Boards and India's DPDPA
- Boards are holding dedicated sessions to interpret India's Digital Personal Data Protection Act and assign accountability. (x.com)
- Reports noted discussions on controller and processor recordkeeping obligations under the NDPA and enforcement risks. (x.com) (x.com)
- Advisors urged updating governance frameworks to ensure audit-readiness and regulator-facing evidence of compliance. (x.com) (x.com)

India’s data-protection law has moved from policy debate to boardroom work, with companies now mapping who inside the business will own compliance under the Digital Personal Data Protection Act and its 2025 rules. (indiacode.nic.in) (meity.gov.in)

The law, passed on August 11, 2023, covers digital personal data and lets the central government bring different provisions into force on different dates. India’s Ministry of Electronics and Information Technology notified the final Digital Personal Data Protection Rules on November 14, 2025. (indiacode.nic.in) (meity.gov.in)

That November 14, 2025 package also established the Data Protection Board of India, the body that will handle enforcement under the statute. A Press Information Bureau note said the rules “fully operationalise” the 2023 law. (meity.gov.in) (pib.gov.in)

The core compliance point for boards is simple: the company deciding why and how personal data is used is the “Data Fiduciary,” and it stays responsible even when a vendor processes that data on its behalf. The Act says that responsibility applies “irrespective of any agreement to the contrary.” (indiacode.nic.in) (indiankanoon.org)

That is why recordkeeping and governance design have become live board issues. The rules require itemised privacy notices, links for withdrawing consent and complaining to the Board, and breach notices to affected individuals and the Board within 72 hours. (pwc.in)

For larger or riskier companies, the burden rises again. The Act allows the government to classify a company as a “Significant Data Fiduciary,” and the rules and guidance summaries say those entities must appoint a data protection officer, run annual data protection impact assessments, and undergo audits. (indiankanoon.org) (ey.com) (pwc.in)

The financial exposure is large enough to pull directors in early. The Act’s penalty schedule allows fines that can run as high as ₹250 crore for some breaches, including failures tied to security safeguards. (indiacode.nic.in) (ksandk.com)

The timeline is also no longer abstract. MeitY published an enforcement timeline on November 14, 2025, and industry compliance trackers now describe a phased rollout running through 2026 and 2027, which has pushed companies to document decisions before the Board begins testing them in cases. (meity.gov.in) (mitigata.com)

So the board question is no longer whether India will enforce a privacy regime. It is whether directors can show, with named owners, vendor controls, notices, audit trails and breach procedures, that the company is ready when the Data Protection Board asks for proof. (indiacode.nic.in) (pib.gov.in)