
👥 DPDP Act Compliance Roles

Successful DPDP compliance requires clear role definitions. Below are the key roles needed — some mandatory (like DPO for SDFs), others recommended best practices. Tailor to the organisation's size: a startup might combine several roles, while a large enterprise will need dedicated headcount for each.

Data Protection Officer (DPO)

Senior Management / VP level
Reports to: CEO or Board of Directors
Time commitment: Full-time (for SDF); Part-time or outsourced (for smaller organisations)
Mandatory when: The organisation is notified as a Significant Data Fiduciary (Section 10 of the DPDP Act). Recommended for all medium and large organisations.

Responsibilities

  • Serve as the point of contact for the grievance redressal mechanism, as Section 10(2)(a) requires of an SDF's DPO
  • Represent the SDF under the Act, including in proceedings before the Data Protection Board of India
  • Oversee the organisation's DPDP compliance programme
  • Conduct or oversee Data Protection Impact Assessments
  • Advise the Board of Directors on data protection risks and obligations
  • Coordinate breach notifications to the DPBI and Data Principals
  • Manage relationships with independent auditors

Required Skills

Indian data protection law (DPDP Act and IT Act), data governance and management, information security fundamentals, risk management, regulatory affairs and compliance, stakeholder management and communication

💡 Hiring Tip: In India, look for candidates with backgrounds in IT Act compliance, GDPR DPO experience, or cybersecurity law. IAPP certifications (CIPP/A, CIPM) are valuable. The DPO of an SDF must be based in India and be an individual answerable to the Board of Directors or similar governing body: both are statutory requirements under Section 10(2)(a), so an offshore or outsourced DPO does not satisfy them.

Privacy Programme Manager

Manager / Senior Manager
Reports to: Data Protection Officer or General Counsel
Time commitment: Full-time
Mandatory when: Recommended for all organisations with more than 500 employees or significant personal data processing.

Responsibilities

  • Manage the day-to-day execution of the DPDP compliance programme
  • Maintain the Record of Processing Activities (ROPA)
  • Coordinate Data Principal rights request fulfilment across departments
  • Track compliance metrics and prepare dashboard reports
  • Manage vendor data protection assessments and DPA negotiations
  • Organise and track compliance training across the organisation

Required Skills

Project management, privacy compliance operations, vendor management, data mapping and inventory tools, report writing and executive communication

💡 Hiring Tip: Look for project managers with GRC (Governance, Risk, Compliance) experience. Candidates who have implemented ISO 27001 or SOC 2 programmes adapt well to privacy programme management.

Privacy Engineer / Privacy-by-Design Lead

Senior Engineer / Tech Lead
Reports to: CTO or Engineering Director (with dotted line to DPO)
Time commitment: Full-time in large organisations; part-time embedded role in smaller ones
Mandatory when: Recommended for organisations with custom-built applications processing significant volumes of personal data.

Responsibilities

  • Embed privacy controls into the software development lifecycle
  • Design and implement consent management technical solutions
  • Build Data Principal rights fulfilment automation (DSAR systems)
  • Implement data minimisation, pseudonymisation, and anonymisation techniques
  • Conduct privacy-focused code reviews and architecture reviews
  • Implement technical retention enforcement and automated purge jobs
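The last three responsibilities above (consent records, pseudonymisation, and automated retention enforcement), together with the rights-request automation mentioned earlier in the list, are easier to picture in code. The following is an added illustration, not code from the original page or from any product: a toy consent ledger in which direct identifiers are replaced by a keyed HMAC pseudonym before storage, each consent record carries a purpose and a retention period, a purge job drops withdrawn or expired records, and an erasure function serves a Data Principal's request. The key constant, the class and function names, and the sample e-mail addresses are all hypothetical.

```python
"""Toy consent ledger: keyed pseudonymisation, retention purge and erasure.

Added example for illustration only. The key below is a placeholder; in a
real deployment it would live in a KMS/HSM and be rotated with a re-keying
plan, because every pseudonym depends on it.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PSEUDONYM_KEY = b"example-key-replace-me"  # assumption: per-deployment secret


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 of a normalised direct identifier (e-mail, phone number).

    A keyed construction matters: a plain SHA-256 of a 10-digit Indian mobile
    number can be reversed by brute force in minutes, an HMAC cannot without
    the key. Normalisation keeps 'Asha@x.in' and 'asha@x.in ' on one record.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


@dataclass
class ConsentRecord:
    principal_ref: str            # pseudonym only; the raw identifier is never stored here
    purpose: str                  # DPDP consent is purpose-specific
    given_at: datetime
    retention_days: int           # retention is tied to the purpose, not open-ended
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.given_at + timedelta(days=self.retention_days)


class ConsentLedger:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []
        # Append-only evidence trail; holds truncated pseudonyms, never raw identifiers.
        self.audit_log: List[str] = []

    def record_consent(self, identifier: str, purpose: str,
                       given_at: datetime, retention_days: int) -> str:
        ref = pseudonymise(identifier)
        self.records.append(ConsentRecord(ref, purpose, given_at, retention_days))
        self.audit_log.append(f"{given_at.isoformat()} CONSENT {ref[:12]} {purpose}")
        return ref

    def withdraw(self, identifier: str, purpose: str, at: datetime) -> int:
        """Mark consent for one purpose as withdrawn; returns records affected."""
        ref = pseudonymise(identifier)
        hits = [r for r in self.records
                if r.principal_ref == ref and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = at
        self.audit_log.append(f"{at.isoformat()} WITHDRAW {ref[:12]} {purpose} n={len(hits)}")
        return len(hits)

    def active_purposes(self, identifier: str, now: datetime) -> List[str]:
        """Purposes for which processing is currently permitted for this principal."""
        ref = pseudonymise(identifier)
        return sorted({r.purpose for r in self.records
                       if r.principal_ref == ref and r.withdrawn_at is None
                       and now < r.expires_at()})

    def purge(self, now: datetime) -> int:
        """Scheduled retention job: drop withdrawn or expired records; returns count dropped."""
        keep = [r for r in self.records
                if r.withdrawn_at is None and now < r.expires_at()]
        dropped = len(self.records) - len(keep)
        self.records = keep
        self.audit_log.append(f"{now.isoformat()} PURGE dropped={dropped}")
        return dropped

    def erase(self, identifier: str, now: datetime) -> int:
        """Serve an erasure request: remove every record for this principal."""
        ref = pseudonymise(identifier)
        before = len(self.records)
        self.records = [r for r in self.records if r.principal_ref != ref]
        removed = before - len(self.records)
        self.audit_log.append(f"{now.isoformat()} ERASE {ref[:12]} removed={removed}")
        return removed


def demo() -> dict:
    """Constructed walk-through with hypothetical principals; returns key outcomes."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_consent("Asha@example.com", "marketing", t0, retention_days=30)
    ledger.record_consent("asha@example.com ", "service", t0, retention_days=365)
    ledger.record_consent("ravi@example.com", "marketing", t0, retention_days=30)
    ledger.withdraw("asha@example.com", "marketing", t0 + timedelta(days=2))
    dropped = ledger.purge(t0 + timedelta(days=40))   # asha/marketing withdrawn, ravi/marketing expired
    remaining = ledger.active_purposes("asha@example.com", t0 + timedelta(days=41))
    erased = ledger.erase("asha@example.com", t0 + timedelta(days=42))
    return {"dropped": dropped, "remaining": remaining, "erased": erased,
            "records_left": len(ledger.records)}


if __name__ == "__main__":
    print(demo())
```

The design points a reviewer would look for: the raw identifier never reaches the records table, only the audit log's truncated pseudonym survives purge or erasure (so the organisation can still evidence that it acted), and purge is driven by the retention period attached to each purpose rather than by a global cut-off.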

Required Skills

Software engineering, privacy-enhancing technologies (PETs), API design, database design and management, encryption and data masking, understanding of consent management platforms

💡 Hiring Tip: Look for senior developers or architects with an interest in privacy and security. The IAPP CIPT certification is the most widely recognised credential for privacy engineers. In the Indian market, candidates with Aadhaar ecosystem or UPI integration experience already understand India-specific identity and consent challenges.

Consent and Data Rights Operations Analyst

Analyst / Associate
Reports to: Privacy Programme Manager
Time commitment: Full-time (scale with request volume)
Mandatory when: Recommended for all consumer-facing businesses with more than 10,000 Data Principals.

Responsibilities

  • Process and fulfil Data Principal access, correction, and erasure requests
  • Verify requestor identity before processing rights requests
  • Maintain consent records and logs
  • Coordinate with IT teams for cross-system data retrieval and deletion
  • Track and report on request volumes, response times, and trends
  • Handle first-level grievance responses

Required Skills

Customer service orientation, attention to detail, data querying (SQL basics), ticketing system management, understanding of personal data concepts

💡 Hiring Tip: This is an entry-level privacy operations role. Look for candidates from customer support or data entry backgrounds and train them on DPDP requirements. Process documentation and checklists reduce the learning curve.

Information Security Officer (ISO / CISO)

Senior Management / Director level
Reports to: CTO or CEO
Time commitment: Full-time
Mandatory when: Recommended for all organisations. Practically mandatory given DPDP security safeguard and breach notification requirements.

Responsibilities

  • Implement and maintain reasonable security safeguards for personal data
  • Manage breach detection, assessment, and containment capabilities
  • Lead incident response for personal data breaches
  • Conduct security risk assessments and penetration testing
  • Manage security infrastructure: encryption, access controls, SIEM, DLP
  • Coordinate with the DPO on breach notification decisions

Required Skills

Information security management (ISO 27001, NIST), incident response, security architecture, Indian IT Act Section 43A (reasonable security practices; note that Section 44 of the DPDP Act omits Section 43A once the DPDP Act is brought into force, so this is transitional knowledge), cloud security, network and application security

💡 Hiring Tip: CISSP, CISM, or CEH certified professionals are well-suited. In India, also look for candidates with experience in CERT-In (Indian Computer Emergency Response Team) compliance: the CERT-In directions of April 2022 require listed cyber incidents to be reported within six hours of being noticed, a tighter clock than DPDP breach intimation, so the two reporting workflows have to be designed together.

Legal Counsel — Data Protection

Senior Associate / Manager
Reports to: General Counsel or DPO
Time commitment: Part-time to full-time (depends on organisation size)
Mandatory when: Recommended for all organisations. Can be in-house or external counsel.

Responsibilities

  • Interpret DPDP Act provisions and Rules as they are notified
  • Draft and review privacy notices, consent language, and DPAs
  • Advise on lawful basis for processing activities
  • Manage legal aspects of Data Principal complaints and DPBI proceedings
  • Monitor regulatory developments and DPBI decisions
  • Advise on cross-border data transfer compliance

Required Skills

Indian data protection law, contract law, regulatory compliance, IT Act and associated rules, international data protection law (GDPR knowledge is a plus), legal drafting

💡 Hiring Tip: Look for lawyers with IT law or technology law backgrounds. Law firms specialising in data protection (Nishith Desai, AZB, Khaitan) have built DPDP practices and can provide external counsel support.

Grievance Officer

Manager / Senior Manager
Reports to: DPO or Legal Counsel
Time commitment: Part-time (dedicated email monitoring and response)
Mandatory when: Mandatory for ALL Data Fiduciaries. Section 8(10) requires an effective grievance redressal mechanism, Section 13 gives Data Principals the right to use it, and Section 8(9) requires publishing the business contact information of the DPO (where one is appointed) or of a person able to answer Data Principals' questions about the processing of their personal data. In practice this means a named individual with published contact details.

Responsibilities

  • Receive and acknowledge all Data Principal grievances within prescribed timeframes
  • Investigate grievances and coordinate with relevant departments for resolution
  • Respond to Data Principals with findings and actions taken
  • Maintain a grievance register and report trends to the DPO
  • Serve as the first point of contact before escalation to the DPBI (Section 13(3) requires Data Principals to exhaust this mechanism before approaching the Board)

Required Skills

Conflict resolution, communication skills (written and verbal), understanding of DPDP Act rights, investigation skills, empathy and professionalism

💡 Hiring Tip: The Grievance Officer role can be combined with the DPO role in smaller organisations. In larger ones, assign it to a senior person in Legal, Compliance, or Customer Support who is comfortable being a public-facing contact.