The Indian government has initiated the foundational work to establish the procedures and modalities for appointing members to the new Data Protection Board (DPB). In a recent update, IT Secretary S. Krishnan confirmed that the specialised software required for the Board’s "fully digital" office has already been developed.
Compliance and industry consultations
Addressing concerns regarding the potential for shortened compliance timelines for Big Tech, Krishnan noted that the government is currently consulting with industry stakeholders to evaluate their readiness. He emphasised that given the complexity of the digital ecosystem, the government’s primary goal is to ensure a smooth transition without operational disruptions.
"On the data protection board, we've started the process of putting in place the way to identify members and call for their nomination to put them in the positions and posts which the board would need...we are working on that right now, because we have to get it approved," Krishnan told.
The IT Secretary further confirmed that the digital infrastructure is ready: "So work is going on," he said. When asked if large corporations had expressed opposition to tighter deadlines during ministry discussions, Krishnan clarified that they had not voiced specific discomfort. "We've asked them to tell us when they will be ready and look at specific aspects....because please understand it's complex," he explained.
Structure and oversight
The Digital Personal Data Protection (DPDP) Act mandates the creation of the Data Protection Board of India to monitor compliance, investigate data breaches, and impose penalties. As an independent body, it will serve as the primary enforcer of data rights.
Under the recently notified DPDP Rules, the selection process will be handled by two distinct committees:
- For the Chairperson: A search-cum-selection committee headed by the Cabinet Secretary, including the Law Secretary, IT Secretary, and two domain experts.
- For Board Members: A separate panel chaired by the IT Secretary, comprising the Law Secretary and two domain experts.
"The central government shall, after considering the suitability of individuals recommended by the search-cum-selection committee, appoint the Chairperson or other Member, as the case may be," the DPDP rules say.
Timeline and penalties
While Krishnan declined to provide an exact launch date, he indicated that the Board is expected to be operational "in the coming months".
The DPDP Act establishes a comprehensive framework that balances individual privacy rights with lawful data processing needs. It defines the obligations of Data Fiduciaries (processors) and the rights of Data Principals (individuals). To ensure accountability, the Act introduces a stringent penalty structure for non-compliance:
| Violation | Maximum Penalty |
| Failure to maintain reasonable security safeguards | Rs 250 crore |
| Failure to notify the Board/individuals of a breach | Rs 200 crore |
| Violations related to children's data | Rs 200 crore |
| Other general violations of the Act/Rules | Rs 50 crore |
ALSO READ: UIDAI issues Aadhaar security guidelines: 5 Essential steps to protect yourself from scams
