checkDPDP

Guide

How to add a Grievance Officer to your website under the DPDP Act (Section 8(10))

Section 8(10) requires every Data Fiduciary to publish a Grievance Officer. Most Indian SMB sites either skip this entirely or hide a generic support@ inbox. Here is the exact appointment, publication and SLA pattern that survives a Data Protection Board check.

23 Jun 2026 · 7 min read

Section 8(10) of the DPDP Act is one of the cheapest clauses to comply with and one of the most commonly fumbled. It says every Data Fiduciary must publish the business contact information of a person able to address questions from Data Principals about their personal data. The DPDP Rules 2025 fix the response window at thirty days from receipt of the grievance. The whole thing is a ten-line footer block — but the Board treats its absence as a self-reported failure, because there is no defensible reason for a Fiduciary not to have one.

**Who can be the Grievance Officer.** For an SMB, the founder, the operations lead or the head of customer support is fine. For a Significant Data Fiduciary the calculus changes — Section 10 obligations layer a separate India-resident Data Protection Officer on top, and the two roles are distinct. For everyone else, pick someone reachable. Avoid a role-account alias with no human owner; the Rules expect a named individual who can be contacted.

**What to publish, and where.** Four fields: name, designation, business email, and the response SLA. Three locations: the privacy notice, the website footer on every page, and any rights-request intake form. Use a brand-domain email (grievance@yourdomain.in is the convention), not a personal Gmail address — phishing scams have already started exploiting Grievance Officer names harvested from real notices, and a brand-domain mailbox is the line that helps users tell real from fake.

**The 30-day SLA.** Treat it as a hard deadline, not a target. Practical setup: route grievance@ to a shared inbox (Help Scout, Front, even a Gmail group), tag every incoming message on receipt, and run a weekly triage so nothing sits past day 20. The Data Protection Board's expected enforcement signal — based on how analogous regulators have behaved elsewhere — is the pattern of missed SLAs, not any single late reply. A documented 95 % on-time rate is a complete defence in most realistic complaint scenarios.

**What 'address the grievance' actually means.** It is not just acknowledging the email. Under Section 13(2) the Data Principal can escalate to the Board only after exhausting the Fiduciary's grievance mechanism, so 'address' means a substantive response: confirm or deny the alleged violation, explain the data flow involved, take corrective action where the complaint is valid, and document everything in case the complaint goes to the Board. A canned 'we have received your query' is not a closure.

**Copy-paste footer block.** Add this to your footer template, swapping in your own values: *Grievance Officer: [Name], [Designation], [Email]. We respond to DPDP grievances within 30 days. For complaints unresolved at our level, you may escalate to the Data Protection Board of India.* That is the entire Section 8(10) and Section 13(2) signal in five lines.

**Common mistakes we see on scans.** A grievance email like info@ that bounces. The same email used for sales and grievance — flagged because no SLA is observable. A Grievance Officer listed only in the privacy notice and not the footer — fails the 'easily accessible' test. A foreign-resident officer for a Significant Data Fiduciary — fails Section 10. A 'we will respond within a reasonable time' phrase instead of the 30-day SLA — fails the Rules.

Once your Grievance Officer is published, run the [checkDPDP scanner](/scan) on your site to confirm the contact is detectable from the public web. The scanner flags this category as Pass / Warn / Fail based on whether it can find a named officer, an email and an SLA — the same heuristic the Board's eventual scanners are likely to apply. If you need a starting template, the [find-grievance-officer directory](/find-grievance-officer) shows how the Indian companies that already comply have structured their disclosure.
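To test your own footer text before publishing, here is a small check for the three signals and the common mistakes listed above. It is an added example, not checkDPDP's scanner code or anything the Board has published. The mailbox and domain lists, the regular expressions, and the Pass / Warn / Fail mapping are assumptions made for this sketch.

```python
import re

# Assumed lists for this sketch: mailbox names and mail domains treated as weak.
GENERIC_LOCALPARTS = {"info", "support", "sales", "contact", "hello"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "Grievance Officer: Name, Designation, ..." -> capture the name field only
OFFICER_RE = re.compile(r"Grievance Officer\s*[:\-]\s*([^,\n]+)", re.I)
SLA_RE = re.compile(r"\b(?:30|thirty)[\s-]*days?\b", re.I)
VAGUE_SLA_RE = re.compile(r"reasonable time", re.I)


def check_disclosure(text):
    """Return (status, findings) for the visible text of a footer or notice."""
    findings = []
    officer = OFFICER_RE.search(text)
    name = officer.group(1).strip() if officer else ""
    # An unfilled [placeholder] or an email in the name slot is not a named person.
    has_name = bool(name) and "[" not in name and "@" not in name
    if not has_name:
        findings.append("no named Grievance Officer")

    emails = EMAIL_RE.findall(text)
    if not emails:
        findings.append("no contact email")
    for addr in emails:
        local, domain = addr.lower().rsplit("@", 1)
        if local in GENERIC_LOCALPARTS:
            findings.append(f"generic mailbox: {addr}")
        if domain in PERSONAL_DOMAINS:
            findings.append(f"personal mail domain: {addr}")

    has_sla = bool(SLA_RE.search(text))
    if VAGUE_SLA_RE.search(text):
        findings.append("vague SLA wording ('reasonable time')")
    if not has_sla:
        findings.append("no 30-day SLA stated")

    # Assumed mapping: all three signals and no findings = Pass, none = Fail.
    found = sum([has_name, bool(emails), has_sla])
    if found == 3 and not findings:
        status = "Pass"
    elif found == 0:
        status = "Fail"
    else:
        status = "Warn"
    return status, findings
```

Feed it the rendered text of the footer, not the raw HTML, and run it against the privacy notice and the intake form as well, since all three locations are expected to carry the disclosure.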

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
