Centre moves to operationalise Data Protection Board as industry consultations continue

The central government has initiated preparatory steps to operationalise the Data Protection Board of India, including finalising the process for appointing its chairperson and members, even as the digital infrastructure required for a fully online functioning of the body is already in place.

IT Secretary S Krishnan reportedly said the government is currently working on the procedures and approvals needed to identify and nominate members to the Board, which will be responsible for enforcing the Digital Personal Data Protection (DPDP) Act.

DPDP Act goes live with phased implementation over next 18 months

Speaking in an interview with PTI, Krishnan said the effort is focused on ensuring a smooth rollout without causing disruption to the broader digital ecosystem.

According to him, the software needed to run the Data Protection Board as a completely online office has already been developed, and work on the institutional framework is progressing. However, he refrained from committing to a specific launch timeline, indicating that the Board is expected to become functional in the coming months.

On the issue of compliance timelines, particularly for large technology companies, Krishnan said the government is in active discussions with industry stakeholders to gauge their readiness. He noted that companies have not flagged objections to any specific provisions so far, but given the complexity of data protection compliance, the government is taking a consultative approach.

“We have asked stakeholders to share when they believe they will be ready and to flag any specific challenges,” Krishnan said, adding that the government’s priority is to avoid disruptions while implementing the new regime.

The DPDP Act, which governs how entities collect, store and process digital personal data, mandates the establishment of the Data Protection Board of India as an independent regulatory body. The Board will be tasked with monitoring compliance, investigating data breaches, issuing directions for remedial action and imposing financial penalties where violations are found.

Under the recently notified DPDP Rules, the central government will constitute a search-cum-selection committee to recommend candidates for the post of chairperson. This panel will be headed by the Cabinet Secretary and will include the Law Secretary, the IT Secretary and two domain experts. A separate committee, chaired by the IT Secretary and comprising the Law Secretary and two domain experts, will recommend candidates for appointment as Board members.

The rules state that the final appointments will be made by the central government after assessing the suitability of individuals recommended by these committees.

The DPDP Act seeks to strike a balance between safeguarding individual privacy rights and enabling the lawful use of personal data. It clearly defines the obligations of Data Fiduciaries—entities that process personal data—and lays down the rights and duties of Data Principals, or individuals to whom the data relates.

The law also introduces a stringent penalty framework to ensure accountability. Failure to maintain reasonable security safeguards can attract penalties of up to ₹250 crore. Not reporting personal data breaches to the Board or affected individuals, as well as violations related to children’s data, can result in fines of up to ₹200 crore each. Other breaches of the Act or its rules may invite penalties of up to ₹50 crore.

DPDP Enforcement Begins: Penalties up to ₹250 cr breach put entire digital ecosystem on high alert

With the groundwork now under way, the government is moving closer to fully operationalising India’s data protection framework, a key pillar in building trust in the country’s rapidly expanding digital economy.