The publication of the Data Protection (Designation, Tasks and Position of Data Protection Officers) Regulations 2026 (the “Regulations”) marks an important development in Mauritius’ data protection framework.
The Regulations give a concrete form to what was previously a broadly stated obligation under the Data Protection Act 2017 (the “DPA”). Under section 22(2)(e) of the DPA, controllers have long been required to designate "an officer responsible for data protection compliance issues" as part of their broader obligation to implement appropriate technical and organisational measures. However, the DPA itself was silent on the qualifications, tasks, and protections to be afforded to such an officer. The Regulations now fill this gap comprehensively by providing a detailed regulatory framework that prescribes who may serve as a data protection officer (“DPO”), what they must do, and how their independence must be safeguarded.
In broad terms, a controller is a person or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data. As such, these requirements will apply to persons and entities that exercise decision-making power over the processing of personal data.
Here are five key takeaways for organisations.
The DPO Role Cannot be Outsourced
One of the most notable features of the Regulations is the requirement that every controller must designate a DPO "from a staff member of the organisation". This is a deliberate departure from the approach taken in certain other jurisdictions, where organisations retain the flexibility to appoint an external consultant or service provider to fulfil the DPO function. While organisations may continue to rely on external advisers, consultants and legal counsel for support, the Regulations suggest that responsibility for the DPO function itself is expected to reside internally. The Mauritian legislator has evidently taken the view that embedding the DPO role within the organisation's own workforce is essential to ensuring proximity to day-to-day processing operations and accountability within the organisational hierarchy and it is now a requirement for the DPO to be involved, in a timely manner, in all issues related to the protection of personal data.
Qualifications and Certification Requirements
The Regulations introduce important qualification criteria for the DPO role. A DPO must be designated on the basis of their professional qualifications and, in particular, must demonstrate expert knowledge of data protection laws and practices applicable in Mauritius, a proven ability to fulfil the tasks specified under the Regulations, and an in-depth understanding of the operational requirements of the organisation and the specific regulatory environment of its business sector. The Regulations also mandate that the DPO must hold evidence of certification issued either by the Office, following the successful completion of training conducted by the Data Protection Office (the “Office”) or by a duly registered and accredited training institution approved by the Office for its expertise in data protection laws. This certification requirement raises the bar considerably and signals the Office's intention to professionalise the DPO function in Mauritius to ensure that those who hold the role possess a verifiable standard of competence.
Safeguards for Independence
The Regulations place substantial obligations on controllers to protect the independence of the DPO. Controllers must ensure that the duties assigned to the DPO are compatible with the regulatory tasks and do not result in any conflict of interest. The controller must also adequately support the DPO by providing the necessary resources and training. The DPO must be permitted to carry out their functions in an independent manner without any unlawful interference, and a controller may not dismiss, suspend, or otherwise penalise a DPO for lawfully performing their duties under the Regulations and the DPA.
Multiple DPOs for Larger Operations
Recognising that organisations vary considerably in their size, structure, and the sensitivity of the personal data they process, the Regulations permit a controller to designate more than one DPO, having regard to its organisational structure, size and scale, complexity, and sensitivity of the processing of personal data. Where multiple DPOs are designated, the controller is required to appoint a lead data protection officer, who serves as the primary point of contact with the Office and with data subjects. This approach is a pragmatic acknowledgment that large or complex organisations especially conglomerates may benefit from distributing data protection responsibilities across several qualified individuals whilst maintaining a single, authoritative channel of communication with the regulator.
Data Protection is Moving Closer to the Boardroom
The Regulations appear to position the DPO as a governance and oversight function within the organisation, sharing many of the characteristics traditionally associated with the compliance function. One such key characteristic is that the DPO is required to report to the highest management level of the organisation. Reporting lines are often one of the clearest indicators of how a regulator expects a function to be treated within an organisation. By requiring access to senior management, the Regulations recognise that data protection compliance is a governance issue capable of exposing organisations to legal, regulatory, operational and reputational risk.
What Should Organisations be Doing Now?
The Regulations mark a welcome maturation of the Mauritian data protection framework. By prescribing detailed requirements for the DPO function, they bring clarity to a role that, until now, lacked regulatory specificity. With the Regulations due to come into force on 1 January 2027, the implementation window to operationalise the new requirements is relatively short. Organisations should begin reviewing their existing data protection arrangements. In particular, consideration should be given to whether the current DPO structure, reporting lines, internal expertise and governance framework align with the expectations reflected in the new Regulations.
--
Read the original publication at ENS


