
Step 04 - Appoint a Grievance Officer or Data Protection Officer

Every organization must designate a point of contact for individuals to exercise their rights.

Grievance Officer

  • Mandatory for all Data Fiduciaries.
  • Addresses customer complaints and ensures timely responses.

Data Protection Officer (DPO)

  • Mandatory for Significant Data Fiduciaries (SDFs) — large organizations handling sensitive or high volumes of data.
  • Must be a senior officer based in India.
  • Acts as the liaison with both individuals and the Data Protection Board.
  • Oversees compliance, audits, and risk assessments.

Example 1

A mid-sized e-commerce firm may appoint its Head of Customer Service as the Grievance Officer.

Example 2

A large social media platform operating in India will likely be designated as an SDF, requiring a full-time DPO who oversees compliance, audits, and risk assessments.

Critical Point

Every organization must have at least a Grievance Officer. If classified as an SDF, it must also appoint a DPO to ensure higher accountability.


By completing these four steps

  1. Gap assessment
  2. Data mapping
  3. Privacy notices
  4. Appointing officers (Grievance Officer/DPO)

— an organization lays the foundation for DPDPA compliance.

These steps not only meet legal requirements but also build customer trust, showing that the organization takes privacy seriously.