criteria are published, the people you want to hire will already have jobs. The market for senior privacy talent in India is small, and it will get smaller fast as enforcement begins. Hire now, while the talent pool is liquid. Worst case: you hired six months early. Best case: you hired six months ahead of every competitor in your sector.
The boring truth
The boring truth is that DPDP compliance is mostly an operational discipline, not a legal one. The Act is a few thousand words long. The Rules are a few thousand more. You can read the entire body of regulation in an afternoon. The hard part is not understanding what the law requires — the hard part is making your organisation do the things the law requires, every day, in every team, on every product.
That work needs an owner. Not a committee. Not a quarterly review. An owner whose performance review is tied to it, whose calendar is full of it, whose name shows up in the incident reports, and whose phone rings at 7:42 am on a Saturday.
If your General Counsel wants the role and has the operational chops for it, great. In my experience, that's about one in twenty. For the other nineteen, you need a real DPO. Hire them now. The case is mathematical, the case is operational, and the case is — frankly — about whether you want to wake up in 2027 as one of the early case studies or as one of the organisations that quietly did the work.
Your board will thank you. So will your General Counsel.